[openstack-dev] Move keypair management out of Nova and into Keystone?
Jay Pipes
jaypipes at gmail.com
Tue Jul 2 12:46:13 UTC 2013
On 07/02/2013 08:26 AM, Simo Sorce wrote:
> On Mon, 2013-07-01 at 21:03 -0400, Jay Pipes wrote:
>> On 07/01/2013 07:49 PM, Jamie Lennox wrote:
>>> On Mon, 2013-07-01 at 14:09 -0700, Nachi Ueno wrote:
>>>> Hi folks
>>>>
>>>> I'm interested in it too.
>>>> I'm working on VPN support for Neutron.
>>>> Public key authentication is one of feature milestone in the IPsec
>>>> implementation.
>>>> But I believe key-pair management api and the implementation will be
>>>> quite similar in Key for IPsec and Nova.
>>>>
>>>> so I'm +1 for moving key management for Keystone.
>>>>
>>>> Best
>>>> Nachi
>>>
>>> I don't know how nova's keypair management works but i assume we are
>>> talking about keys for ssh-ing into new virtual machines rather than
>>> keys for authentication against nova.
>>>
>>> Keystone's v3 api has credentials storage (see
>>> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md ), is this sufficient on behalf of keystone? There is some support in the current master of keystoneclient for working with these credentials.
>>>
>>> Otherwise would the upcoming barbican be a more appropriate place?
>>>
>>> If i've got this wrong and we are using these keys to actually
>>> authenticate against nova then if someone can point me to the code i'll
>>> see how hard it is to transfer to keystone.
>>
>> Actually, no, I think you have it right (though the correct link is
>> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md)
>>
>> I think the main work, though, has to be in removing/replacing the Nova
>> API /keypairs stuff with calls to Keystone's v3/credentials API.
>>
>> Would the appropriate way to do this be to add an API shim into Nova's
>> API that simply calls out to the Keystone v3/credentials API IFF
>> Keystone's v3 API is enabled in the deployment? Then, deprecate the old
>> code and when Keystone v2 API is sunsetted, then remove the old Nova
>> keypairs API codepaths?
>
> I guess you also need to handle a migration of the data from one store
> to the other ?
> Or are these data migrations left as an exercise to the admins ?
No, you are correct, a migration script should be included as part of
the code.
Best,
-jay
More information about the OpenStack-dev
mailing list