Re: [openstack-dev] [keystone] [barbican] Keystone's use of Barbican ?

2018-08-30 Thread Adrian Turjak
Actually, now that I think about it, another problem is that (at least in our case) Keystone is really a cluster-wide service present across regions, so if it was to use Barbican (or Vault for that matter) then the secret store service would too need to be cluster-wide and across all regions. Our

Re: [openstack-dev] [keystone] [barbican] Keystone's use of Barbican ?

2018-08-30 Thread Adrian Turjak
Oh, I was literally just thinking about the 'credential' type key-value items we store in the Keystone DB. Rather than storing them in the Keystone DB and worrying about encryption (and encryption keys) in Keystone around what is otherwise a plaintext secret, just offload that to a service specific

Re: [openstack-dev] [keystone] [barbican] Keystone's use of Barbican ?

2018-08-30 Thread Lance Bragstad
This topic has surfaced intermittently ever since keystone implemented fernet tokens in Kilo. An initial idea was written down shortly afterwards [0], then we targeted it to Ocata [1], and removed it from the backlog around the Pike timeframe [2]. The commit message of [2] includes meeting links. The

Re: [openstack-dev] [keystone] [barbican] Keystone's use of Barbican ?

2018-08-30 Thread Juan Antonio Osorio Robles
FWIW, instead of barbican, castellan could be used as a key manager. On 08/30/2018 12:23 PM, Adrian Turjak wrote: > > > On 30/08/18 6:29 AM, Lance Bragstad wrote: >> >> Is that what is being described here? >> >>

Re: [openstack-dev] [keystone] [barbican] Keystone's use of Barbican ?

2018-08-30 Thread Adrian Turjak
On 30/08/18 6:29 AM, Lance Bragstad wrote: > > Is that what is being described here? > > https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html > > > This is a separate mechanism for storing secrets, not necessarily > passwords (although I agree the term

Re: [openstack-dev] [keystone] [barbican] Keystone's use of Barbican ?

2018-08-29 Thread Lance Bragstad
> > > > > *From: *Juan Antonio Osorio Robles > *Reply-To: *"openstack-dev@lists.openstack.org" < > openstack-dev@lists.openstack.org> > *Date: *Wednesday, August 29, 2018 at 2:00 PM > *To: *"openstack-dev@lists.openstack.org" < > opens

Re: [openstack-dev] [keystone] [barbican] Keystone's use of Barbican ?

2018-08-29 Thread Waines, Greg
-To: "openstack-dev@lists.openstack.org" Date: Wednesday, August 29, 2018 at 2:00 PM To: "openstack-dev@lists.openstack.org" Subject: Re: [openstack-dev] [keystone] [barbican] Keystone's use of Barbican ? This is not the case. Barbican requires users and systems that use

Re: [openstack-dev] [keystone] [barbican] Keystone's use of Barbican ?

2018-08-29 Thread Juan Antonio Osorio Robles
This is not the case. Barbican requires users and systems that use it to use keystone for authentication. So keystone can't use Barbican for this. Chicken-and-egg problem. On 08/29/2018 08:08 PM, Waines, Greg wrote: > > My understanding is that Keystone can be configured to use Barbican to >