From 2e93447e665e63bbab04028c52b5b68654e23624 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Wed, 6 Jun 2018 01:08:19 +0000
Subject: [PATCH] Castellan-compatible key store is a base service

Per the past year of discussions, culminating in the most recent mailing list thread[*], it's apparent that providing a consistent solution for storage of key material and similar secrets by security features of various OpenStack services is in the best interests of the project. By providing this guarantee in the base services set, projects don't need to worry about implementing insecure fallback alternatives or needlessly duplicating functionality to cope with the lack of an already-available solution.

[*] http://lists.openstack.org/pipermail/openstack-dev/2018-May/130567.html

Change-Id: Ia46211f41726d5671bf28a632d17fc56965b6fcc
---
 reference/base-services.rst | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/reference/base-services.rst b/reference/base-services.rst
index 612f5b763..67723b3b5 100644
--- a/reference/base-services.rst
+++ b/reference/base-services.rst
@@ -37,6 +37,18 @@ the system which may also benefit from using it. Current list of base services ============================= +**A Castellan-compatible key store** + OpenStack components may keep secrets in a key store, using Oslo's + Castellan library as an indirection layer. While OpenStack provides a + Castellan-compatible key store service, Barbican, other key store backends + are also available for Castellan. Note that in the context of the base + services set Castellan is intended only to provide an interface for + services to interact with a key store, and it should not be treated as a + means to proxy API calls from users to that key store. In order to reduce + unnecessary exposure risks, any user interaction with secret material + should be left to a dedicated API instead (preferably as provided by + Barbican). + **An oslo.db-compatible database** OpenStack components store data in a database, using oslo.db as an indirection layer. While most OpenStack deployments use MySQL, other
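Review bot: the new entry only implies the obligation ("OpenStack components may keep secrets in a key store"), whereas the point of adding it to the base services set, as the commit message says, is to guarantee that a Castellan-compatible key store is available so projects need not implement insecure fallbacks; consider stating that expectation explicitly in the entry, matching the imperative tone of the surrounding "oslo.db-compatible database" item. The second half of the entry (Castellan is an interface for services, not a proxy for user API calls; user interaction with secret material belongs to a dedicated API such as Barbican) is the security-relevant part and reads well, but it would help to say in one sentence why: a service that relays secret material through its own API widens the set of endpoints and roles that can read secrets, which is the "unnecessary exposure risks" the text alludes to. Finally, consider adding inline links to the Castellan and Barbican documentation, since a reader of this RST page has no other pointer to which backends Castellan supports.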