[openstack-dev] Incubation Request for Barbican

Jarret Raim jarret.raim at RACKSPACE.COM
Tue Dec 17 19:35:40 UTC 2013


On 12/13/13, 7:56 AM, "Russell Bryant" <rbryant at redhat.com> wrote:


>1) Are each of the items you mention big enough to have a sustainable
>team that can exist as its own program?

The answer here for Barbican and Keystone is yes.

>2) Would there be a benefit of *changing* the scope and mission of the
>Identity program to accommodate a larger problem space?  "Security"
>sounds too broad ... but I'm sure you see what I'm getting at.

Dolph and I have talked about this a bit. Right now, if we combined them,
it feels like we would have meetings where the first half would be about
Keystone and the second about Barbican. Same for design sessions. The
systems and the concerns they address are entirely separate. Currently the
teams are also entirely separate.

While I think we can encourage both teams to have a close relationship
(Adam Young and I had a conversation about that recently), there is no
benefit to combining the teams now other than to reduce the number of
programs. As the combination doesn't help either project, it seems like
Barbican having its own program is the best option.

>When we're talking about authentication, authorization, identity
>management, key management, key distribution ... these things really
>*do* seem related enough that it would be *really* nice if a group was
>looking at all of them and how they fit into the bigger OpenStack
>picture.  I really don't want to see silos for each of these things.

I don't agree here. Key management and distribution can be used to solve
problems in the identity space. They can also be used to solve problems in
other spaces in openstack. Barbican uses keystone to provide auth / auth
to keys, much like Nova uses keystone to provide auth / auth to servers.
Additionally, Barbican will deal with other parts of the encryption space
(e.g. SSL) that have very little to do with identity.

>So, would OpenStack benefit from a tighter relationship between these
>projects?  I think this may be the case, personally.

I think there would be benefit to individuals working together from the
two projects where it makes sense - especially where we have knowledge
overlaps. I don't agree that including Barbican in the Identity program is
the right way to do that.

>Could this tighter relationship happen between separate programs?  It
>could, but I think a single program better expresses the intent if
>that's really what is best.

Barbican's intent is to simplify key management to enable consuming
systems and users to offer or use encryption in their services. This is a
fundamentally different mission than Keystone has.



Jarret