[openstack-dev] [neutron][lbaas] Is SSL offload config possible using non "admin" tenant?

Adam Harwell adam.harwell at RACKSPACE.COM
Mon Sep 14 21:29:39 UTC 2015 

You need to set up ACLs on the Barbican side for that container, to make it readable to the Neutron-LBaaS tenant. For now, the tenant-id should just be documented, but we are looking into making an API call that would expose the admin tenant-id to the user so they can make an API call to discover it.

Once the user has the neutron-lbaas tenant ID, they use the Barbican ACL system to add that ID as a readable user of the container and all of the secrets. Then Neutron-LBaaS hits barbican with the credentials of the admin tenant, and is granted access to the user’s container.

--Adam

https://keybase.io/rm_you


From: Vijay Venkatachalam <Vijay.Venkatachalam at citrix.com<mailto:Vijay.Venkatachalam at citrix.com>>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Date: Friday, September 11, 2015 at 2:35 PM
To: "OpenStack Development Mailing List (openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Subject: [openstack-dev] [neutron][lbaas] Is SSL offload config possible using non "admin" tenant?

Hi,
              Has anyone tried configuring SSL Offload as a tenant?
              During listener creation there is an error thrown saying ‘could not locate/find container’.
              The lbaas plugin is not able to fetch the tenant’s certificate.

              From the code it looks like the lbaas plugin is tyring to connect to barbican with keystone details provided in neutron.conf
              Which is by default username = “admin” and tenant_name =”admin”.
              This means lbaas plugin is looking for tenant’s ceritifcate in “admin” tenant, which it will never be able to find.

              What is the procedure for the lbaas plugin to get hold of the tenant’s certificate?

              Assuming “admin” user has access to all tenant’s certificates. Should the lbaas plugin connect to barbican with username=’admin’ and tenant_name =  listener’s tenant_name?

Is this, the way forward ? *OR* Am I missing something?


Thanks,
Vijay V.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150914/98cca70b/attachment.html>

More information about the OpenStack-dev mailing list