  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-2249

[Dev] Add secret consumers support to castellan - barbican implementation


    • OSPPlanningCycle3

      As a developer of an OpenStack service, I want to be able to use castellan to add a consumer to a secret or delete one from it. I would expect the list of consumers for a secret to be returned as part of the secret's metadata.

      Summary

      Castellan is used by the other services to interact with a key manager (barbican or vault). We need to add consumers to castellan to take advantage of the consumers API that has been added to barbican, so that features like image encryption can move forward.

      As castellan is an interface with two different implementations, we will need to implement consumers in both the barbican and vault implementations. This particular story is concerned with making changes to the key manager interface, and with the barbican implementation. The vault implementation is broken out into a separate story.

      Definition of Ready

      There are already patches that are in progress for the implementation of secret consumers in the barbicanclient. This client is used by the barbican castellan implementation, so a release of barbicanclient with the new client code is needed to move forward with the changes in castellan. (https://review.opendev.org/q/topic:secret-consumers)

      There is also already a set of patches for adding secret consumers to castellan.
      (https://review.opendev.org/q/topic:add-consumers)

      These patches:

      • modify the key manager interface to add calls to add/delete consumers
      • add consumer data to the secret metadata
      • update the barbican key_manager implementation to use calls in barbicanclient
      • add unit and functional tests for the barbican client

      In these patches, the vault client is updated to return non-implemented for now, pending the completion of the vault implementation story.

      Dependency: Release of barbicanclient with consumer code

      Acceptance Criteria

      • All above patches merged
      • Functional and unit tests merged and passing (tests add/remove/list consumers)
      • Castellan documentation updated
      • Castellan released
      • Other development teams (in particular cinder, nova and glance) notified so they can start their work.

      Definition of Done

      Acceptance criteria completed.

            rh-ee-mharley Mauricio Harley
            ggrasza@redhat.com Grzegorz Grasza
            rhos-dfg-security