Change GET decrypted secrets to unique URI

Registered by John Wood on 2014-10-02

Currently retrieving the metadata and actual decrypted data for a secret stored in Barbican uses the same URI, with only the Accept header used to determine which response to return. This complicates deployments with RBAC systems in front of Barbican (such as Repose - http://openrepose.org/) or as middleware (such as EOM - https://github.com/racker/eom). It also requires adding logic like this to the Barbican app when it is controlling RBAC: https://github.com/openstack/barbican/blob/master/barbican/api/controllers/__init__.py#L53

This blueprint proposes using a unique URI to access decrypted secrets, such as this: <host>/v1/secrets/<secret-UUID>/payload

Blueprint information

Status:
Complete
Approver:
Douglas Mendizábal
Priority:
Medium
Drafter:
John Wood
Direction:
Approved
Assignee:
Juan Antonio Osorio Robles
Definition:
Approved
Series goal:
Accepted for kilo
Implementation:
Implemented
Milestone target:
milestone icon 2015.1.0
Started by
John Wood on 2015-03-02
Completed by
Douglas Mendizábal on 2015-03-04

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/api-change-get-secrets-decrypted,n,z

Addressed by: https://review.openstack.org/157068
    Enable secret decrypt through 'payload' resource

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.