Adopting castellan

Registered by ChangBo Guo(gcb)

Proposed library mission/motivation: Castellan's goal is to provide a
generic key manager interface that projects can use for their key
manager needs, e.g., storing certificates or generating keys for
encrypting data. The interface passes the commands and Keystone
credentials on to the configured back end. Castellan is not a service
and does not maintain state. The library can grow to have multiple
back ends, as long as the back end can authenticate Keystone
credentials. The only two back end options now in Castellan are
Barbican and a limited mock key manager useful only for unit tests.
If someone wrote a Keystone auth plugin for Vault, we could also have a
Vault back end for Castellan.

The benefit of using Castellan versus using Barbican directly
is that Castellan allows the option of swapping out for other key managers,
mainly for testing. If projects want their own custom back end for
Castellan, they can write a back end that implements the Castellan
interface but lives in their own code base, i.e., ConfKeyManager in
Nova and Cinder. Additionally, Castellan already has oslo.config
options defined which are helpful for configuring the project to talk
to Barbican.

When the Barbican team first created the Castellan library, we had
reached out to oslo to see if we could adopt it, but the
idea was not accepted because the library didn't have enough traction.
Now, Castellan is used in many projects, and we thought we would
suggest renaming again. At the PTG, the Barbican team met with the AWG
to discuss how we could get Barbican integrated with more projects, and
the rename was also suggested at that meeting. Other projects are
interested in creating encryption features.

Existing similar libraries (if any) and why they aren't being used: N/A

Reviewer activity: Barbican and Oslo team

Who is going to use this (project involvement): Cinder, Nova, Sahara,
and Glance already use Castellan; Swift has a patch that integrates
Castellan.

Proposed adoption model/plan: The Castellan library was already created,
produces a functional and useful artifact (a PyPI release), and is
integrated into various OpenStack projects. It is now proposed that
the library be moved into the Oslo group.

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: ChangBo Guo(gcb)
Direction: Needs approval
Assignee: ChangBo Guo(gcb)
Definition: New
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: ChangBo Guo(gcb)
Completed by: ChangBo Guo(gcb)

Whiteboard

Move castellan under Oslo governance https://review.openstack.org/#/c/449137/
Add separate ACL/group for castellan https://review.openstack.org/449138
Make castellan in the release management of Oslo team https://review.openstack.org/#/c/450584/

Update wiki of oslo and castellan to reflect the change: https://wiki.openstack.org/wiki/Oslo#castellan

Work Items

Work items:
Move castellan under Oslo governance: DONE
Add separate ACL/group for castellan: DONE
Make castellan in the release management of Oslo team: DONE
Update wiki of oslo and castellan to reflect the change: DONE
