[openstack-dev] Move keypair management out of Nova and into Keystone?
rlane at wikimedia.org
Tue Jul 2 19:15:04 UTC 2013
On Tue, Jul 2, 2013 at 8:12 AM, Bryan D. Payne <bdpayne at acm.org> wrote:
> > I don't understand. Users already have custody of their own keys. The
>> > only thing that Keystone/Nova has is the public key fingerprint , not
>> > the private key...
>> You acatually have the public key, not just the fingerprint, but indeed
>> I do not see why abrbican should be involved here. apublic key does not
>> need the same level of protection of a private key or a symmetric
>> encryption key, so by storing this data in barbican we would only
>> needlessly expose barbican to more access patternsand more
>> logging/auditing volume than is needed.
> I believe you're confusing a couple of points here. In this case, for
> public keys, what matters is integrity. For the other cases that you
> mentioned, both integrity and confidentiality matter. I believe that given
> the high integrity requirements that it *does* make sense to store these in
> a more protected location.
> +1 for using Barbican
This would make Barbican a required service for running Nova. Keystone is
already required and it has the necessary functionality.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev