[openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

Lance Bragstad lbragstad at gmail.com
Wed Aug 5 13:05:31 UTC 2015


On Wed, Aug 5, 2015 at 2:38 AM, Adam Heczko <aheczko at mirantis.com> wrote:

> Hi, I believe that Barbican keystore for signing keys was discussed
> earlier.
> I'm not sure if that's best idea since Barbican relies on Keystone
> authN/authZ.
>

Correct. Once we find a solution for that problem it would be interesting
to work towards a solution for storing keys in Barbican. I've talked to
several people about this already and it seems to be the natural
progression. Once we can do that, I think we can revisit the tooling for
rotation.


> That's why this mechanism should be considered rather as "out of band" to
> the Keystone/OS API and is rather a devops task.
>
> regards,
>
> Adam
>
>
>
>
> On Wed, Aug 5, 2015 at 8:11 AM, joehuang <joehuang at huawei.com> wrote:
>
>> Hi, Lance,
>>
>>
>>
>> May we store the keys in Barbican? Can the key rotation be done upon
>> Barbican? And if we use Barbican as the repository, then it's easier for key
>> distribution and rotation in a multiple-Keystone deployment scenario; the
>> database replication (sync. or async.) capability could be leveraged.
>>
>>
>>
>> Best Regards
>>
>> Chaoyi Huang ( Joe Huang )
>>
>>
>>
>> *From:* Lance Bragstad [mailto:lbragstad at gmail.com]
>> *Sent:* Tuesday, August 04, 2015 10:56 PM
>> *To:* OpenStack Development Mailing List (not for usage questions)
>> *Subject:* Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for
>> Fernet keys
>>
>>
>>
>>
>>
>> On Tue, Aug 4, 2015 at 9:28 AM, Boris Bobrov <bbobrov at mirantis.com>
>> wrote:
>>
>> On Tuesday 04 August 2015 08:06:21 Lance Bragstad wrote:
>> > On Tue, Aug 4, 2015 at 1:37 AM, Boris Bobrov <bbobrov at mirantis.com>
>> > wrote:
>> > > On Monday 03 August 2015 21:05:00 David Stanek wrote:
>> > > > On Sat, Aug 1, 2015 at 8:03 PM, Boris Bobrov <bbobrov at mirantis.com>
>> > > > wrote:
>> > > > > Also, come on, does http://paste.openstack.org/show/406674/ look
>> > > > > overly complex? (it should be launched from Fuel master node).
>> > > >
>> > > > I'm reading this on a small phone, so I may have it wrong, but the
>> > > > script appears to be broken.
>> > > >
>> > > > It will ssh to node-1 and rotate. In the simplest case this takes key
>> > > > 0 and moves it to the next highest key number. Then a new key 0 is
>> > > > generated.
>> > > >
>> > > > Later there is a loop that will again ssh into node-1 and run the
>> > > > rotation script. If there is a limit set on the number of keys and you
>> > > > are at that limit a key will be deleted. This extra rotation on node-1
>> > > > means that it's possible that it has a different set of keys than are
>> > > > on node-2 and node-3.
>> > >
>> > > You are absolutely right. Node-1 should be excluded from the loop.
>> > >
>> > > ping also lacks "-c 1".
>> > >
>> > > I am sure that other issues can be found.
>> > >
>> > > In my defence, I want to say that I never ran the script and wrote it
>> > > just to show how simple it should be. Thanks for the review though!
>> > >
>> > > I also hope that no one is going to use a script from a mailing list.
>> > >
>> > > > What's the issue with just a simple rsync of the directory?
>> > >
>> > > None I think. I just want to reuse the interface provided by
>> > > keystone-manage.
>> >
>> > You wanted to use the interface from keystone-manage to handle the
>> > actual promotion of the staged key, right? This is why there were two
>> > fernet_rotate commands issued?
>>
>> Right. Here is the fixed version (please don't use it anyway):
>> http://paste.openstack.org/show/406862/
>>
>>
>>
>> Note, this doesn't take into account the initial key repository creation,
>> does it?
>>
>>
>>
>> Here is a similar version that relies on rsync for the distribution after
>> the initial key rotation [0].
>>
>>
>>
>> [0] http://cdn.pasteraw.com/d6odnvtt1u9zsw5mg4xetzgufy1mjua
>>
>>
>>
>>
>>
>> --
>> Best regards,
>> Boris Bobrov
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>>
>>
>>
>
>
> --
> Adam Heczko
> Security Engineer @ Mirantis Inc.
>
>
>
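David's observation about the extra rotation on node-1, as an added illustration that is neither Keystone's code nor either of the scripts linked in the thread: a simplified model of a Fernet key repository in which rotation promotes the staged key 0 to the next highest number, generates a new key 0, and deletes the oldest key once the limit is exceeded. The initial two-key layout and the pruning order are assumptions; the model shows that one additional rotation on node-1 after the repositories have been synced leaves node-2 and node-3 with a different key set.

```python
"""Simplified model of Fernet key rotation across three Keystone nodes."""
import hashlib
import secrets


def _new_key() -> bytes:
    # Constructed stand-in for a Fernet key (real ones are urlsafe-base64 text).
    return secrets.token_bytes(32)


def rotate(repo: dict, max_active_keys: int) -> None:
    """Rotation as described in the thread: the staged key 0 becomes the new
    primary under the next highest number, a fresh staged key 0 is generated,
    and once more than max_active_keys keys exist the oldest secondary key is
    deleted (assumption: the lowest non-zero index is the oldest)."""
    repo[max(repo) + 1] = repo.pop(0)
    repo[0] = _new_key()
    while len(repo) > max_active_keys:
        del repo[min(k for k in repo if k != 0)]


def fingerprints(repo: dict) -> dict:
    """Key index -> short digest, so repositories can be compared across nodes
    without copying key material around."""
    return {i: hashlib.sha256(k).hexdigest()[:12] for i, k in repo.items()}


def out_of_sync(nodes: dict) -> list:
    """Names of nodes whose key material differs from node-1's. Any name in the
    result is a node that will reject tokens issued with a key it lacks."""
    reference = set(nodes["node-1"].values())
    return [name for name, repo in nodes.items()
            if set(repo.values()) != reference]


def simulate(extra_rotation_on_node1: bool, max_active_keys: int = 3) -> dict:
    """Rotate once on node-1 and copy the repository to the other nodes (the
    rsync step), then optionally run the extra rotation on node-1 that the
    loop in the script would perform. Initial two-key layout is an assumption."""
    repo = {0: _new_key(), 1: _new_key()}
    rotate(repo, max_active_keys)
    nodes = {n: dict(repo) for n in ("node-1", "node-2", "node-3")}
    if extra_rotation_on_node1:
        rotate(nodes["node-1"], max_active_keys)
    return nodes


if __name__ == "__main__":
    cluster = simulate(extra_rotation_on_node1=True)
    for name, repo in cluster.items():
        print(name, fingerprints(repo))
    print("out of sync:", out_of_sync(cluster))
```

Comparing fingerprints rather than key files is the check to run after any distribution step: an empty `out_of_sync` result means every node can validate every other node's tokens.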