[openstack-dev] [keystone] [oslo] postpone key distribution bp until icehouse?

Yee, Guang guang.yee at hp.com
Wed Aug 14 16:09:24 UTC 2013

It's just an extension, shouldn't be treated differently as long as it
follow the rules and regulations.


1.      Bp

2.      Spec (identity-api)

3.      Server-side changes (keystone)

4.      Client-side changes if any (python-keystoneclient)


If OpenStack security community is participating in the code reviews, that
would even be awesomer.






From: Adam Young [mailto:ayoung at redhat.com] 
Sent: Wednesday, August 14, 2013 6:24 AM
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] [keystone] [oslo] postpone key distribution bp
until icehouse?


On 08/13/2013 06:20 PM, Dolph Mathews wrote:

With regard to:


During today's project status meeting [1], the state of KDS was discussed
[2]. To quote ttx directly: "we've been bitten in the past with late
security-sensitive stuff" and "I'm a bit worried to ship late code with such
security implications as a KDS." I share the same concern, especially
considering the API only recently went up for formal review [3], and the WIP
implementation is still failing smokestack [4].

Since KDS is a security tightening in acase where there is no security at
all, adding it in can only improve security.

It is a relatively simple extension from the keystone side.  THe
corresponding change is in the client, and that has already merged.


I'm happy to see the reviews in question continue to receive their fair
share of attention over the next few weeks, but can (and should?) merging be
delayed until icehouse while more security-focused eyes have time to review
the code?


Ceilometer and nova would both be affected by a delay, as both have use
cases for consuming trusted messaging [5] (a dependency of the bp in


Thanks for you feedback!



[2]: http://paste.openstack.org/raw/44075/

[3]: https://review.openstack.org/#/c/40692/

[4]: https://review.openstack.org/#/c/37118/

[5]: https://blueprints.launchpad.net/oslo/+spec/trusted-messaging


OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130814/4bcf96ca/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6186 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130814/4bcf96ca/attachment.bin>

More information about the OpenStack-dev mailing list