[Openstack] [barbican] Standalone Barbican Setup

Nave I nave2290 at gmail.com
Wed Jan 25 22:42:05 UTC 2017


Hi Douglas,

Thank you very much for your feedback.

It is ideal to have keystone. However, building a keystone server and
having it integrate with the existing identity service would be extra
overhead. I'm looking for a simpler authentication/authorization method. I
was not sure if authentication in barbican was tied to keystone or if there
were other options. Repose is an interesting option. I'm going to take a
look at it.

Another question - does barbican cache the master key from the HSM?
Sometimes the response for storing/retrieving secrets and keys is very fast
(less than a second) and other times it takes longer.

Thanks,
Naveed

On Wed, Jan 25, 2017 at 12:37 PM, Douglas Mendizábal <douglas.mendizabal at rackspace.com> wrote:

> Hi Naveed,
>
> It is possible to deploy Barbican without Keystone, but you should
> take care to secure access to the service by other means.
>
> Typically, you would deploy Barbican and configure keystonemiddleware
> to validate keystone tokens provided by the user.  The middleware
> takes care of validating the token with the Keystone service and then
> adds the user information it received to the request in the form of
> new request headers. [1]
>
> Barbican will look at the X-Project-Id, X-User-Id and X-Roles headers
> in the request and apply the rules in policy.json [2] to decide
> whether the user sending the request should be allowed to access a
> secret or not.
>
> Whatever non-keystone auth option you choose must add those same
> headers to the request.
>
> For example, I have deployed Barbican using Repose [3] instead of
> keystonemiddleware to perform authN/authZ against my company's
> identity service.  I then configured Repose to add the required
> headers after validating the identity of the user.
>
> Since barbican is only looking at the request after Repose processed
> it, it made no difference that I was not using keystonemiddleware.
>
> If you really don't want any kind of auth in front of Barbican (not
> sure why you'd do this other than to kick the tires on the API) then
> you can look at the no-auth setup in [4].
>
> I hope that helps,
> - Douglas
>
>
> [1] http://docs.openstack.org/developer/keystonemiddleware/api/keystonemiddleware.auth_token.html#what-auth-token-adds-to-the-request-for-use-by-the-openstack-service
> [2] https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json
> [3] http://www.openrepose.org/
> [4] http://docs.openstack.org/developer/barbican/setup/noauth.html
>
> On 1/25/17 11:09 AM, Naveed A wrote:
> > Hello,
> >
> > Has anyone tried implementing barbican in standalone mode so that
> > it is connected to HSM or KMIP but not using keystone? Would such a
> > setup work?
> >
> >
> >
> > _______________________________________________
> > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to     : openstack at lists.openstack.org
> > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >
>
>
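The header contract Douglas describes above, as an added example that is not code from barbican, keystonemiddleware or Repose: a small Python WSGI filter validates an X-Auth-Token against a constructed token store, strips any identity headers the client itself supplied, injects X-Project-Id, X-User-Id and X-Roles, and a stand-in for the API evaluates a constructed policy (a tiny subset of oslo.policy syntax) against those headers. The token names, users, project ids, the secret and the policy rules are all assumptions made up for the example.

```python
"""Added example, not barbican, keystonemiddleware or Repose code.

An auth filter in front of the API validates the caller and injects
X-Project-Id / X-User-Id / X-Roles; the API applies policy rules to those
headers. Token store, users, secret and policy rules are constructed here.
"""
import hmac

# Constructed token store standing in for an external identity service.
TOKENS = {
    "tok-alice": {"user_id": "u-alice", "project_id": "p-payments", "roles": ["creator"]},
    "tok-carol": {"user_id": "u-carol", "project_id": "p-other", "roles": ["creator"]},
    "tok-bob": {"user_id": "u-bob", "project_id": "p-ops", "roles": ["admin"]},
}

# Headers the API trusts; only the filter may set them.
IDENTITY_HEADERS = ("X-Identity-Status", "X-Project-Id", "X-User-Id", "X-Roles")

# Constructed policy written in a small subset of oslo.policy syntax.
POLICY = {
    "admin": "role:admin",
    "creator": "role:creator",
    "secret_project_match": "project_id:%(project_id)s",
    "secret:get": "rule:secret_project_match and rule:creator or rule:admin",
}

SECRETS = {"s-1": {"project_id": "p-payments", "payload": b"hunter2"}}


def _wsgi_key(header):
    return "HTTP_" + header.upper().replace("-", "_")


def validate_token(token):
    """Return the identity for a token, or None. Uses compare_digest rather
    than == so a match is not leaked through string-comparison timing."""
    for candidate, identity in TOKENS.items():
        if hmac.compare_digest(candidate.encode(), (token or "").encode()):
            return identity
    return None


class IdentityFilter:
    """WSGI filter playing the role of keystonemiddleware or Repose."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Drop any identity headers the client sent; without this step a
        # client-supplied "X-Roles: admin" would be trusted by the API.
        for name in IDENTITY_HEADERS:
            environ.pop(_wsgi_key(name), None)
        identity = validate_token(environ.get("HTTP_X_AUTH_TOKEN"))
        if identity is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        environ[_wsgi_key("X-Identity-Status")] = "Confirmed"
        environ[_wsgi_key("X-User-Id")] = identity["user_id"]
        environ[_wsgi_key("X-Project-Id")] = identity["project_id"]
        environ[_wsgi_key("X-Roles")] = ",".join(identity["roles"])
        return self.app(environ, start_response)


def check_rule(rule, creds, target):
    """Toy evaluator (not oslo.policy): 'role:', 'project_id:' and 'rule:'
    atoms, 'and' binding tighter than 'or', no parentheses."""
    def atom(text):
        kind, _, value = text.partition(":")
        if kind == "rule":
            return check_rule(POLICY[value], creds, target)
        if kind == "role":
            return value in creds["roles"]
        return creds.get(kind) == value % target  # e.g. %(project_id)s
    return any(all(atom(a) for a in conj.split(" and "))
               for conj in rule.split(" or "))


def secret_api(environ, start_response):
    """Stand-in for the API: reads the injected headers and applies policy."""
    creds = {
        "user_id": environ.get("HTTP_X_USER_ID"),
        "project_id": environ.get("HTTP_X_PROJECT_ID"),
        "roles": [r for r in (environ.get("HTTP_X_ROLES") or "").split(",") if r],
    }
    secret = SECRETS.get(environ.get("PATH_INFO", "").rsplit("/", 1)[-1])
    if secret is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"no such secret\n"]
    if not check_rule(POLICY["secret:get"], creds, {"project_id": secret["project_id"]}):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return [secret["payload"]]


def get_secret(path, headers):
    """Drive the filtered app in-process; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    for name, value in headers.items():
        environ[_wsgi_key(name)] = value
    status = []
    body = b"".join(IdentityFilter(secret_api)(environ, lambda s, h: status.append(s)))
    return status[0], body
```

Running `get_secret("/v1/secrets/s-1", {"X-Auth-Token": "tok-alice"})` returns 200 with the payload, while a request that sends `X-Roles: admin` and `X-Project-Id: p-payments` but no token gets 401, because the filter discards those headers before the API ever sees them. That stripping, plus making sure the API is reachable only through the filter and not directly on the network, is what makes a Repose- or keystonemiddleware-style deployment safe: the API trusts the headers unconditionally, so whatever sits in front of it must be the only thing able to set them.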