[openstack-dev] Move keypair management out of Nova and into Keystone?

Jay Pipes jaypipes at gmail.com
Tue Jul 2 15:09:23 UTC 2013

On 07/02/2013 10:56 AM, Simo Sorce wrote:
> If 'access credentials' remain buried (as in they can never be
> retrieved) in Keystone (or whatever IdM service it bridges to) then it
> is probably the right place, as it performs authentication anyway and
> needs direct access to these credentials internally in some cases.
> But Keystone is not the right place to function as a storage and retrieval
> system for private keys; that's Barbican's turf.

No disagreement at all from me on this one! :)

> So for the nova keypairs I think Keystone is the natural place, as that
> information doesn't need strong protection, it's just public keys.
> For private keys Keystone wouldn't do, and a URL redirection scheme as
> proposed by Jarret makes a lot of sense in this case.
