Hi Douglas, Thank you very much for your feedback.
It is ideal to have keystone. However, building a keystone server and having it integrate with the existing identity service would be extra overhead. I'm looking for a simpler authentication/authorization method. I was not sure if authentication in barbican was tied to keystone or if there were other options.

Repose is an interesting option. I'm going to take a look at it.

Another question - does barbican cache the master key from the HSM? Sometimes the response for storing/retrieving secrets and keys is very fast (less than a second) and other times it takes longer.

Thanks,
Naveed

On Wed, Jan 25, 2017 at 12:37 PM, Douglas Mendizábal <[email protected]> wrote:

> Hi Naveed,
>
> It is possible to deploy Barbican without Keystone, but you should
> take care to secure access to the service by other means.
>
> Typically, you would deploy Barbican and configure keystonemiddleware
> to validate keystone tokens provided by the user. The middleware
> takes care of validating the token with the Keystone service and then
> adds the user information it received to the request in the form of
> new request headers. [1]
>
> Barbican will look at the X-Project-Id, X-User-Id and X-Roles headers
> in the request and apply the rules in policy.json [2] to decide
> whether the user sending the request should be allowed to access a
> secret or not.
>
> Whatever non-keystone auth option you choose must add those same
> headers to the request.
>
> For example, I have deployed Barbican using Repose [3] instead of
> keystonemiddleware to perform authN/authZ against my company's
> identity service. I then configured Repose to add the required
> headers after validating the identity of the user.
>
> Since barbican is only looking at the request after Repose processed
> it, it made no difference that I was not using keystonemiddleware.
>
> If you really don't want any kind of auth in front of Barbican (not
> sure why you'd do this other than to kick the tires on the API) then
> you can look at the no-auth setup in [4].
>
> I hope that helps,
> - Douglas
>
> [1] http://docs.openstack.org/developer/keystonemiddleware/api/keystonemiddleware.auth_token.html#what-auth-token-adds-to-the-request-for-use-by-the-openstack-service
> [2] https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json
> [3] http://www.openrepose.org/
> [4] http://docs.openstack.org/developer/barbican/setup/noauth.html
>
> On 1/25/17 11:09 AM, Naveed A wrote:
> > Hello,
> >
> > Has anyone tried implementing barbican in standalone mode so that
> > it is connected to HSM or KMIP but not using keystone? Would such a
> > setup work?
> >
> > _______________________________________________
> > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to : [email protected]
> > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
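The header contract Douglas describes (the front-end validates the caller and sets X-Project-Id, X-User-Id and X-Roles, which Barbican then checks against policy.json), worked through as an added example that is not from the thread, Barbican or Repose: a minimal WSGI filter with a constructed token table and a constructed, simplified stand-in for a policy rule. It strips any identity headers the client sent before adding its own, because a service that trusts those headers must never see client-supplied values.

```python
# Constructed stand-in for the identity service lookup; a real deployment
# would validate the token against Keystone or a Repose-fronted service.
TOKENS = {
    "tok-alice": {"user_id": "alice", "project_id": "proj-a", "roles": ["creator"]},
    "tok-bob":   {"user_id": "bob",   "project_id": "proj-b", "roles": ["admin"]},
    "tok-carol": {"user_id": "carol", "project_id": "proj-b", "roles": ["creator"]},
}

# The headers the backend trusts; the edge must own them entirely.
TRUSTED = ("HTTP_X_PROJECT_ID", "HTTP_X_USER_ID", "HTTP_X_ROLES")


def auth_middleware(app):
    """WSGI filter: drop client-supplied identity headers, validate the
    token, and set the headers only from the identity lookup result."""
    def wrapped(environ, start_response):
        for key in TRUSTED:
            environ.pop(key, None)  # never forward X-* identity headers from the client
        ident = TOKENS.get(environ.get("HTTP_X_AUTH_TOKEN"))
        if ident is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"invalid token"]
        environ["HTTP_X_PROJECT_ID"] = ident["project_id"]
        environ["HTTP_X_USER_ID"] = ident["user_id"]
        environ["HTTP_X_ROLES"] = ",".join(ident["roles"])
        return app(environ, start_response)
    return wrapped


# Constructed, simplified policy: an admin may read any secret; other
# listed roles may read only secrets owned by their own project.
SECRET_OWNER = {"s1": "proj-a"}
READ_ROLES = {"admin", "creator", "observer"}


def backend_stub(environ, start_response):
    """Stand-in for the service behind the filter; trusts the X-* headers."""
    secret_id = environ["PATH_INFO"].rsplit("/", 1)[-1]
    roles = set(environ["HTTP_X_ROLES"].split(","))
    same_project = SECRET_OWNER.get(secret_id) == environ["HTTP_X_PROJECT_ID"]
    allowed = "admin" in roles or (same_project and bool(roles & READ_ROLES))
    status = "200 OK" if allowed else "403 Forbidden"
    start_response(status, [("Content-Type", "text/plain")])
    return [status.encode()]


def request(app, path, headers):
    """Drive a WSGI app with constructed request headers; return the status code."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    environ.update({"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()})
    seen = {}
    list(app(environ, lambda status, _h: seen.setdefault("status", int(status.split()[0]))))
    return seen["status"]


APP = auth_middleware(backend_stub)
```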
