Update Crypto Plugin Interface

Registered by Douglas Mendizábal

As discussed during the Keystone hackathon in January, the plugin interface for Barbican needs to be modified to support a DogTag plugin. This change requires the "create" method to be removed from the plugin abstract base class. The method will be replaced with a "generate" method with a return signature that matches the "encrypt" method.

The plugin manager will change so that "generate_data_encryption_key" only calls the new "generate" method in the plugin instead of calling both "create" and "encrypt".

This allows a plugin to handle secret creation and encryption in one step. From Barbican's point of view, plugin encryption and plugin generation both produce an encrypted blob that will later be given back to the plugin for decryption. Barbican does not require that the encrypted blob actually contain the secret. The only requirement is that the plugin's decrypt method is able to produce the secret when given the encrypted blob.

For the DogTag plugin, this "encrypted blob" would be the DogTag URI of the secret stored in the KRA. Barbican doesn't care that the blob isn't really an encrypted secret. All that matters is that the DogTag plugin is able to produce the secret when the URI is given to its decrypt method.

barbican.common.resources.create_secret() needs to be updated so that the Secret UUID is available to the plugin during both encrypt() and generate(). This may require persisting the Secret object to the DB before calling the plugin, and adding try/except logic to clean up the Secret object if the plugin raises an exception, so that a failed plugin call does not leave an orphaned Secret row behind.
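The following is an added illustration, not Barbican's code and not taken from the reviews linked below, of the interface change and the create_secret() flow described above: an abstract base with encrypt()/generate()/decrypt(), a manager whose generate_data_encryption_key() calls only generate(), a stand-in plugin whose "encrypted blob" is a URI rather than ciphertext, and a create_secret() that persists the Secret before the plugin call and deletes it if the plugin raises. The class and method names, the method signatures, the in-memory repository and the kra:// URI scheme are all assumptions made for the example; Barbican's real encrypt() return value and DogTag's URI format are not reproduced here.

```python
"""Added example: plugin interface where encrypt() and generate() both return
an opaque blob that only the plugin needs to understand (assumed signatures)."""
import abc
import os
import uuid


class CryptoPluginBase(abc.ABC):
    """Plugin ABC after the change: no create(); generate() returns the same
    kind of value as encrypt()."""

    @abc.abstractmethod
    def encrypt(self, unencrypted, secret_id):
        """Return an opaque blob that Barbican will store for this secret."""

    @abc.abstractmethod
    def generate(self, bit_length, secret_id):
        """Create a new key in one step and return an opaque blob."""

    @abc.abstractmethod
    def decrypt(self, blob, secret_id):
        """Recover the secret bytes from a blob this plugin returned earlier."""


class UriBackedPlugin(CryptoPluginBase):
    """Stand-in for the DogTag plugin: the secret lives in an external store
    (a dict here) and the 'encrypted blob' is only a URI pointing at it."""

    def __init__(self, scheme="kra"):  # scheme is an assumption
        self._scheme = scheme
        self._store = {}

    def _uri(self, secret_id):
        return "%s://secrets/%s" % (self._scheme, secret_id)

    def encrypt(self, unencrypted, secret_id):
        self._store[secret_id] = bytes(unencrypted)
        return self._uri(secret_id).encode()

    def generate(self, bit_length, secret_id):
        self._store[secret_id] = os.urandom(bit_length // 8)
        return self._uri(secret_id).encode()

    def decrypt(self, blob, secret_id):
        if blob.decode() != self._uri(secret_id):
            raise ValueError("blob does not belong to secret %s" % secret_id)
        return self._store[secret_id]


class FailingPlugin(CryptoPluginBase):
    """Plugin whose back end is down; exercises the cleanup path."""

    def encrypt(self, unencrypted, secret_id):
        raise RuntimeError("backend unreachable")

    def generate(self, bit_length, secret_id):
        raise RuntimeError("backend unreachable")

    def decrypt(self, blob, secret_id):
        raise RuntimeError("backend unreachable")


class PluginManager:
    def __init__(self, plugin):
        self.plugin = plugin

    def encrypt(self, unencrypted, secret_id):
        return self.plugin.encrypt(unencrypted, secret_id)

    def generate_data_encryption_key(self, bit_length, secret_id):
        # After the change: one generate() call, not create() then encrypt().
        return self.plugin.generate(bit_length, secret_id)

    def decrypt(self, blob, secret_id):
        return self.plugin.decrypt(blob, secret_id)


class Secret:
    def __init__(self):
        self.id = str(uuid.uuid4())  # UUID exists before the plugin is called
        self.blob = None


class SecretRepo:
    """Stand-in for the DB repository (assumed interface)."""

    def __init__(self):
        self.rows = {}

    def save(self, secret):
        self.rows[secret.id] = secret

    def delete(self, secret_id):
        self.rows.pop(secret_id, None)


def create_secret(repo, manager, bit_length=256, plaintext=None):
    """Persist first so the plugin sees the Secret UUID; roll back on error."""
    secret = Secret()
    repo.save(secret)
    try:
        if plaintext is None:
            secret.blob = manager.generate_data_encryption_key(bit_length, secret.id)
        else:
            secret.blob = manager.encrypt(plaintext, secret.id)
    except Exception:
        repo.delete(secret.id)  # do not leave an orphan row without a blob
        raise
    repo.save(secret)
    return secret


def get_secret(repo, manager, secret_id):
    """Hand the stored blob back to the plugin; it alone knows what it means."""
    return manager.decrypt(repo.rows[secret_id].blob, secret_id)
```

Note that get_secret() never inspects the blob: whether it is ciphertext from a software plugin or a URI from a DogTag-style plugin, Barbican only stores it and hands it back, which is exactly the property the text relies on.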

Blueprint information

Douglas Mendizábal
Douglas Mendizábal
Ade Lee
Series goal: Accepted for juno
Milestone target: juno-2
Started by: Douglas Mendizábal
Completed by: Douglas Mendizábal

Related branches

Gerrit topic: https://review.openstack.org/#q,topic:bp/update-crypto-plugin-interface,n,z

Addressed by: https://review.openstack.org/84329
    Update crypto plugin interface to support Dogtag

Addressed by: https://review.openstack.org/85137
    Add Dogtag crypto plugin.
