[openstack-dev] [tripleo] [barbican] [tc] key store in base services
Jeremy Stanley
fungi at yuggoth.org
Wed Jun 20 16:37:14 UTC 2018
On 2018-06-06 01:29:49 +0000 (+0000), Jeremy Stanley wrote:
[...]
> Seeing no further objections, I give you
> https://review.openstack.org/572656 for the next step.
That change merged just a few minutes ago, and
https://governance.openstack.org/tc/reference/base-services.html#current-list-of-base-services
now includes:

    A Castellan-compatible key store

    OpenStack components may keep secrets in a key store, using
    Oslo’s Castellan library as an indirection layer. While
    OpenStack provides a Castellan-compatible key store service,
    Barbican, other key store backends are also available for
    Castellan. Note that in the context of the base services set
    Castellan is intended only to provide an interface for services
    to interact with a key store, and it should not be treated as a
    means to proxy API calls from users to that key store. In order
    to reduce unnecessary exposure risks, any user interaction with
    secret material should be left to a dedicated API instead
    (preferably as provided by Barbican).

Thanks to everyone who helped brainstorming/polishing, and here's
looking forward to a ubiquity of default security features and
functionality in future OpenStack releases!
--
Jeremy Stanley