Transport layer security is needed in Barbican
Currently the Barbican API does not offer transport layer security, which is essential for secure communication.
Support for 1-way and 2-way SSL is required.
This is needed to support client-certificate-based authentication.
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Arvind Tiwari
- Direction: Needs approval
- Assignee: Arvind Tiwari
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by: (none)
- Completed by: Douglas Mendizábal
Whiteboard
Arvind, do you mean key wrapping here, or SSL support? If this is related to SSL support, this would be handled via uWSGI or whichever WSGI container is used. If this is key wrapping related, it would be good to clarify that in the text above.
ATiwari: Here are my thoughts about this BP
Currently Barbican cannot work in a stand-alone mode; it has to integrate with Keystone for user/client/service authentication. Keystone integration is needed for token validation.
Token validation calls are costly and are not needed for every deployment where services are working in a non-hostile environment or white-listing mode.
e.g. I trust Nova/Cinder/
My approach to solve this use case (user/client/
What are your thoughts?
[john-wood-w] Barbican can run in an unauthenticated mode (in fact the quick-start install via bin/barbican.sh install sets Barbican up this way). In this case uWSGI, or your pick of WSGI container, could be configured for SSL. Does this satisfy your use case above?
Note: it is not a priority for me right now.
john-wood-w: Just adding that Keystone does have a PKI mode of operation that does what I think you are looking for here Arvind. However, it has the drawback that tokens can become large (as they encrypt the service catalog as well) and overrun HTTP buffers.