Change GET decrypted secrets to unique URI

Registered by John Wood

Currently, retrieving the metadata and retrieving the actual decrypted data for a secret stored in Barbican use the same URI; only the Accept header determines which response is returned. This complicates deployments that put an RBAC system in front of Barbican (such as Repose - http://openrepose.org/) or run one as middleware (such as EOM - https://github.com/racker/eom). It also requires adding logic like this to the Barbican app when it is controlling RBAC: https://github.com/openstack/barbican/blob/master/barbican/api/controllers/__init__.py#L53

This blueprint proposes using a unique URI to access decrypted secrets, such as this: <host>/v1/secrets/<secret-UUID>/payload
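
The sketch below is an added example, not Barbican, Repose or EOM code. It models a URI-based RBAC filter to show why the shared URI leaves a gap that the `/payload` resource closes. The role names, the rule table and the simplified Accept handling are assumptions made for illustration.

```python
import re

# Constructed example: role names and Accept handling are assumptions,
# not Barbican's actual policy or code.
SECRET = re.compile(r"^/v1/secrets/[0-9a-f-]{36}$")
PAYLOAD = re.compile(r"^/v1/secrets/[0-9a-f-]{36}/payload$")

# Rules a URI-based RBAC layer can express: (method, path pattern) -> roles.
RULES = [
    ("GET", PAYLOAD, {"admin", "creator"}),            # decrypted secret
    ("GET", SECRET, {"admin", "creator", "auditor"}),  # metadata only
]

def authorize_by_uri(method, path, roles):
    """Decide from method and path alone; default deny."""
    for rule_method, pattern, allowed in RULES:
        if method == rule_method and pattern.match(path):
            return bool(allowed & set(roles))
    return False

def discloses_plaintext(path, headers, unique_uri):
    """Model which backend response a GET produces under each scheme."""
    if unique_uri:
        return bool(PAYLOAD.match(path))
    # Shared-URI scheme: a non-JSON Accept on the secret URI selects the payload.
    accept = headers.get("Accept", "application/json")
    return bool(SECRET.match(path)) and accept != "application/json"

def auditor_reads_plaintext(path, headers, unique_uri):
    """True when the URI filter admits an auditor AND plaintext comes back."""
    allowed = authorize_by_uri("GET", path, ["auditor"])
    return allowed and discloses_plaintext(path, headers, unique_uri)

SECRET_URI = "/v1/secrets/11111111-2222-3333-4444-555555555555"  # constructed UUID

if __name__ == "__main__":
    plain = {"Accept": "text/plain"}
    print("shared URI:", auditor_reads_plaintext(SECRET_URI, plain, unique_uri=False))
    print("unique URI:", auditor_reads_plaintext(SECRET_URI + "/payload", plain, unique_uri=True))
```

With the shared URI, the metadata rule admits the auditor and the Accept header then selects the decrypted data, so the filter would have to inspect headers as well. With the unique URI, the same role is denied by path alone.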

Blueprint information

Status: Complete
Approver: Douglas Mendizábal
Priority: Medium
Drafter: John Wood
Direction: Approved
Assignee: Juan Antonio Osorio Robles
Definition: Approved
Series goal: Accepted for kilo
Implementation: Implemented
Milestone target: 2015.1.0
Started by: John Wood
Completed by: Douglas Mendizábal

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/api-change-get-secrets-decrypted,n,z

Addressed by: https://review.openstack.org/157068
    Enable secret decrypt through 'payload' resource
