Transport layer security is needed in Barbican

Registered by Arvind Tiwari

Currently the Barbican API does not offer transport layer security, which is extremely needed for secure communication.

Support for 1-way and 2-way SSL is required.

This is needed to support client cert based authentication.

Blueprint information

Arvind Tiwari
Needs approval
Arvind Tiwari
Series goal:
Milestone target:
Completed by
Douglas Mendizábal


Arvind, do you mean key wrapping here, or SSL support? If this is related to SSL support, this would be handled via uWSGI or whichever WSGI container is used. If this is key wrapping related, it would be good to clarify that in the text above.

ATiwari: Here are my thoughts about this BP
Currently Barbican cannot work in a standalone mode; it has to integrate with Keystone for user/client/service authentication. Keystone integration is needed for token validation.
Token validation is a costly call and is not needed for every deployment where services are working in a non-hostile environment or whitelisting mode.

E.g. if I trust Nova/Cinder/XYZservice in my deployment, then why do token validation on every call when these services are doing any business with Barbican?

My approach to solving this use case (user/client/service authentication) is to use SSL certificates. If we have this capability then we are good; otherwise we have to think about it.

What are your thoughts?

[john-wood-w] Barbican can run in an unauthenticated mode (in fact the quick-start install via bin/ install sets Barbican up this way). In this case uWSGI or your pick of WSGI container could be configured for SSL. Does this satisfy your use case above?

Note: it is not a priority for me right now.

john-wood-w: Just adding that Keystone does have a PKI mode of operation that does what I think you are looking for here Arvind. However, it has the drawback that tokens can become large (as they encrypt the service catalog as well) and overrun HTTP buffers.
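The use case discussed above (trusting Nova/Cinder by client certificate when Barbican runs unauthenticated behind a WSGI container doing 2-way SSL) can be sketched as a small WSGI middleware. This is an added example, not Barbican code or anything proposed in the thread; it assumes the TLS terminator has already verified the client certificate and exposes its subject DN in the WSGI environ, and the key name `HTTPS_DN`, the `barbican.trusted_service_dn` key and the sample DNs are assumptions.

```python
# Added example: WSGI middleware that admits only allowlisted client-certificate
# subjects. Assumes the TLS terminator verified the certificate (2-way SSL) and
# put its subject DN in the WSGI environ; key names and DNs are assumptions.

class ClientCertAllowlist:
    def __init__(self, app, allowed_dns, dn_key="HTTPS_DN"):
        # Keys starting with HTTP_ are filled from client request headers, so a
        # caller could forge them; only accept a key the server itself sets.
        if dn_key.startswith("HTTP_"):
            raise ValueError("dn_key must not be a client-controlled header")
        self.app = app
        self.allowed = frozenset(allowed_dns)
        self.dn_key = dn_key

    def __call__(self, environ, start_response):
        dn = environ.get(self.dn_key, "")
        # Exact match on the whole subject DN; matching on a CN substring would
        # admit "CN=nova-evil" or a "CN=nova" issued under another organization.
        if not dn or dn not in self.allowed:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"client certificate not allowlisted\n"]
        environ["barbican.trusted_service_dn"] = dn  # hypothetical key
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Stand-in for the Barbican WSGI application (constructed for the example).
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["barbican.trusted_service_dn"].encode()]


def call(app, environ):
    """Run one request against a WSGI app and return (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(app(dict(environ), start_response))
    return seen["status"], body


# Constructed subject DNs for the trusted services named in the discussion.
ALLOWED = {"/O=ExampleCloud/CN=nova", "/O=ExampleCloud/CN=cinder"}
wrapped = ClientCertAllowlist(demo_app, ALLOWED)
```

With 1-way SSL no client subject is present, so every request is refused; the allowlist only has meaning when the container requires and verifies client certificates.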

