[openstack-dev] Move keypair management out of Nova and into Keystone?

Nachi Ueno nachi at ntti3.com
Tue Jul 2 00:33:19 UTC 2013


Hi Jamie

Thanks for sharing Keystone's v3 credential API.
(I didn't know this.)
Neutron VPN can use this API! :)

Best
Nachi


2013/7/1 Jamie Lennox <jlennox at redhat.com>:
> On Mon, 2013-07-01 at 14:09 -0700, Nachi Ueno wrote:
>> Hi folks
>>
>> I'm interested in it too.
>> I'm working on VPN support for Neutron.
>> Public key authentication is one of the feature milestones in the IPsec
>> implementation.
>> But I believe key-pair management api and the implementation will be
>> quite similar in Key for IPsec and Nova.
>>
>> so I'm +1 for moving key management for Keystone.
>>
>> Best
>> Nachi
>
> I don't know how nova's keypair management works but I assume we are
> talking about keys for ssh-ing into new virtual machines rather than
> keys for authentication against nova.
>
> Keystone's v3 API has credentials storage (see
> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md ), is this sufficient on behalf of keystone? There is some support in the current master of keystoneclient for working with these credentials.
>
> Otherwise would the upcoming barbican be a more appropriate place?
>
> If I've got this wrong and we are using these keys to actually
> authenticate against nova then if someone can point me to the code I'll
> see how hard it is to transfer to keystone.
>
>>
>>
>> 2013/7/1 Thierry Carrez <thierry at openstack.org>:
>> > Russell Bryant wrote:
>> >> On 07/01/2013 01:10 PM, Jay Pipes wrote:
>> >>> On 07/01/2013 12:23 PM, Mauro S M Rodrigues wrote:
>> >>>> +1.. makes sense to me, I always thought that was weird hehe
>> >>>> Say the word and we will remove it from v3.
>> >>>
>> >>> Well, it's not weird, per se... I mean I understand why it is the way it
>> >>> is. Nova, of course, preceded Keystone.
>> >>>
>> >>> But, it sounds like this would be something to put on the Icehouse
>> >>> horizon? Can the Nova and Keystone PTLs comment if there is interest in
>> >>> this?
>> >>
>> >> There is interest from me.  Dolph?
>> >
>> > Dolph is not around this week, so the answer may take a while :)
>> >
>> > --
>> > Thierry Carrez (ttx)
>> >
>> > _______________________________________________
>> > OpenStack-dev mailing list
>> > OpenStack-dev at lists.openstack.org
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


