Hi everyone,

I've seen a few nascent projects wanting to implement their own secret storage to either replace Barbican or avoid adding a dependency on it. When I've pressed the developers on this point, the only answer I've received is to make the operators' lives simpler.

I've been struggling to understand the reasoning behind this and I'm wondering if there are more people around who can help me understand. To help others help me, let me provide my point of view.

Barbican's been around for a few years already and has been deployed by several companies which have probably audited it for security purposes. Most of the technology involved in Barbican is proven to be secure and the way the project has strung those pieces together has been analyzed by the OSSP (OpenStack's own security group). It doesn't have a requirement on a hardware TPM, which means there's no hardware upgrade cost. Furthermore, several services already provide the option of using Barbican (but won't place a hard requirement on it).

It stands to reason (in my opinion) that if new services have a need for secrets and other services already support using Barbican as secret storage, then those new services should be using Barbican. It seems a bit short-sighted of its developers to say that their users are definitely not deploying Barbican when projects like Magnum have soft dependencies on it.

Is the problem perhaps that no one is aware of other projects using Barbican? Is the status on the project navigator alarming (it looks like some of this information is potentially out of date)? Has Barbican been deemed too hard to deploy?

I really want to understand why so many projects feel the need to implement their own secrets storage. This seems a bit short-sighted and foolish. While these projects are making themselves easier to deploy, if not done properly they are potentially endangering their users, and that seems like a bigger problem than deploying Barbican to me.
--
Ian Cordasco
Glance, Hacking, Bandit, and Craton core reviewer

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev