SysEleven Stack uses the OpenStack component
Barbican for secret storage. We introduced the Barbican secret storage first of all to provide a safe way to store SSL certificates and private keys for Octavia Load balancer as a Service.
|Secret storage and metadata||Yes|
|Access control lists||Yes|
All secrets are transferred and stored fully encrypted at all times. Metadata may not be stored fully encrypted.
Containers represent a set of secrets, for a certain purpose.
Containers can be of type
|Type||Accompanied secret names|
Barbican can be used to persist a list of consumers for any given container. The consumer consists of a consumer name, a URL and a reference to the container.
By default, secrets and containers are accessible for all users of a project (See the identity and access reference guide for more information about users, groups and projects).
Using access control lists, you can reduce access to certain users or groups.
Currently the access control list (ACL) settings defined for a container are not propagated down to associated secrets.