<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 04/12/2016 03:43 PM, Hongbin Lu
wrote:<br>
</div>
<blockquote
cite="mid:0957CD8F4B55C0418161614FEC580D6B01C4F4B4@YYZEML702-CHM.china.huawei.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">In short, some
Magnum team members proposed to store TLS certificates in
Keystone credential store. As Magnum PTL, I want to get
agreements (or non-disagreement) from OpenStack community in
general, Keystone community in particular, before approving
the direction.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">In details,
Magnum leverages TLS to secure the API endpoint of
kubernetes/docker swarm. The usage of TLS requires a secure
store for storing TLS certificates. </span></p>
</div>
</blockquote>
No it does not.<br>
<br>
Nothing required "secure storing of certificates."<br>
<br>
What is required is "secure storing of private keys." Period.
Nothing else needs to be securely stored.<br>
<br>
Next step is the "signing" of X509 certificates, and this requires a
CA. Barbican is the OpenStack abstraction for a CA, but still
requires a "real" implementation to back it. Dogtag is available
for this role.<br>
<br>
<br>
Now, what Keystone can and should do is provide a way to map an X509
Certificate to a user. This is actually much better done using the
Federation approach than the Credentials store.<br>
<br>
Credentials kinda suck. They should die in a fire. They can't, but
they should. Different rant though.<br>
<br>
So, to nail it down specifically: Keystone's sole role here is to
map the Subject from an X509 certificate to a user_id. If you try
to do anything more than that with Keystone, you are in a state of
sin.<br>
<br>
So, if what you want to do is to store an X509 Certificate in the
Keystone Credentials API, go for it, but I don't know what it would
buy you, as only the "owner" of that cert would then be able to
retrieve it.<br>
<br>
<br>
If, on the other hand, what you want to do is to decouple the
request/approval of X509 from Barbican, I would suggest you use
Certmonger. It is an operating-system-level tool for exactly this
purpose. And then we should make sure that Barbican can act as a CA
for Certmonger (I know that Dogtag can already).<br>
<br>
<br>
There is nothing Magnum specific about this. We need to solve the
Cert story for OpenStack in general. We need TLS for The Message
Broker and the Database connections as well as any HTTPS servers we
have.<br>
<br>
<br>
<br>
<br>
<blockquote
cite="mid:0957CD8F4B55C0418161614FEC580D6B01C4F4B4@YYZEML702-CHM.china.huawei.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Currently, we
leverage Barbican for this purpose, but we constantly
received requests to decouple Magnum from Barbican (because
users normally don’t have Barbican installed in their
clouds). Some Magnum team members proposed to leverage
Keystone credential store as a Barbican alternative [1].
Therefore, I want to confirm what the Keystone team's position
is on this proposal (I remember someone from Keystone
mentioned this is an inappropriate use of Keystone. May I
ask for further clarification?). Thanks in advance.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">[1] <a
class="moz-txt-link-freetext"
href="https://blueprints.launchpad.net/magnum/+spec/barbican-alternative-store">https://blueprints.launchpad.net/magnum/+spec/barbican-alternative-store</a>
<o:p>
</o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Hongbin<o:p></o:p></span></p>
</div>
<br>
<br>
<pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
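<p>The Subject-to-user_id mapping that the reply calls Keystone's sole job, as an added example (Python, standard library only) that is not code from this thread or from Keystone: it takes the Subject and Issuer DN strings a TLS terminator hands over after it has verified the chain (mod_ssl exposes them as SSL_CLIENT_S_DN and SSL_CLIENT_I_DN) and resolves them to a local user_id. The rule format is a simplified, hypothetical stand-in for Keystone's federation mapping rules; the CA name, users and rules are constructed test data.</p>

```python
# Added example, not code from the thread or from Keystone: map a chain-verified
# client certificate's Subject DN to a user_id, and nothing more.
# CA name, users and rules are constructed; the rule format is a simplified,
# hypothetical stand-in for Keystone's federation mapping rules.

def parse_dn(dn):
    """Split an RFC 4514 DN string into {ATTR: [values]}, honouring '\\' escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped ',', '=', '\\', ...
            cur.append(dn[i + 1]); i += 2; continue
        if ch == ",":
            rdns.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    attrs = {}
    for rdn in rdns:
        key, sep, value = rdn.partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        attrs.setdefault(key.strip().upper(), []).append(value)
    return attrs

TRUSTED_ISSUER = "CN=Cluster Client CA,O=Example Cloud"   # constructed CA name
USERS = {"alice": "u-1001", "bob": "u-1002"}              # user name -> user_id
RULES = [  # each 'match' attribute must be single-valued and in the allowed set;
           # 'user' is a template over the Subject's single-valued attributes
    {"match": {"OU": ["kube-admins", "swarm-admins"]}, "user": "{CN}"},
]

def same_dn(a, b):
    return parse_dn(a) == parse_dn(b)   # structural compare, not raw text

def map_subject_to_user(subject_dn, issuer_dn, rules=RULES, users=USERS,
                        trusted_issuer=TRUSTED_ISSUER):
    """Return the user_id for a chain-verified client cert, or None."""
    # A Subject only means something relative to the CA that vouched for it,
    # so any other issuer is rejected before the Subject is even looked at.
    if not same_dn(issuer_dn, trusted_issuer):
        return None
    subject = parse_dn(subject_dn)
    single = {k: v[0] for k, v in subject.items() if len(v) == 1}
    for rule in rules:
        if not all(single.get(a) in ok for a, ok in rule["match"].items()):
            continue
        try:
            name = rule["user"].format(**single)
        except KeyError:            # template needs an attribute the cert lacks
            continue
        return users.get(name)      # unknown local user -> None, never auto-created
    return None
```

Nothing here stores a certificate or a key: the terminator verifies the chain, and the mapping only needs the public Subject and Issuer names, which is the point the reply makes about what actually needs protecting.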
</body>
</html>