We've also talked about fancier non-Keystone auth like x.509 certificates.
- Douglas

On 1/18/17 11:52 AM, Clint Byrum wrote:
> Excerpts from Dave McCowan (dmccowan)'s message of 2017-01-18 15:58:19 +0000:
>>
>> On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco <sigmaviru...@gmail.com> wrote:
>> Hi everyone,
>>
>> I've seen a few nascent projects wanting to implement their own secret storage to either replace Barbican or avoid adding a dependency on it. When I've pressed the developers on this point, the only answer I've received is to make the operator's lives simpler.
>>
>>
>> This is my opinion, but I'd like to see Keystone use Barbican for storing credentials. It hasn't happened yet because nobody's had the time or inclination (what we have works). If this happened, we could deprecate the current way of storing credentials and require Barbican in a couple of releases. Then Barbican would be a required service. The Barbican team might find this to be the easiest route towards convincing other projects to also use Barbican.
>>
>> - Brant
>>
>> Can you provide some details on how you'd see this work? Since Barbican typically uses Keystone to authenticate users before determining which secrets they have access to, this leads to a circular logic.
>>
>> Barbican's main purpose is a secret manager. It supports a variety of RBAC and ACL access control methods to determine if a request to read/write/delete a secret should be allowed or not. For secret storage, Barbican itself needs a secure backend for storage. There is a customizable plugin interface to access secure storage. The current implementations can support a database with encryption, an HSM via KMIP, and Dogtag.
>
> Just bootstrap the genesis admin credentials into Barbican and Keystone the same way we bootstrap them into Keystone now. Once there's admin creds, they can be validated separate from updating them, and there's no circle anymore. Just two one-way dependencies.
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev