[openstack-dev] Move keypair management out of Nova and into Keystone?

Dolph Mathews dolph.mathews at gmail.com
Tue Jul 2 14:44:19 UTC 2013


On Monday, July 1, 2013, Jamie Lennox wrote:

> On Mon, 2013-07-01 at 14:09 -0700, Nachi Ueno wrote:
> > Hi folks
> >
> > I'm interested in it too.
> > I'm working on VPN support for Neutron.
> > Public key authentication is one of the feature milestones in the IPsec
> > implementation.
> > But I believe key-pair management api and the implementation will be
> > quite similar in Key for IPsec and Nova.
> >
> > So I'm +1 for moving key management to Keystone.
> >
> > Best
> > Nachi
>
> I don't know how Nova's keypair management works, but I assume we are
> talking about keys for SSH-ing into new virtual machines rather than
> keys for authentication against Nova.
>
> Keystone's v3 API has credentials storage (see
> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md),
> is this sufficient on behalf of Keystone? There is some support in the
> current master of keystoneclient for working with these credentials.


+1; I'd like to know what the gap is from Identity API v3's /credentials to
nova key pair API, if any. The credential API was intended to avoid making
too many assumptions about how it would be used, so hopefully it can be
adopted as it is for EC2 creds today.


>
> Otherwise, would the upcoming Barbican be a more appropriate place?
>
> If I've got this wrong and we are using these keys to actually
> authenticate against Nova, then if someone can point me to the code I'll
> see how hard it is to transfer to Keystone.
>
> >
> >
> > 2013/7/1 Thierry Carrez <thierry at openstack.org>:
> > > Russell Bryant wrote:
> > >> On 07/01/2013 01:10 PM, Jay Pipes wrote:
> > >>> On 07/01/2013 12:23 PM, Mauro S M Rodrigues wrote:
> > >>>> +1.. makes sense to me, I always thought that was weird hehe
> > >>>> Say the word and we will remove it from v3.
> > >>>
> > >>> Well, it's not weird, per se... I mean I understand why it is the
> > >>> way it is. Nova, of course, preceded Keystone.
> > >>>
> > >>> But, it sounds like this would be something to put on the Icehouse
> > >>> horizon? Can the Nova and Keystone PTLs comment if there is interest
> > >>> in this?
> > >>
> > >> There is interest from me.  Dolph?
> > >
> > > Dolph is not around this week, so the answer may take a while :)
> > >
> > > --
> > > Thierry Carrez (ttx)
> > >
> > > _______________________________________________
> > > OpenStack-dev mailing list
> > > OpenStack-dev at lists.openstack.org
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>


-- 

-Dolph