[openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

Adam Young ayoung at redhat.com
Wed Apr 13 16:01:33 UTC 2016

On 04/12/2016 03:43 PM, Hongbin Lu wrote:
> Hi all,
> In short, some Magnum team members proposed to store TLS certificates 
> in Keystone credential store. As Magnum PTL, I want to get agreements 
> (or non-disagreement) from OpenStack community in general, Keystone 
> community in particular, before approving the direction.
> In detail, Magnum leverages TLS to secure the API endpoint of 
> kubernetes/docker swarm. The usage of TLS requires a secure store for 
> storing TLS certificates.
No it does not.

Nothing required "secure storing of certificates."

What is required is "secure storing of private keys."  Period. Nothing 
else needs to be securely stored.

Next step is the "signing" of X509 certificates, and this requires a 
CA.  Barbican is the OpenStack abstraction for a CA, but still requires 
a "real" implementation to back to.  Dogtag is available for this role.

Now, what Keystone can and should do is provide a way to map an X509 
Certificate to a user.  This is actually much better done using the 
Federation approach than the Credentials store.

Credentials kinda suck.  They should die in a fire.  They can't, but 
they should. Different rant though.

So, to nail it down specifically:  Keystone's  sole role here is to map  
the Subject from an X509 certificate to a user_id.  If you try to do 
anything more than that with Keystone, you are in a state of sin.

So, if what you want to do is to store an X509 Certificate in the 
Keystone Credentials API, go for it, but I don't know what it would buy 
you, as only the "owner" of that cert would then be able to retrieve it.

If, on the other hand, what you want to do is to decouple the 
request/approval of X509 from Barbican, I would suggest you use 
Certmonger.  It is an Operating system level tool for exactly this 
purpose.  And then we should make sure that Barbican can act as a CA for 
Certmonger (I know that Dogtag can already).

There is nothing Magnum specific about this.  We need to solve the Cert 
story for OpenStack in general.  We need TLS for The Message Broker and 
the Database connections as well as any HTTPS servers we have.

> Currently, we leverage Barbican for this purpose, but we constantly 
> received requests to decouple Magnum from Barbican (because users 
> normally don’t have Barbican installed in their clouds). Some Magnum 
> team members proposed to leverage Keystone credential store as a 
> Barbican alternative [1]. Therefore, I want to confirm what the 
> Keystone team's position is on this proposal (I remember someone from 
> Keystone mentioned this is an inappropriate use of Keystone. May I 
> ask for further clarification?). Thanks in advance.
> [1] 
> https://blueprints.launchpad.net/magnum/+spec/barbican-alternative-store
> Best regards,
> Hongbin

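The one job Adam assigns to Keystone above is to map the Subject of a verified X509 certificate to a user_id, preferably through the Federation mapping machinery rather than the Credentials store. The following is an added example, not code from this thread, from Keystone, or from Magnum: a small stand-alone model of that mapping step. It assumes the attribute names a TLS terminator such as Apache mod_ssl exports (SSL_CLIENT_S_DN_CN, SSL_CLIENT_S_DN_O, SSL_CLIENT_I_DN, SSL_CLIENT_VERIFY), a constructed mapping rule written in the general shape of a Keystone federation rule (positional remote attributes, `{n}` references, `any_one_of` allow-lists), and a constructed user table. Note that nothing here touches a private key or a secret store: the inputs are the public Subject and Issuer fields, which is the point of the message.

```python
# Added example (not from the thread, Keystone or Magnum): a minimal model of
# mapping a verified X.509 client certificate's Subject to a local user_id.
import re

# Constructed: what a front-end such as mod_ssl would export after verifying
# the client certificate. Only public fields appear here; the private key is
# never part of this step at all.
VERIFIED_CLIENT_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "bay-admin",
    "SSL_CLIENT_S_DN_O": "magnum",
    "SSL_CLIENT_I_DN": "/C=US/O=Example/CN=Example Cluster CA",
}

# Constructed mapping rule in the general shape of a Keystone federation
# mapping (assumed, simplified): remote attributes are matched positionally,
# "{n}" in the local section refers to the n-th remote attribute, and
# any_one_of pins an attribute (here the issuer) to an allow-list.
MAPPING_RULE = {
    "remote": [
        {"type": "SSL_CLIENT_S_DN_CN"},
        {"type": "SSL_CLIENT_S_DN_O"},
        {"type": "SSL_CLIENT_I_DN",
         "any_one_of": ["/C=US/O=Example/CN=Example Cluster CA"]},
    ],
    "local": {"user": {"name": "{0}", "domain": "{1}"}},
}

# Constructed identity backend: (user name, domain) -> user_id (placeholder id).
LOCAL_USERS = {("bay-admin", "magnum"): "user-id-placeholder-0001"}


def map_subject_to_user_id(env, rule, users):
    """Return the user_id for a verified client certificate, or None.

    None means "no mapping"; the caller treats that as unauthenticated
    rather than falling back to anything weaker.
    """
    # Never map a certificate the TLS layer did not actually verify.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None

    values = []
    for remote in rule["remote"]:
        value = env.get(remote["type"])
        if value is None:
            return None  # a required attribute is absent: no mapping
        # Pin the issuer (or any other attribute) to an allow-list so that a
        # certificate from an unrelated CA carrying the same CN does not map
        # to the same user.
        allowed = remote.get("any_one_of")
        if allowed is not None and value not in allowed:
            return None
        values.append(value)

    def substitute(template):
        # Replace "{n}" with the n-th matched remote attribute.
        return re.sub(r"\{(\d+)\}", lambda m: values[int(m.group(1))], template)

    local_user = rule["local"]["user"]
    key = (substitute(local_user["name"]), substitute(local_user["domain"]))
    # Look up an existing local user only; the mapping step never creates one.
    return users.get(key)


if __name__ == "__main__":
    print(map_subject_to_user_id(VERIFIED_CLIENT_ENV, MAPPING_RULE, LOCAL_USERS))
```

The issuer allow-list is the part worth keeping in mind when wiring this up for real: a Subject CN alone identifies nothing until the verifier has also established which CA vouched for it, which is why the CA story (Barbican, Dogtag, Certmonger) and the mapping story are separate concerns in the message above.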