Excerpts from Dave McCowan (dmccowan)'s message of 2017-12-12 19:56:49 +0000:
> > On 12/12/17, 10:38 AM, "Doug Hellmann" <d...@doughellmann.com> wrote:
> >
> >> On Dec 12, 2017, at 9:42 AM, Paul Bourke <paul.bou...@oracle.com> wrote:
> >>
> >> From my understanding it would be a cleanup operation - which to be
> >> honest, would be very much welcomed. I recently did a little work with
> >> Castellan to integrate it with Murano and found the auth code to be very
> >> messy, and flat out broken in some cases. If it's possible to let the
> >> barbican client take care of this that sounds good to me.
> >>
> >> > Which mode is used the most in the services that consume castellan
> >> > today?
> >>
> >> Afaik Barbican is the only backend that currently exists in Castellan
> >> [0]. Looking again it seems some support has been added for vault which
> >> is great, but I reckon Barbican would still be the primary use.
> >>
> >> I haven't been hugely active in Castellan but if the team would like
> >> some more input on this or reviews please do ping me, I'd be glad to
> >> help.
> >
> > What I mean is, in the services consuming Castellan, how do they expect
> > it to authenticate to Barbican? As the current user or as a hard-coded
> > fixed user controlled by the deployer? I would think most services would
> > need to connect as the "current" user talking to them so they can access
> > that user's secrets from Barbican. Removing the keystoneauth stuff from
> > the driver would therefore break all of those applications.
> >
> > Doug
>
> We're a mix right now. Nova and Cinder pass through a user's token to
> retrieve the user's key for encrypted volumes. Octavia uses its service
> account to retrieve certificates for load balancing TLS connections.
> Users must grant Octavia read permissions in advance.

OK, so it sounds like we do need to continue to support both approaches
to authentication.

> Keystone is currently the only authentication option for Barbican. I
> believe the proposal to decouple keystoneauth is advance work for adding
> new auth methods and backends as future work. Vault and Custodia are two
> such backends in progress. They don't support keystoneauth and likely
> won't, so we'll need alternatives.

Each driver manages its own authentication, right? Why do we need to
remove the keystoneauth stuff in the barbican driver in order to enable
other drivers?

> Reviews and contributions to Castellan and Barbican have been light over
> the last cycle, while deployment interest and feature requests have been
> high. Any help will be appreciated!
>
> --Dave

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
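The two authentication modes discussed in this thread (a consuming service passing the caller's own Keystone token through, versus a fixed service account that the secret owner must grant read access to in advance) and the point that each backend driver owns its authentication can be modelled in a few lines. The following is an added illustration written for this thread, not Castellan, Barbican or Vault code; the `ToySecretStore`, the driver classes, the token format and the grant model are all constructed stand-ins, and the only real-world names are the service names the thread mentions.

```python
"""Toy model of key-manager drivers that each own their authentication.

Constructed example for illustration; it does not use the real Castellan,
Barbican or Vault APIs. The store below stands in for Barbican: secrets are
scoped to the owning project, and other users can only read them after the
owner grants access (the Octavia pattern described in the thread).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Request context as a consuming service (e.g. Nova) sees it."""
    user: str
    project: str
    token: str


class ToySecretStore:
    """Stand-in for Barbican: project-scoped secrets plus per-user read grants."""

    def __init__(self):
        self._tokens = {}   # token -> (user, project)   (constructed, not Keystone)
        self._secrets = {}  # secret_id -> (owner_project, payload)
        self._grants = {}   # secret_id -> set of users allowed to read

    def issue_token(self, user, project):
        token = f"tok-{user}-{project}"  # constructed format, not a real token
        self._tokens[token] = (user, project)
        return token

    def _auth(self, token):
        if token not in self._tokens:
            raise PermissionError("invalid token")
        return self._tokens[token]

    def store(self, token, secret_id, payload):
        _, project = self._auth(token)
        self._secrets[secret_id] = (project, payload)
        self._grants[secret_id] = set()

    def grant_read(self, token, secret_id, grantee_user):
        _, project = self._auth(token)
        owner, _ = self._secrets[secret_id]
        if owner != project:
            raise PermissionError("only the owning project can grant access")
        self._grants[secret_id].add(grantee_user)

    def get(self, token, secret_id):
        user, project = self._auth(token)
        owner, payload = self._secrets[secret_id]
        if project == owner or user in self._grants[secret_id]:
            return payload
        raise PermissionError(f"{user} may not read {secret_id}")


class PassThroughDriver:
    """Mode 1: reuse the caller's own token (the Nova/Cinder pattern).
    Access is bounded by what the calling user may already read."""

    def __init__(self, store):
        self._store = store

    def get(self, ctx, secret_id):
        return self._store.get(ctx.token, secret_id)


class ServiceAccountDriver:
    """Mode 2: a fixed, deployer-configured service account (the Octavia pattern).
    The caller's context is ignored, so the secret owner must grant the
    service account read access ahead of time."""

    def __init__(self, store, service_token):
        self._store = store
        self._service_token = service_token

    def get(self, ctx, secret_id):
        return self._store.get(self._service_token, secret_id)


def demo():
    """Exercise both modes; returns a dict of named outcomes."""
    store = ToySecretStore()
    alice = Context("alice", "proj-a", store.issue_token("alice", "proj-a"))
    bob = Context("bob", "proj-b", store.issue_token("bob", "proj-b"))
    store.store(alice.token, "vol-key-1", b"k" * 32)  # constructed volume key
    octavia_token = store.issue_token("octavia", "service")

    passthrough = PassThroughDriver(store)
    service = ServiceAccountDriver(store, octavia_token)
    out = {"alice_reads_own": passthrough.get(alice, "vol-key-1") == b"k" * 32}
    try:
        passthrough.get(bob, "vol-key-1")
        out["bob_denied"] = False
    except PermissionError:
        out["bob_denied"] = True
    try:
        service.get(alice, "vol-key-1")
        out["service_denied_before_grant"] = False
    except PermissionError:
        out["service_denied_before_grant"] = True
    store.grant_read(alice.token, "vol-key-1", "octavia")
    out["service_reads_after_grant"] = service.get(alice, "vol-key-1") == b"k" * 32
    return out


if __name__ == "__main__":
    print(demo())
```

The point the toy makes is that the decision between the two modes sits entirely inside the driver: the consuming service hands over its context either way, and a backend that never speaks Keystone would simply be another driver with its own credential handling, so keeping keystoneauth in the Barbican driver does not block adding others.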