[openstack-dev] [Barbican] Barebones CA

John Wood john.wood at RACKSPACE.COM
Sat Jun 28 07:03:16 UTC 2014


Hello folks,

Just trying to clarify things... are we talking about a dev plugin to generate asymmetric keys, or else one to mimic working with a CA to create SSL certificates via workflow (so including firing off certificate-generated events, for example)?

If we are talking about the former, then you would be interested in a plugin that implements a method such as this one: https://github.com/openstack/barbican/blob/master/barbican/plugin/interface/secret_store.py#L167

If you are talking about the latter, then that would be a different type of plugin that handles CA workflows, as proposed in this blueprint: https://review.openstack.org/#/c/99221/

Thanks,
John

________________________________________
From: Nathan Kinder [nkinder at redhat.com]
Sent: Wednesday, June 25, 2014 9:43 PM
To: OpenStack Development Mailing List (not for usage questions); alee at redhat.com
Subject: Re: [openstack-dev] [Barbican] Barebones CA

On 06/25/2014 02:42 PM, Clark, Robert Graham wrote:
>
> Ok, I’ll hack together a dev plugin over the next week or so, other work
> notwithstanding. Where possible I’ll probably borrow from the dog tag
> plugin as I’ve not looked closely at the plugin infrastructure in Barbican
> recently.

My understanding is that Barbican's plugin interface is currently in the
midst of a redesign, so be careful not to copy something that will be
changing shortly.

-NGK

>
> Is this something you’d like a blueprint for first?
>
> -Rob
>
>
>
>
> On 25/06/2014 18:30, "Ade Lee" <alee at redhat.com> wrote:
>
>> I think the plan is to create a Dogtag instance so that integration
>> tests can be run whenever code is checked in (both with and without a
>> Dogtag backend).
>>
>> Dogtag isn't that difficult to deploy, but being a Java app, it does
>> bring in a set of dependencies that developers may not want to deal with
>> for basic/devstack testing.
>>
>> So, I agree that a simple OpenSSL CA may be useful at least initially as
>> a 'dev' plugin.
>>
>> Ade
>>
>> On Wed, 2014-06-25 at 16:31 +0000, Jarret Raim wrote:
>>> Rob,
>>>
>>> RedHat is working on a backend for Dogtag, which should be capable of
>>> doing something like that. That's still a bit hard to deploy, so it
>>> would make sense to extend the 'dev' plugin to include those features.
>>>
>>>
>>> Jarret
>>>
>>>
>>> On 6/24/14, 4:04 PM, "Clark, Robert Graham" <robert.clark at hp.com> wrote:
>>>
>>>> Yeah pretty much.
>>>>
>>>> That's something I'd be interested to work on, if work isn't ongoing
>>>> already.
>>>>
>>>> -Rob
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 24/06/2014 18:57, "John Wood" <john.wood at RACKSPACE.COM> wrote:
>>>>
>>>>> Hello Robert,
>>>>>
>>>>> I would actually hope we have a self-contained certificate plugin
>>>>> implementation that runs 'out of the box' to enable certificate
>>>>> generation orders to be evaluated and demo-ed on local boxes.
>>>>>
>>>>> Is this what you were thinking though?
>>>>>
>>>>> Thanks,
>>>>> John
>>>>>
>>>>>
>>>>>
>>>>> ________________________________________
>>>>> From: Clark, Robert Graham [robert.clark at hp.com]
>>>>> Sent: Tuesday, June 24, 2014 10:36 AM
>>>>> To: OpenStack List
>>>>> Subject: [openstack-dev] [Barbican] Barebones CA
>>>>>
>>>>> Hi all,
>>>>>
>>>>> I'm sure this has been discussed somewhere and I've just missed it.
>>>>>
>>>>> Is there any value in creating a basic 'CA' and plugin to satisfy
>>>>> tests/integration in Barbican? I'm thinking something that probably
>>>>> performs OpenSSL certificate operations itself, ugly but perhaps useful
>>>>> for some things?
>>>>>
>>>>> -Rob
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev