Re: [openstack-dev] [barbican][castellan] How to share secrets in barbican
Another option: If you want to give User-A read access to all Project-B secrets, you could assign User-A the role of "observer" in Project-B. This would use the default RBAC policy, not give every user access to the secrets, and be more convenient than adding each user to the ACL of each secret. Tacker would use the Operator's token to retrieve secrets, and not shared credentials from the configuration file. On 3/31/17, 2:58 AM, "yanxingan"wrote: > >Thanks Kaitlin Farr. > >In tacker vim usecase, an operator [user A] may create a vim with an >account[user B] to access the NFVI. I want to store user B's password in >barbican. > >There are two methods to store secret: >1. All user A's vim secrets are stored in one common reserved >project/user as mentioned. >2. For each user A, the vim secret is stored in it's own domain >respectively. > >The problem of 2 is: >1) Vim can not be shared between different projects with default >barbican RBAC policy. >2) It's not secure to open the access to all users via RBAC policy. In >addition, barbican may be invoked by other projects, e.g. nova, neutron >lb. >3) It's not convenient to add every user to the ACL of A's secret. > >Is barbican ACL suport a "shared" similar attribute to a secret? > > >On 2017/3/31 3:05, Farr, Kaitlin M. wrote: >> >>>As i known, the secrets are saved in a user's domain, and other >>>project/user can not retrieve the secrets. >>> But i have a situation that many users need retrieve a same secret. >>> >>> After looking into the castellan usage, I see the method that >>>saving the credentials in configuration, >>> then all operators use this pre-created user to create/retrieve >>>secrets. >>> I want to know, is this way typical and easy-accepted? Does other >>>projects face this issue? >> >> >> By default, the secrets in Barbican are available at the project-level >> [1]. I am not sure specifically which project or feature you are >> referring to that all users need to access to one secret, but I would >> suggest that editing the Barbican RBAC policy or ACL is a more elegant >> solution than storing username/pw in the conf file. You can find more >> details about RBAC at [2] and a sample policy.json file at [3]. >> >> Kaitlin Farr >> >> 1. >>https://developer.openstack.org/api-guide/key-manager/acls.html#default-a >>cl >> 2. >>https://docs.openstack.org/developer/barbican/admin-guide-cloud/access_co >>ntrol.html >> 3. >>https://github.com/openstack/barbican/blob/master/etc/barbican/policy.jso >>n >> >> >> >>_ >>_ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >>openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> > > > >__ >OpenStack Development Mailing List (not for usage questions) >Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [barbican][castellan] How to share secrets in barbican
Thanks Kaitlin Farr. In tacker vim usecase, an operator [user A] may create a vim with an account[user B] to access the NFVI. I want to store user B's password in barbican. There are two methods to store secret: 1. All user A's vim secrets are stored in one common reserved project/user as mentioned. 2. For each user A, the vim secret is stored in it's own domain respectively. The problem of 2 is: 1) Vim can not be shared between different projects with default barbican RBAC policy. 2) It's not secure to open the access to all users via RBAC policy. In addition, barbican may be invoked by other projects, e.g. nova, neutron lb. 3) It's not convenient to add every user to the ACL of A's secret. Is barbican ACL suport a "shared" similar attribute to a secret? On 2017/3/31 3:05, Farr, Kaitlin M. wrote: As i known, the secrets are saved in a user's domain, and other project/user can not retrieve the secrets. But i have a situation that many users need retrieve a same secret. After looking into the castellan usage, I see the method that saving the credentials in configuration, then all operators use this pre-created user to create/retrieve secrets. I want to know, is this way typical and easy-accepted? Does other projects face this issue? By default, the secrets in Barbican are available at the project-level [1]. I am not sure specifically which project or feature you are referring to that all users need to access to one secret, but I would suggest that editing the Barbican RBAC policy or ACL is a more elegant solution than storing username/pw in the conf file. You can find more details about RBAC at [2] and a sample policy.json file at [3]. Kaitlin Farr 1. https://developer.openstack.org/api-guide/key-manager/acls.html#default-acl 2. https://docs.openstack.org/developer/barbican/admin-guide-cloud/access_control.html 3. https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [barbican][castellan] How to share secrets in barbican
> As i known, the secrets are saved in a user's domain, and other > project/user can not retrieve the secrets. > But i have a situation that many users need retrieve a same secret. > > After looking into the castellan usage, I see the method that saving the >credentials in configuration, > then all operators use this pre-created user to create/retrieve secrets. > I want to know, is this way typical and easy-accepted? Does other projects >face this issue? By default, the secrets in Barbican are available at the project-level [1]. I am not sure specifically which project or feature you are referring to that all users need to access to one secret, but I would suggest that editing the Barbican RBAC policy or ACL is a more elegant solution than storing username/pw in the conf file. You can find more details about RBAC at [2] and a sample policy.json file at [3]. Kaitlin Farr 1. https://developer.openstack.org/api-guide/key-manager/acls.html#default-acl 2. https://docs.openstack.org/developer/barbican/admin-guide-cloud/access_control.html 3. https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [barbican][castellan] How to share secrets in barbican
Hello, folks: As i known, the secrets are saved in a user's domain, and other project/user can not retrieve the secrets. But i have a situation that many users need retrieve a same secret. After looking into the castellan usage, I see the method that saving the credentials in configuration, then all operators use this pre-created user to create/retrieve secrets. I want to know, is this way typical and easy-accepted? Does other projects face this issue? Thanks. Yan Xing'an__ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev