[openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates
dolph.mathews at gmail.com
Tue Apr 12 22:39:43 UTC 2016
On Tue, Apr 12, 2016 at 3:27 PM, Lance Bragstad <lbragstad at gmail.com> wrote:
> Keystone's credential API pre-dates barbican. We started talking about
> having the credential API back to barbican after it was a thing. I'm not
> sure if any work has been done to move the credential API in this
> direction. From a security perspective, I think it would make sense for
> keystone to back to barbican.
And regarding the "inappropriate use of keystone," I'd agree... without
this spec, keystone is entirely useless as any sort of alternative to
I suspect Barbican will forever be a much more mature choice for Magnum.
> On Tue, Apr 12, 2016 at 2:43 PM, Hongbin Lu <hongbin.lu at huawei.com> wrote:
>> Hi all,
>> In short, some Magnum team members proposed to store TLS certificates in
>> Keystone credential store. As Magnum PTL, I want to get agreements (or
>> non-disagreement) from OpenStack community in general, Keystone community
>> in particular, before approving the direction.
>> In detail, Magnum leverages TLS to secure the API endpoint of
>> kubernetes/docker swarm. The usage of TLS requires a secure store for
>> storing TLS certificates. Currently, we leverage Barbican for this purpose,
>> but we constantly received requests to decouple Magnum from Barbican
>> (because users normally don’t have Barbican installed in their clouds).
>> Some Magnum team members proposed to leverage Keystone credential store as
>> a Barbican alternative. Therefore, I want to confirm what the Keystone
>> team's position is for this proposal (I remembered someone from Keystone
>> mentioned this is an inappropriate use of Keystone. Would I ask for further
>> clarification?). Thanks in advance.
>> Best regards,
>> OpenStack Development Mailing List (not for usage questions)
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe