Barbican

Add more types to the orders resource

Registered by John Wood

Barbican's orders resource is used to generate secrets on behalf of clients. Currently (as of Icehouse M2) only symmetric key secrets can be generated. This blueprint addresses how the orders resources could be modified to generate other useful secret types, such as asymmetric key-pairs.

This blueprint grew out of discussions from Barbican contributors, including on this etherpad page: https://etherpad.openstack.org/p/create-multi-part-rsa-secrets-with-order

There are three main types of secret information that could be generated by Barbican via the orders resource:
1) symmetric:
    a) Symmetric encryption keys: AES, 3DES, Camillia, RC4
    b) Other types of keys: HMAC, byte stream

2) 'asymmetric':
    a) RSA, DSA, EC
    b) Can include public and private keys, and a passphrase

3) 'certificate':
    a) Can include quite a bit of information, depending on (for example) if a CSR is supplied or has to be generated by Barbican

For each of these types, this gist page (https://gist.github.com/jfwood/9080109) provides JSON schema examples of changes proposed to the orders resource API. Only the 'type' attribute would be required, with the 'meta' attribute containing information needed to generate the specified type.

Blueprint information

Status:
Complete
Approver:
Douglas Mendizábal
Priority:
High
Drafter:
John Wood
Direction:
Approved
Assignee:
Arvind Tiwari
Definition:
Approved
Series goal:
Accepted for juno
Implementation:
Implemented
Milestone target:
milestone icon 2014.2
Started by
Douglas Mendizábal
Completed by
Douglas Mendizábal

Related branches

Sprints

Whiteboard

Q1 - Is the end product is "container" for above 3 type?
Q1.1 If yes then we need to make some change in container model.
A1 [hgedikli] Container should be used only for Asymmetric type. For key we should generate secret.

Q2 - Can we split "key" type to "symmetric" and "API-key" so there will be symmetric, asymmetric, api-key and cert. The region I want this in there because that will help us to define better search on type.

Q3 - Are you OK with phase approach for impl?
phase 1 - Support for all type except "Cert"
phase 2- Support for "Cert"
A3 [hgedikli] Sounds good to me.

Please let me know so that I can start the imple and API docs.

Gerrit topic: https://review.openstack.org/#q,topic:bp/api-orders-add-more-types,n,z

Addressed by: https://review.openstack.org/82189
    Extend crypto plugin to support more key type

Gerrit topic: https://review.openstack.org/#q,topic:bp/phase,n,z

Gerrit topic: https://review.openstack.org/#q,topic:api-orders-add-more-types,n,z

Addressed by: https://review.openstack.org/87405
    Add more type in order post

Addressed by: https://review.openstack.org/88463
    Keystore API change proposal*Not2MergeJust4Review*

Addressed by: https://review.openstack.org/90613
    Add proposed certificate order *Not2MergeJust4Review*

Addressed by: https://review.openstack.org/97844
    Adding 3 new columns Type, Meta and container_id to Orders

Addressed by: https://review.openstack.org/104599
    bug fix 1336995-DateTime type only accepts Python

Addressed by: https://review.openstack.org/111412
    Reorganize code to use store crypto plug-in

Addressed by: https://review.openstack.org/118697
    Add asymmtric order validator

(?)

Work Items

Dependency tree

* Blueprints in grey have been implemented.

Nearby

This blueprint contains Public information 
Everyone can see this information.
Edit subscription

Subscribers

No subscribers.