Re: [openstack-dev] [barbican][castellan] How to share secrets in barbican

2017-03-31 Thread Dave McCowan (dmccowan)

Another option:

If you want to give User-A read access to all Project-B secrets, you could
assign User-A the role of "observer" in Project-B.

This would use the default RBAC policy, not give every user access to the
secrets, and be more convenient than adding each user to the ACL of each
secret.

Tacker would use the Operator's token to retrieve secrets, and not shared
credentials from the configuration file.

On 3/31/17, 2:58 AM, "yanxingan" wrote:

>
>Thanks Kaitlin Farr.
>
>In tacker vim usecase, an operator [user A] may create a vim with an
>account[user B] to access the NFVI. I want to store user B's password in
>barbican.
>
>There are two methods to store secret:
>1. All user A's vim secrets are stored in one common reserved
>project/user as mentioned.
>2. For each user A, the vim secret is stored in its own domain
>respectively.
>
>The problem of 2 is:
>1) Vim cannot be shared between different projects with default
>barbican RBAC policy.
>2) It's not secure to open the access to all users via RBAC policy. In
>addition, barbican may be invoked by other projects, e.g. nova, neutron
>lb.
>3) It's not convenient to add every user to the ACL of A's secret.
>
>Does barbican ACL support a "shared"-like attribute for a secret?
>
>
>On 2017/3/31 3:05, Farr, Kaitlin M. wrote:
>>
>>>As I know, the secrets are saved in a user's domain, and other
>>>projects/users cannot retrieve the secrets.
>>> But I have a situation where many users need to retrieve the same secret.
>>>
>>> After looking into the castellan usage, I see the method of saving the
>>>credentials in configuration,
>>>  then all operators use this pre-created user to create/retrieve
>>>secrets.
>>>  I want to know, is this way typical and easily accepted? Do other
>>>projects face this issue?
>>
>>
>> By default, the secrets in Barbican are available at the project-level
>> [1]. I am not sure specifically which project or feature you are
>> referring to that all users need to access to one secret, but I would
>> suggest that editing the Barbican RBAC policy or ACL is a more elegant
>> solution than storing username/pw in the conf file. You can find more
>> details about RBAC at [2] and a sample policy.json file at [3].
>>
>> Kaitlin Farr
>>
>> 1. https://developer.openstack.org/api-guide/key-manager/acls.html#default-acl
>> 2. https://docs.openstack.org/developer/barbican/admin-guide-cloud/access_control.html
>> 3. https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json
>>
>>

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
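A small model of the default Barbican read policy the thread refers to, as an added example (not Barbican or Tacker code): the rule names are assumed to match the default policy.json of that era, the evaluation is hand-written rather than oslo.policy reading the real file, and the project, user and role values are constructed. It checks the situations discussed above (a token from another project, a per-secret ACL entry, and the observer role in Project-B) and shows that the role only helps when the token is scoped to Project-B.

```python
from dataclasses import dataclass, field

# Roles the default "all_but_audit" rule admits to secret:decrypt; "audit" may
# read metadata (rule "all_users") but not the payload. Assumed from policy.json.
DECRYPT_ROLES = {"admin", "observer", "creator"}

@dataclass
class Token:
    user_id: str
    project_id: str          # project the token is scoped to, not the user's home
    roles: set

@dataclass
class Secret:
    project_id: str
    creator_id: str
    read_project_access: bool = True                  # False = "private" secret
    acl_read_users: set = field(default_factory=set)  # per-secret ACL "read" list

def can_decrypt(tok: Token, sec: Secret) -> bool:
    """secret:decrypt = secret_decrypt_non_private_read or secret_project_creator
    or secret_project_admin or secret_acl_read (rule names from the default policy)."""
    project_match = tok.project_id == sec.project_id
    non_private_read = (bool(tok.roles & DECRYPT_ROLES) and project_match
                        and sec.read_project_access)
    project_creator = ("creator" in tok.roles and project_match
                       and tok.user_id == sec.creator_id)
    project_admin = "admin" in tok.roles and project_match
    acl_read = tok.user_id in sec.acl_read_users
    return non_private_read or project_creator or project_admin or acl_read

VIM_SECRET = Secret(project_id="project-b", creator_id="user-b")  # constructed

def user_a_from_project_a() -> bool:
    """Token scoped to Project-A: denied by the default policy (problem 1)."""
    return can_decrypt(Token("user-a", "project-a", {"creator"}), VIM_SECRET)

def user_a_via_acl() -> bool:
    """user-a added to this one secret's ACL read list (per-secret, problem 3)."""
    sec = Secret("project-b", "user-b", acl_read_users={"user-a"})
    return can_decrypt(Token("user-a", "project-a", {"creator"}), sec)

def user_a_as_observer_in_project_b() -> bool:
    """Dave's option: observer role in Project-B, token scoped to Project-B."""
    return can_decrypt(Token("user-a", "project-b", {"observer"}), VIM_SECRET)

def user_a_observer_wrong_scope() -> bool:
    """Same role, but the token is still scoped to Project-A: project_match fails."""
    return can_decrypt(Token("user-a", "project-a", {"observer"}), VIM_SECRET)
```

Tacker would therefore need to request a Project-B-scoped token for the operator, not merely have the role granted.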


Re: [openstack-dev] [barbican][castellan] How to share secrets in barbican

2017-03-31 Thread yanxingan


Thanks Kaitlin Farr.

In tacker vim usecase, an operator [user A] may create a vim with an 
account[user B] to access the NFVI. I want to store user B's password in 
barbican.


There are two methods to store secret:
1. All user A's vim secrets are stored in one common reserved 
project/user as mentioned.
2. For each user A, the vim secret is stored in its own domain
respectively.


The problem of 2 is:
1) Vim cannot be shared between different projects with default
barbican RBAC policy.
2) It's not secure to open the access to all users via RBAC policy. In
addition, barbican may be invoked by other projects, e.g. nova, neutron lb.
3) It's not convenient to add every user to the ACL of A's secret.

Does barbican ACL support a "shared"-like attribute for a secret?


On 2017/3/31 3:05, Farr, Kaitlin M. wrote:

>> As I know, the secrets are saved in a user's domain, and other
>> projects/users cannot retrieve the secrets.
>> But I have a situation where many users need to retrieve the same secret.
>>
>> After looking into the castellan usage, I see the method of saving the
>> credentials in configuration, then all operators use this pre-created user
>> to create/retrieve secrets.
>> I want to know, is this way typical and easily accepted? Do other projects
>> face this issue?
>
> By default, the secrets in Barbican are available at the project-level
> [1]. I am not sure specifically which project or feature you are
> referring to that all users need to access to one secret, but I would
> suggest that editing the Barbican RBAC policy or ACL is a more elegant
> solution than storing username/pw in the conf file. You can find more
> details about RBAC at [2] and a sample policy.json file at [3].
>
> Kaitlin Farr
>
> 1. https://developer.openstack.org/api-guide/key-manager/acls.html#default-acl
> 2. https://docs.openstack.org/developer/barbican/admin-guide-cloud/access_control.html
> 3. https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json




Re: [openstack-dev] [barbican][castellan] How to share secrets in barbican

2017-03-30 Thread Farr, Kaitlin M.

> As I know, the secrets are saved in a user's domain, and other
> projects/users cannot retrieve the secrets.
> But I have a situation where many users need to retrieve the same secret.
>
> After looking into the castellan usage, I see the method of saving the
> credentials in configuration,
> then all operators use this pre-created user to create/retrieve secrets.
> I want to know, is this way typical and easily accepted? Do other projects
> face this issue?

By default, the secrets in Barbican are available at the project-level
[1]. I am not sure specifically which project or feature you are
referring to that all users need to access to one secret, but I would
suggest that editing the Barbican RBAC policy or ACL is a more elegant
solution than storing username/pw in the conf file. You can find more
details about RBAC at [2] and a sample policy.json file at [3].

Kaitlin Farr

1. https://developer.openstack.org/api-guide/key-manager/acls.html#default-acl
2. https://docs.openstack.org/developer/barbican/admin-guide-cloud/access_control.html
3. https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json



[openstack-dev] [barbican][castellan] How to share secrets in barbican

2017-03-28 Thread yanxin...@cmss.chinamobile.com

Hello, folks:
As I know, the secrets are saved in a user's domain, and other
projects/users cannot retrieve the secrets.
But I have a situation where many users need to retrieve the same secret.

After looking into the castellan usage, I see the method of saving the
credentials in configuration,
then all operators use this pre-created user to create/retrieve secrets.
I want to know, is this way typical and easily accepted? Do other projects face
this issue?

Thanks.
Yan Xing'an