[openstack-dev] [tripleo] [barbican] [tc] key store in base services

Jeremy Stanley fungi at yuggoth.org
Wed Jun 20 16:37:14 UTC 2018


On 2018-06-06 01:29:49 +0000 (+0000), Jeremy Stanley wrote:
[...]
> Seeing no further objections, I give you
> https://review.openstack.org/572656 for the next step.

That change merged just a few minutes ago, and
https://governance.openstack.org/tc/reference/base-services.html#current-list-of-base-services
now includes:

    A Castellan-compatible key store

    OpenStack components may keep secrets in a key store, using
    Oslo’s Castellan library as an indirection layer. While
    OpenStack provides a Castellan-compatible key store service,
    Barbican, other key store backends are also available for
    Castellan. Note that in the context of the base services set
    Castellan is intended only to provide an interface for services
    to interact with a key store, and it should not be treated as a
    means to proxy API calls from users to that key store. In order
    to reduce unnecessary exposure risks, any user interaction with
    secret material should be left to a dedicated API instead
    (preferably as provided by Barbican).

Thanks to everyone who helped brainstorming/polishing, and here's
looking forward to a ubiquity of default security features and
functionality in future OpenStack releases!
-- 
Jeremy Stanley