Multiple Secret Backend Suppport

Registered by Arun Kant on 2016-01-06

Barbican supports secret storage in HSM device as well as in a database. So far, Barbican has implicit concept of configuring one active plugin for secret store which means all of the new secrets are going to be stored via same plugin (i.e. same storage backend). This approach can limit the usage of barbican in a typical cloud deployment where not all services/applications have similar data sensitivity and hence don't have neccessity of using same mechanism to safeguard its encrpytion keys. Also HSM are expensive devices which have limited storage capacity and performance characteristics in comparison to database.

Proposal is to allow multiple secret store backend available in a single
barbican deployment. As part of this change, client has choice to select
preferred backend at a project level.

Blueprint information

Status:
Not started
Approver:
None
Priority:
Undefined
Drafter:
Arun Kant
Direction:
Needs approval
Assignee:
Arun Kant
Definition:
New
Series goal:
None
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/multiple-secret-backend,n,z

Addressed by: https://review.openstack.org/341803
    Adding API docs for multiple backend support

Addressed by: https://review.openstack.org/348092
    Adding multiple backend db model and repo support

Addressed by: https://review.openstack.org/354285
    Adding central logic to manage multiple backend feature.

Addressed by: https://review.openstack.org/357544
    Adding central logic to sync secret store data with conf data

Addressed by: https://review.openstack.org/358162
    Adding rest API for secret-stores resource (Part 4)

Addressed by: https://review.openstack.org/360202
    Adding functional tests for multiple backend changes (Part 5)

Addressed by: https://review.openstack.org/370390
    Adding reno release notes for multiple backend feature

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.