Hi Naveed,

It is possible to deploy Barbican without Keystone, but you should take care to secure access to the service by other means.

Typically, you would deploy Barbican and configure keystonemiddleware to validate keystone tokens provided by the user. The middleware takes care of validating the token with the Keystone service and then adds the user information it received to the request in the form of new request headers. [1]

Barbican will look at the X-Project-Id, X-User-Id and X-Roles headers in the request and apply the rules in policy.json [2] to decide whether the user sending the request should be allowed to access a secret or not.

Whatever non-keystone auth option you choose must add those same headers to the request. For example, I have deployed Barbican using Repose [3] instead of keystonemiddleware to perform authN/authZ against my company's identity service. I then configured Repose to add the required headers after validating the identity of the user. Since barbican is only looking at the request after Repose processed it, it made no difference that I was not using keystonemiddleware.

If you really don't want any kind of auth in front of Barbican (not sure why you'd do this other than to kick the tires on the API) then you can look at the no-auth setup in [4].

I hope that helps,
- Douglas

[1] http://docs.openstack.org/developer/keystonemiddleware/api/keystonemiddleware.auth_token.html#what-auth-token-adds-to-the-request-for-use-by-the-openstack-service
[2] https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json
[3] http://www.openrepose.org/
[4] http://docs.openstack.org/developer/barbican/setup/noauth.html

On 1/25/17 11:09 AM, Naveed A wrote:
> Hello,
>
> Has anyone tried implementing barbican in standalone mode so that
> it is connected to HSM or KMIP but not using keystone? Would such a
> setup work?
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
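
Added example (not part of the original message, and not Barbican, keystonemiddleware or Repose code): a WSGI filter showing the pattern the reply describes, where a non-Keystone auth layer sets X-Project-Id, X-User-Id and X-Roles before Barbican sees the request. The token table, the use of X-Auth-Token as the credential header, and the names TOKENS, lookup_token and TrustedIdentityHeaders are assumptions; the filter also discards client-supplied copies of the identity headers so only the auth layer can set them.

```python
# Added example: WSGI filter standing in for keystonemiddleware in front of
# Barbican. TOKENS, lookup_token and TrustedIdentityHeaders are hypothetical.
import hmac

# WSGI environ keys for X-Project-Id, X-User-Id and X-Roles.
IDENTITY_HEADERS = ("HTTP_X_PROJECT_ID", "HTTP_X_USER_ID", "HTTP_X_ROLES")

# Constructed sample data; a real deployment would call its identity service.
TOKENS = {
    "tok-alice": {"project": "proj-1", "user": "alice", "roles": ["creator"]},
}


def lookup_token(token):
    """Constant-time match of the presented token against known tokens."""
    for known, identity in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return identity
    return None


class TrustedIdentityHeaders:
    """Authenticate the caller, then set the headers Barbican's policy reads."""

    def __init__(self, app, validate=lookup_token):
        self.app = app
        self.validate = validate

    def __call__(self, environ, start_response):
        # Drop client-supplied copies first, or a caller could claim any
        # project, user or role just by sending the headers itself.
        for key in IDENTITY_HEADERS:
            environ.pop(key, None)
        # Assumption: the credential arrives in X-Auth-Token.
        identity = self.validate(environ.get("HTTP_X_AUTH_TOKEN", ""))
        if identity is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        environ["HTTP_X_PROJECT_ID"] = identity["project"]
        environ["HTTP_X_USER_ID"] = identity["user"]
        # Roles are passed as one comma-delimited header value.
        environ["HTTP_X_ROLES"] = ",".join(identity["roles"])
        return self.app(environ, start_response)
```

Barbican must only be reachable through this layer; a request that bypasses it can carry whatever identity headers the sender chooses.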