On Tue, Jun 27, 2017 at 3:33 PM, Jay Pipes <jaypi...@gmail.com> wrote:

> From what I can tell, Keycloak is an Identity provider, not a secret store?

Yes! I should explain in more detail.

CloudBand is a big enterprise system for SDN, and OpenStack is a part of it.
The default Identity provider of the system is Keycloak.
Currently Glare is used there not as a part of an OpenStack deployment, but as
a standalone service outside of OpenStack.
For this reason, earlier this year we implemented Keycloak auth middleware
for the server and an authentication mechanism in the client,
i.e. we can use Keycloak instead of Keystone.

The decision regarding the secrets was taken on the grounds that Barbican
does not have such an ability, and it's tightly attached
to Keystone. Moreover, it was not difficult to implement the plugin for
Glare.
As I said, originally this was a private plugin, which was decided to
open-source for the OpenStack community. If this is not required, then
we can always cancel it. I don't see any problems with this.


> -jay
>
> On 06/27/2017 05:35 AM, Adam Heczko wrote:
>
>> Barbican already supports multiple secret storage backends [1] and most
>> likely adding Keycloak's one [2] should be possible.
>>
>> [1] https://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
>> [2] https://github.com/jpkrohling/secret-store
>>
>> On Tue, Jun 27, 2017 at 10:42 AM, Thierry Carrez <thie...@openstack.org> wrote:
>>
>>     Mikhail Fedosin wrote:
>>     >             Does the above mean you are implementing a shared secret storage
>>     >             solution or that you are going to use an existing solution like
>>     >             Barbican that does that?
>>     >
>>     >         Secrets is a plugin for Glare we developed for the Nokia CloudBand
>>     >         platform, and they just decided to opensource it. It doesn't
>>     >         use Barbican; technically it is an oslo.versionedobjects class.
>>     >
>>     >     Sorry to hear that you opted not to use Barbican.
>>     >
>>     > I think it's only because Keycloak integration is required by Nokia's
>>     > system and Barbican doesn't support it.
>>
>>     Any technical reason why it couldn't be added to Barbican? Any chance
>>     Keycloak integration could be added as a Castellan backend? Secrets
>>     management is really one of those things that should *not* be reinvented
>>     in every project. It is easier to get wrong than people think, and you
>>     end up having to do security audits on 10 repositories instead of one.
>>
>>     --
>>     Thierry Carrez (ttx)
>>
>>     __________________________________________________________________________
>>     OpenStack Development Mailing List (not for usage questions)
>>     Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> --
>> Adam Heczko
>> Security Engineer @ Mirantis Inc.