[Bug 1543754] Re: [MIR] barbican, python-pykmip

James Page james.page at ubuntu.com
Wed Aug 3 09:01:29 UTC 2016


Hi Seth

Some feedback on your review

1) Barbican without an HSM

We'd come to the same conclusion that you did - Barbican without an HSM
is really not secure, and the built-in crypto or softhsm options are
really POC/dev use only.

From a deployment perspective, we have charms for barbican +
barbican-softhsm, but that's just to allow us to perform CI on the charms
without reliance on an actual HSM.

Any production use *requires* use of an HSM (for which we will write
barbican-<inserthsm> charms).

2) Use Cases

Barbican could be used by tenants of a cloud directly, but I think it's
much more likely that it will be consumed by other OpenStack services
for secrets management - specific examples would include SSL termination
in Neutron LBAAS, encryption of block devices in Cinder, encryption of
data-at-rest in Swift; barbican is used for the key management aspects
of these integrations.

3) Compatibility

Barbican is part of the integrated release with milestones part of
OpenStack, so even if changes do happen, they are happening in the
greater OpenStack context, so inter-service compatibility should be
maintained.  Barbican is relatively new (only approaching its 3rd
release now), so I would expect some changes - but that's been typical
of OpenStack projects.  We also have another 4 releases before we have
to worry about LTS support cycles - we can review again at 18.04 if
we're still good with the decision to have Barbican in main.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to barbican in Ubuntu.
https://bugs.launchpad.net/bugs/1543754

Title:
  [MIR] barbican, python-pykmip

Status in barbican package in Ubuntu:
  New
Status in python-pykmip package in Ubuntu:
  Incomplete

Bug description:
  [barbican]

  [Availability]
  Currently in universe

  [Rationale]
  OpenStack Mitaka requires the barbican package.

  [Security]
  No security history, however a security review is required.

  [Quality Assurance]
  No prompting during install, all unit tests ran successfully. All current bugs are triaged or in progress.

  [Dependencies]
  python-pykmip currently in universe, MIR below.

  [Standards Compliance]
  FHS and Debian Policy compliant.

  [Maintenance]
  Simple python package that the Ubuntu Server Team will take care of.

  [Background]
  Barbican provides a secure REST key store for authentication.

  //----------------------------------------------------------------------//

  [python-pykmip]

  [Availability]
  Currently in universe

  [Rationale]
  OpenStack Mitaka barbican requires this dependency.

  [Security]
  No security history.

  [Quality Assurance]
  No prompting during install, all unit tests ran successfully. All current bugs are triaged or in progress.

  [Dependencies]
  All in main.

  [Standards Compliance]
  FHS and Debian Policy compliant.

  [Maintenance]
  Simple python package that the Ubuntu Server Team will take care of.

  [Background]
  python-pykmip is an implementation of the Key Management Interoperability Protocol.
