[openstack-dev] [keystone] [oslo] postpone key distribution bp until icehouse?
ayoung at redhat.com
Wed Aug 21 16:35:14 UTC 2013
On 08/21/2013 11:44 AM, Jarret Raim wrote:
>> Dolph Mathews wrote:
>>> With regard
>> Dolph: you don't mention Barbican at all, does that mean that the issue
>> is settled and the KDS should live in keystone ?
> Dolph and I talked about having a design session to talk about how
> Barbican and Keystone will work together going forward. In this particular
> case, as I understand it, Simo is right. There isn't much need for
> Barbican to be involved in the PKI key signing (except maybe for key
> storage at some point, but that wouldn't require a lot of changes if we
> did that).
KDS keys are not signed. They are symmetric.
We are writing the KDS code as a stand alone extension, such that if we
change our mind about where it lives, we can migrate it without too much
disruption. However, I am pretty certain that it belongs in Keystone.
This is confirmation of identity for services, and it probably will
interoperate with the service catalog over time. Keystone doesn't have a
concept of a Service Principal the way that Kerberos does, but the KDS
code really introduces that concept, and I think it will be important
for more complex authorization rules in the future.
> Once the sessions are opened for Hong Kong, we'll put in for the design
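To make the "symmetric, not signed" point concrete, here is an added example that is not code from this thread, from Keystone, or from the KDS blueprint: a toy Kerberos-style key distribution written in Python. A KDS shares a long-term symmetric key with each service principal, hands a requesting service a short-lived session key plus a ticket, and the receiving service re-derives the same session key from its own long-term key. No asymmetric signature is involved anywhere; every check is an HMAC. The principal names, the ticket format, the HMAC-based key derivation and the fixed clock are all assumptions made for illustration and do not reproduce the real KDS wire protocol.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed sample: the long-term symmetric keys a KDS would hold, one per
# service principal. The principal names are hypothetical, not real hosts.
LONG_TERM_KEYS = {
    "nova/compute-1": os.urandom(32),
    "neutron/network-1": os.urandom(32),
}


def _canon(info):
    """Canonical encoding of ticket metadata so both sides MAC the same bytes."""
    return json.dumps(info, sort_keys=True).encode()


def derive_session_key(target_key, info):
    """Session key = HMAC(target long-term key, ticket metadata).

    Only the KDS and the target know target_key, so only they can derive it;
    the source receives the derived key from the KDS and never sees target_key.
    (Assumed derivation for this example, not the real KDS scheme.)
    """
    return hmac.new(target_key, b"kds-session|" + _canon(info), hashlib.sha256).digest()


class KDS:
    """Minimal key distribution server: shares a long-term key with every
    service principal and hands out short-lived session keys."""

    def __init__(self, keys, ttl=300):
        self._keys = dict(keys)
        self.ttl = ttl

    def get_ticket(self, source, target, now=None):
        now = time.time() if now is None else now
        if source not in self._keys or target not in self._keys:
            raise KeyError("unknown service principal")
        info = {
            "source": source,
            "target": target,
            "nonce": os.urandom(16).hex(),
            "expires": now + self.ttl,
        }
        # The ticket carries only metadata plus a MAC under the target's key;
        # the target recomputes the session key itself, so nothing is signed
        # with an asymmetric key and no secret travels inside the ticket.
        mac = hmac.new(self._keys[target], _canon(info), hashlib.sha256).hexdigest()
        ticket = {"info": info, "mac": mac}
        return derive_session_key(self._keys[target], info), ticket


def sign_message(session_key, body):
    """Source side: MAC the message body with the session key."""
    return hmac.new(session_key, body, hashlib.sha256).hexdigest()


def verify_message(me, my_key, ticket, body, signature, now=None):
    """Target side: authenticate the ticket, re-derive the session key, check the MAC."""
    now = time.time() if now is None else now
    info = ticket["info"]
    expected = hmac.new(my_key, _canon(info), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["mac"]):
        return False                     # ticket forged, altered, or for another key
    if info["target"] != me or now > info["expires"]:
        return False                     # wrong recipient or expired
    session_key = derive_session_key(my_key, info)
    return hmac.compare_digest(sign_message(session_key, body), signature)


def demo():
    """Run one exchange plus three failure cases; returns the four outcomes."""
    kds = KDS(LONG_TERM_KEYS, ttl=300)
    src, dst = "nova/compute-1", "neutron/network-1"
    t0 = 1_000_000.0                      # fixed clock for reproducibility
    session_key, ticket = kds.get_ticket(src, dst, now=t0)
    body = b'{"method": "port_update", "args": {"port_id": "abc"}}'  # constructed RPC body
    sig = sign_message(session_key, body)
    ok = verify_message(dst, LONG_TERM_KEYS[dst], ticket, body, sig, now=t0 + 10)
    tampered = verify_message(dst, LONG_TERM_KEYS[dst], ticket, body + b" ", sig, now=t0 + 10)
    expired = verify_message(dst, LONG_TERM_KEYS[dst], ticket, body, sig, now=t0 + 301)
    # A service holding a different long-term key cannot validate the ticket at all.
    misrouted = verify_message(src, LONG_TERM_KEYS[src], ticket, body, sig, now=t0 + 10)
    return ok, tampered, expired, misrouted


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The point the exchange illustrates: because the only verifier of a message is a party that already holds the shared secret, there is nothing for a CA or a PKI signing step to do here; what matters is who holds which long-term key, which is exactly the per-service identity (the "service principal") the message above says the KDS code introduces.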