[openstack-dev] [neutron][lbaas] Barbican container lookup from lbaas

Varun Lodaya Varun_Lodaya at symantec.com
Mon Sep 21 16:41:10 UTC 2015


Hey Douglas,

Thanks for the reply. Will look into barbican ACLs and test it out. Also,
had 1 more follow up question…
1) Currently the HAProxy LBaaS instance sits on the controller. The
certificate download happens on the controller too.
2) Once we move to service-vm model, where service-vms could reside on
compute hypervisors, where will the cert download happen? Still on
controller in the flow?

Thanks,
Varun

On 9/18/15, 10:53 PM, "Douglas Mendizábal"
<douglas.mendizabal at rackspace.com> wrote:

>Hi Varun,
>
>I believe the expected workflow for this use case is:
>
>1. User uploads cert + key to Barbican
>2. User grants lbaas access to the barbican certificate container
>using the ACL API [1]
>3. User requests tls container by providing Barbican container reference
>
>Since the user grants the lbaas user access in step 2, the token
>generated using the conf file credentials will be accepted by Barbican
>and the certificate will be made available to lbaas.
>
>- Douglas Mendizábal
>
>[1] http://docs.openstack.org/developer/barbican/api/quickstart/acls.html
>
>On 9/19/15 12:13 AM, Varun Lodaya wrote:
>> Hi Guys,
>> 
>> With lbaasv2, I noticed that when we try to associate tls
>> containers with lbaas listeners, lbaas tries to validate the
>> container and while doing so, tries to get keystone token based on
>> tenant/user credentials in neutron.conf file. However, the barbican
>> containers could belong to different users in different tenants, in
>> that case, container look up would always fail? Am I missing
>> something?
>> 
>> Thanks, Varun
>> 
>> 
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
>

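The ACL workflow from the quoted reply, sketched as an added example that is not part of the original thread and is not Barbican or neutron-lbaas code. It builds the ACL update requests the container owner would send and uses a simplified model of the read check to show why the lookup fails before the grant and succeeds after it. The endpoint, UUIDs, tenant names and the lbaas service user ID are constructed placeholders, and the example assumes that the container and each secret it references need their own ACL entry.

```python
# Added example: simplified model, not Barbican or neutron-lbaas code.
import json
from dataclasses import dataclass, field


@dataclass
class Resource:
    """A Barbican secret or container, reduced to what the ACL check needs."""
    ref: str
    project_id: str
    read_users: set = field(default_factory=set)   # ACL "read" users
    project_access: bool = True                     # ACL "project-access"


def can_read(res, user_id, user_project_id):
    """Simplified read decision: same-project access, or an explicit ACL entry."""
    if res.project_access and user_project_id == res.project_id:
        return True
    return user_id in res.read_users


def acl_grant_requests(container, secrets, service_user_id):
    """Build (method, url, body) for each ACL update the owner has to send.

    Assumption: the container and every secret it references carry separate ACLs.
    """
    requests = []
    for res in [container, *secrets]:
        users = sorted(res.read_users | {service_user_id})
        body = {"read": {"users": users, "project-access": res.project_access}}
        requests.append(("PUT", res.ref + "/acl", json.dumps(body)))
    return requests


def apply_grant(resources, service_user_id):
    """Mirror the effect of the requests above on the local model."""
    for res in resources:
        res.read_users.add(service_user_id)


# Constructed sample data: placeholder endpoint and IDs.
BASE = "http://barbican.example/v1"
container = Resource(BASE + "/containers/CONTAINER-UUID", "tenant-a")
secrets = [Resource(BASE + "/secrets/CERT-UUID", "tenant-a"),
           Resource(BASE + "/secrets/KEY-UUID", "tenant-a")]
LBAAS_USER, LBAAS_PROJECT = "lbaas-service-user-id", "service"
```

Granting only the one service user read access, rather than sharing the key across tenants, keeps the private key readable by the owner's project plus a single named identity.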