-
Notifications
You must be signed in to change notification settings - Fork 433
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Discuss: Credential expiry policies #612
Comments
Hey @JohannesRudolph
Typically, the credential rotation policy would be set by a service operator / admin, rather than the service provider, and therefore I'm not sure how we could add this into the service broker side of OSBAPI. Happy to hear ideas on this though! |
hey @mattmcneeney, great to hear that. We were exactly thinking about going the second route. We also feel this is much more a platform side of thing (the platform is the source of truth after all) and it has much better ways to control rotation and e.g. notify users about it etc. I do also agree that re-creating bindings is the best way to go. I think a potential touch-point with OSBAPI would be for brokers to be able to define sort of a desired credential rotation policy in their catalog (usually on a per service level). The marketplace may or may not decide to stick to that. For now, we're thinking about solving this by storing an expiry policy at a per-broker level in our platform. Do you think that "binding expiry" would have a place in the catalog API? It could also be part of an informal metadata convention (like pricing info currently is). |
Thanks for the info! This sounds like something that could go in the Catalog Extensions section of the Are there any service authors out there who have wanted to be able to define recommended credential rotation policies for their service offerings? |
We sometimes encounter use cases where it's demanded that credentials created by service bindings carry an explicit expiry policy. For example, a credential created for a database must be rotated at least every 180 days. A similar issue exists around service keys (though they are Cloud Foundry specific and mostly unnecessary in my experience when
cf ssh
tunnels are available).I see this has not been discussed before within the context of the OSB API spec and want to check in with the community to see if there's a wider demand/recognition of this topic?
There are multiple ways to attack this i.e. the responsibility matrix
[expiry policy configuration, expiry enforcement] * [service broker, platform]
but I think it makes sense to gather a few other interested parties first before discussing this in detail.The text was updated successfully, but these errors were encountered: