[openstack-dev] [nova] key management and Cinder volume encryption

Joe Gordon joe.gordon0 at gmail.com
Wed Sep 4 03:06:37 UTC 2013


On Tue, Sep 3, 2013 at 6:44 PM, John Griffith
<john.griffith at solidfire.com>wrote:

>
> On Tue, Sep 3, 2013 at 7:27 PM, Bryan D. Payne <bdpayne at acm.org> wrote:
>
>>
>>>>> How can someone use your code without a key manager?
>>>>
>>>> Some key management mechanism is required although it could be
>>>> simplistic. For example, we’ve tested our code internally with an
>>>> implementation of the key manager interface that returns a single, constant
>>>> key.
>>>>
>>> That works for testing but doesn't address: "the current dearth of key
>>> management within OpenStack does not preclude the use of our existing work
>>> within a production environment"
>>>
>>
>> My understanding here is that users are free to use any key management
>> mechanism that they see fit.  This can be a simple "return a static key"
>> option.  Or it could be using something more feature rich like Barbican.
>>  Or it could be something completely home grown that is suited to a
>> particular OpenStack deployment.
>>
>> I don't understand why we are getting hung up on having a key manager as
>> part of OpenStack in order to accept this work.  Clearly there are other
>> pieces of OpenStack that have external dependencies (message queues, to
>> name one).
>>
>>
As Russell so eloquently said, "I generally want *everything* we merge to
be usable with the code in the tree." That doesn't mean something cannot
have external dependencies; it just needs to be usable with the
external dependencies, and no additional integration work should be required.
>> I, for one, am looking forward to using this feature and would be very
>> disappointed to see it pushed back for yet another release.
>>
>>> Is a feature complete if no one can use it?
>>>
>>> I am happy with a less than secure but fully functional key manager.
>>> But with no key manager that can be used in a real deployment, what is the
>>> value of including this code?
>>>
>>
>> Of course people can use it.  They just need to integrate with some
>> solution of the deployment's choosing that provides key management
>> capabilities.  And, of course, if you choose to not use the volume
>> encryption then you don't need to worry about it at all.
>>
>> I've watched this feature go through many, many iterations throughout
>> both the Grizzly and Havana release cycles.  The authors have been working
>> hard to address everyone's concerns.  In fact, they have navigated quite a
>> gauntlet to get this far.  And what they have now is an excellent, working
>> solution.  Let's accept this nice security enhancement and move forward.
>>
>>
>> Cheers,
>> -bryan
>>
>>
> Do you have any docs or guides describing a reference implementation that
> would be able to use this in the manner you describe?
>

++
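The two kinds of key manager the thread contrasts, the test-only implementation that hands back a single constant key and a pluggable per-volume backend standing in for Barbican or a home-grown service, as an added Python sketch (not nova's or Cinder's code; the interface methods, the in-memory store and the self-check are assumptions for illustration):

```python
import abc
import os


class KeyManager(abc.ABC):
    """Interface the volume-encryption code programs against (assumed shape)."""

    @abc.abstractmethod
    def create_key(self, ctxt, length=256):
        """Generate a key for one volume and return its identifier."""

    @abc.abstractmethod
    def get_key(self, ctxt, key_id):
        """Return the raw key bytes for key_id."""


class ConstantKeyManager(KeyManager):
    """Test-only: every volume gets the same key. Fine for exercising the
    encryption path in CI; in production one leaked key unlocks every volume."""

    _KEY = b"\x00" * 32  # constructed placeholder key, never use outside tests

    def create_key(self, ctxt, length=256):
        return "constant"

    def get_key(self, ctxt, key_id):
        return self._KEY


class InMemoryKeyManager(KeyManager):
    """Per-volume random keys held in a dict; a stand-in for a real backend
    (Barbican or a deployment-specific service) behind the same interface."""

    def __init__(self):
        self._store = {}

    def create_key(self, ctxt, length=256):
        key_id = os.urandom(16).hex()
        self._store[key_id] = os.urandom(length // 8)
        return key_id

    def get_key(self, ctxt, key_id):
        return self._store[key_id]


def shares_keys_across_volumes(mgr, ctxt=None, volumes=3):
    """Deployment self-check: create one key per volume and report whether
    any two volumes received identical key material."""
    keys = [mgr.get_key(ctxt, mgr.create_key(ctxt)) for _ in range(volumes)]
    return len(set(keys)) < len(keys)
```

Running the self-check against whichever backend a deployment wires in is a cheap way to catch the "static key" configuration before it reaches production.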

