Remove Keystone Dependency from Castellan

Registered by Fernando Diaz on 2015-11-03

Problem Description
===================

Currently in Castellan in order to obtain access to Barbican via the Barbican
Key manager a `context` containing a valid Keystone `auth-token` must be
provided.

The Swift Keymaster under development[1] will access Castellan in order to
obtain Secrets from Barbican, but would like to have a Keystone service user
with access to all keys and in the future be able to have independent user
access. For a service user, a `context` containing a Keystone `username`
and `password` will be used. Castellan must support this.

Proposed Change
===============

The proposed change is to allow Castellan to be able to check the context for
the Barbican Key Manager and be able to determine what type of Keystone
authentication function to use.

There will be a new type of hierarchal context object which will be passed from
the user/service to Castellan. It will be used instead of oslo.context.

The hierarchal context will consist of a `Credential` object as the parent
class and the children will be:

1.) `TokenCredential`, for authenticating with a token.

2.) `PasswordCredential`, for authenticating with a username and password.

3.) `CertificateCredential`, for authenticating with a certificate.

The context is first checked to see what type of object it is, after that we
determine which Keystone auth-type to use.

Blueprint information

Status:
Complete
Approver:
Nathan Reller
Priority:
Medium
Drafter:
Fernando Diaz
Direction:
Needs approval
Assignee:
Fernando Diaz
Definition:
Approved
Series goal:
None
Implementation:
Implemented
Milestone target:
None
Started by
Fernando Diaz on 2016-01-27
Completed by
Fernando Diaz on 2016-03-03

Related branches

Sprints

Whiteboard

Spec: https://review.openstack.org/#/c/241068/

Gerrit topic: https://review.openstack.org/#q,topic:270602,n,z

Addressed by: https://review.openstack.org/270602
    Introduce Castellan Credential Objects

Addressed by: https://review.openstack.org/273863
    WIP: Introduce Castellan Credential Factory

Addressed by: https://review.openstack.org/273872
    Allow Barbican Key Manager to accept different auth credentials

Gerrit topic: https://review.openstack.org/#q,topic:bp/remove-keystone-dependency,n,z

Addressed by: https://review.openstack.org/274183
    Add Credential Authentication Usage Documentation

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.