Remove Keystone Dependency from Castellan

Registered by Fernando Diaz

Problem Description
===================

To access Barbican through Castellan's Barbican Key Manager, the caller must
currently provide a `context` containing a valid Keystone `auth-token`.

The Swift Keymaster under development[1] will use Castellan to obtain Secrets
from Barbican. It would like to use a Keystone service user with access to all
keys and, in the future, to support independent user access. For a service
user, a `context` containing a Keystone `username` and `password` will be
used. Castellan must support this.

Proposed Change
===============

The proposed change is to have Castellan check the context passed to the
Barbican Key Manager and determine which type of Keystone authentication
function to use.

There will be a new type of hierarchical context object, which will be passed
from the user/service to Castellan. It will be used instead of oslo.context.

The hierarchical context will consist of a `Credential` object as the parent
class, and the children will be:

1.) `TokenCredential`, for authenticating with a token.

2.) `PasswordCredential`, for authenticating with a username and password.

3.) `CertificateCredential`, for authenticating with a certificate.

The context is first checked to see what type of object it is; after that, we
determine which Keystone auth-type to use.
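
The type check described above, sketched as an added example (not Castellan's own code): the class names come from this blueprint, while the field names, the `select_auth` helper and the auth-type labels are assumptions. Anything that is not a recognised `Credential` subclass is rejected, and secrets are kept out of `repr()` so they do not reach logs.

```python
"""Added illustration: class names follow the blueprint, the rest is assumed."""
from dataclasses import dataclass, field, fields


class Credential:
    """Parent of every credential type the key manager accepts."""


@dataclass(frozen=True)
class TokenCredential(Credential):
    token: str = field(repr=False)       # secret: excluded from repr() and logs


@dataclass(frozen=True)
class PasswordCredential(Credential):
    username: str
    password: str = field(repr=False)    # secret: excluded from repr() and logs


@dataclass(frozen=True)
class CertificateCredential(Credential):
    cert_path: str                       # hypothetical field: client cert path


# Hypothetical labels for the Keystone auth method each credential selects.
_AUTH_TYPES = {
    TokenCredential: "token",
    PasswordCredential: "password",
    CertificateCredential: "certificate",
}


def select_auth(context):
    """Return (auth_type, params) for a credential; raise on anything else."""
    if not isinstance(context, Credential):
        # Report only the type name so no secret value ends up in the message.
        raise TypeError("context must be a Credential, got %s"
                        % type(context).__name__)
    auth_type = _AUTH_TYPES.get(type(context))
    if auth_type is None:
        # Bare Credential or an unregistered subclass: fail closed.
        raise ValueError("unsupported credential type: %s"
                         % type(context).__name__)
    params = {f.name: getattr(context, f.name) for f in fields(context)}
    if not all(params.values()):
        raise ValueError("credential has an empty field")
    return auth_type, params
```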

Blueprint information

Status: Complete
Approver: Nathan Reller
Priority: Medium
Drafter: Fernando Diaz
Direction: Needs approval
Assignee: Fernando Diaz
Definition: Approved
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: Fernando Diaz
Completed by: Fernando Diaz

Whiteboard

Spec: https://review.openstack.org/#/c/241068/

Gerrit topic: https://review.openstack.org/#q,topic:270602,n,z

Addressed by: https://review.openstack.org/270602
    Introduce Castellan Credential Objects

Addressed by: https://review.openstack.org/273863
    WIP: Introduce Castellan Credential Factory

Addressed by: https://review.openstack.org/273872
    Allow Barbican Key Manager to accept different auth credentials

Gerrit topic: https://review.openstack.org/#q,topic:bp/remove-keystone-dependency,n,z

Addressed by: https://review.openstack.org/274183
    Add Credential Authentication Usage Documentation
