[openstack-dev] [Keystone][Oslo] Future of Key Distribution Server, Trusted Messaging

Adam Young ayoung at redhat.com
Thu Nov 21 18:49:10 UTC 2013


On 11/21/2013 01:55 AM, Russell Bryant wrote:
> Greetings,
>
> I'd like to check in on the status of this API addition:
>
>      https://review.openstack.org/#/c/40692/
>
> The last comment is:
>
>     "propose against stackforge as discussed at summit?"

Yes, it was discussed in a small group, and not officially.  That
comment is just a placeholder.

Instead of running it in Keystone, it will run in its own service. There
really is nothing in Keystone that is related to KDS, nor the other way
around.  KDS is Undercloud specific functionality (for now) and not
really appropriate to expose via the Service catalog.

The current thinking is that Pecan (and maybe WSME) and the current code
base are the correct way to launch it.
Like all our web services, I suggest the production version run via 
mod_wsgi in Apache HTTPD to allow for TLS and X509 Certificate support.

The service/project will still be under the Keystone program (for now, 
we can discuss where it will live long term).  It should be a relatively 
short ramp up to get it deployed.

I know the Barbican folks are interested as well, and I expect they will 
be contributing to make this happen.

>
> I don't see a session about this and from a quick look, don't see notes
> related to it in other session etherpads.
>
> When was this discussed?  Can you summarize it?
>
> Last I heard, this was just being deferred to be merged early in
> Icehouse [1].
>
> This is blocking one of the most important security features for
> OpenStack, IMO (trusted messaging) [2].  We've been talking about it for
> years.  Someone has finally made some real progress on it and I feel
> like it has been given little to no attention.
>
> I'm not thrilled about the prospect of this going into a new project for
> multiple reasons.
>
>   - Given the priority and how long this has been dragging out, having to
> wait for a new project to make its way into OpenStack is not very appealing.
>
>   - A new project needs to be able to stand on its own legs.  It needs to
> have a reasonably sized development team to make it sustainable.  Is
> this big enough for that?
>
> What's the thinking on this?
>
> [1]
> http://lists.openstack.org/pipermail/openstack-dev/2013-August/013992.html
> [2] https://review.openstack.org/#/c/37913/
>



