[openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

Ian Cordasco sigmavirus24 at gmail.com
Wed Apr 13 15:19:35 UTC 2016


-----Original Message-----
From: Clayton O'Neill <clayton at oneill.net>
Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Date: April 13, 2016 at 09:39:38
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Subject:  Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

> On Wed, Apr 13, 2016 at 10:26 AM, rezroo wrote:
> > Hi Kevin,
> >
> > I understand that this is how it is now. My question is how bad would it be
> > to wrap the Barbican client library calls in another class and claim, for
> > all practical purposes, that Magnum has no direct dependency on Barbican?
> > What is the negative of doing that?
> >
> > Anyone who wants to use another mechanism should be able to do that with a
> > simple change to the Magnum conf file. Nothing more complicated. That's the
> > essence of my question.
> For us, the main reason we’d want to be able to deploy without
> Barbican is mostly to lower the initial barrier of entry. We’re not
> running anything else that would require Barbican for a multi-node
> deployment, so for us to do a realistic evaluation of Magnum, we’d
> have to get two “new to us” services up and running in a development
> environment. Since we’re not running Barbican or Magnum, that’s a big
> time commitment for something we don’t really know if we’d end up
> using. From that perspective, something that’s less secure might be
> just fine in the short term. For example, I’d be completely fine with
> storing certificates in the Magnum database as part of an evaluation,
> knowing I had to switch from that before going to production.

In that case, why not instead, use an NFS mount to store the certificates in that all magnum conductors have (the same way someone evaluating Glance without wanting Swift, Ceph, or something else that would be more robust) might use NFS + the default filesystem store? That doesn't require adding yet more code to store something in the database or in Keystone.

Further, the other contention here is that people want to run Magnum on old deployments of OpenStack which most likely wouldn't even have Keystone v3 deployed. So I'm still failing to see how this solution solves anything at all.

Ian Cordasco

More information about the OpenStack-dev mailing list