SysEleven Stack uses the OpenStack component Barbican for secret storage. We introduced Barbican first of all to provide a safe way to store SSL/TLS certificates and private keys for Octavia, the Load Balancer as a Service.
The Barbican secret storage is part of our global region. This means that, similar to Keystone (Identity and Access) and Designate (DNSaaS), there is one API endpoint for all regions, and a secret stored once is available to load balancers in every region.
Barbican feature | Supported |
---|---|
Secret storage and metadata | Yes |
Containers | Yes |
Consumers | Yes |
Access control lists | Yes |
Certificate orders | No |
All secret payloads are transferred encrypted (TLS) and stored encrypted at rest. Secret metadata (name, secret type, algorithm, content type, expiration and similar attributes) is not necessarily stored encrypted, so do not put sensitive information into secret names or metadata.
Containers represent a set of secrets that belong together for a certain purpose, for example a certificate and its private key. Containers can be of type `generic`, `rsa`, or `certificate`; the type determines which secret names may be attached:
Type | Accompanying secret names |
---|---|
`generic` | No restrictions |
`rsa` | `public_key`, `private_key`, and `private_key_passphrase` |
`certificate` | `certificate` and optionally `private_key`, `private_key_passphrase`, and `intermediates` |
Barbican can be used to persist a list of consumers for any given container. A consumer consists of a consumer name, a URL and a reference to the container; it records which resource (for example a load balancer listener) uses the container, so that you can check for users of a container before you delete it.
By default, secrets and containers are readable by all users of the project they belong to (see the identity and access reference guide for more information about users, groups and projects).
Using access control lists (ACLs), you can restrict read access to specific Keystone users and switch project-wide access off for a secret or container.
Currently the ACL settings defined for a container are not propagated to the secrets it references. If you restrict a container, its secrets stay readable for every user of the project unless you set the same ACL on each secret as well.
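The workflow the sections above describe, as an added example that is not part of the SysEleven Stack documentation or of Barbican's own tooling: a POSIX shell script that stores a certificate and its private key as two secrets, wraps them in a `certificate` container and restricts read access to a list of user IDs. Because a container ACL is not propagated to its secrets, the script applies the ACL to the container and to each referenced secret. It assumes a sourced openrc (the `OS_*` variables) and the `openstack` client with the Barbican plugin (`openstack secret ...`, `openstack acl ...`); the secret and container names, file names and user IDs are placeholders.

```shell
#!/bin/sh
# Added example, not part of the SysEleven Stack documentation or of Barbican.
# Stores a certificate and private key as Barbican secrets, wraps them in a
# "certificate" container and restricts read access to a list of Keystone
# user IDs. A container ACL is NOT propagated to its secrets, so the ACL is
# applied to the container AND to every secret it references.
#
# Assumptions: a sourced openrc and the python-barbicanclient plugin for the
# openstack CLI. Names, file names and user IDs are placeholders.

set -eu

# Upload one PEM file as a secret and print its href.
# $1 = secret name, $2 = secret type (certificate|private), $3 = PEM file
store_pem_secret() {
    openstack secret store \
        --name "$1" \
        --secret-type "$2" \
        --payload-content-type "text/plain" \
        --payload "$(cat "$3")" \
        -f value -c "Secret href"
}

# Create a certificate container referencing the two secrets; print its href.
# $1 = container name, $2 = certificate href, $3 = private key href
create_certificate_container() {
    openstack secret container create \
        --name "$1" \
        --type certificate \
        --secret "certificate=$2" \
        --secret "private_key=$3" \
        -f value -c "Container href"
}

# Grant read access to the listed users only and switch project-wide access
# off, for every secret or container href given after the user list.
# $1 = space separated Keystone user IDs, $2.. = hrefs
restrict_read_to_users() {
    users="$1"; shift
    user_args=""
    for u in $users; do
        user_args="$user_args --user $u"
    done
    for ref in "$@"; do
        # $user_args is intentionally unquoted so it expands to several options
        openstack acl user add $user_args --no-project-access \
            --operation-type read "$ref" > /dev/null
    done
}

# Whole procedure; prints the container href to use for the load balancer.
# $1 = base name, $2 = cert.pem, $3 = key.pem, $4 = space separated user IDs
publish_tls_bundle() {
    cert_ref=$(store_pem_secret "$1-cert" certificate "$2")
    key_ref=$(store_pem_secret "$1-key" private "$3")
    container_ref=$(create_certificate_container "$1" "$cert_ref" "$key_ref")
    # Restricting only the container would leave both secrets project-readable.
    restrict_read_to_users "$4" "$container_ref" "$cert_ref" "$key_ref"
    echo "$container_ref"
}

# Usage: sh barbican-tls.sh NAME cert.pem key.pem "USER_ID [USER_ID ...]"
if [ "$#" -ge 4 ]; then
    publish_tls_bundle "$1" "$2" "$3" "$4"
fi
```

After running it, `openstack acl get <href>` on the container and on each secret shows the resulting user list and the project-access flag. Once project access is switched off, every identity that has to read the bundle needs an entry, including the one the load balancer service uses to fetch the container.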