From what I can tell, Keycloak is an Identity provider, not a secret store?
-jay
On 06/27/2017 05:35 AM, Adam Heczko wrote:
Barbican already supports multiple secret storage backends [1] and most
likely adding Keycloak's one [2] should be possible.
[1]
https://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
[2] https://github.com/jpkrohling/secret-store
On Tue, Jun 27, 2017 at 10:42 AM, Thierry Carrez <thie...@openstack.org
<mailto:thie...@openstack.org>> wrote:
Mikhail Fedosin wrote:
> Does the above mean you are implementing a share secret
storage
> solution or that you are going to use an existing solution
like
> Barbican that does that?
>
> Sectets is a plugin for Glare we developed for Nokia CloudBand
> platform, and they just decided to opensource it. It doesn't
> use Barbican, technically it is oslo.versionedobjects class.
>
> Sorry to hear that you opted not to use Barbican.
>
> I think it's only because Keycloak integration is required by Nokia's
> system and Barbican doesn't support it.
Any technical reason why it couldn't be added to Barbican ? Any chance
Keycloak integration could be added as a Castellan backend ? Secrets
management is really one of those things that should *not* be reinvented
in every project. It is easier to get wrong than people think, and you
end up having to do security audits on 10 repositories instead of one.
--
Thierry Carrez (ttx)
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
<http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
--
Adam Heczko
Security Engineer @ Mirantis Inc.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev