[openstack-dev] Move keypair management out of Nova and into Keystone?

Ryan Lane rlane at wikimedia.org
Tue Jul 2 19:15:04 UTC 2013


On Tue, Jul 2, 2013 at 8:12 AM, Bryan D. Payne <bdpayne at acm.org> wrote:

>
>> > I don't understand. Users already have custody of their own keys. The
>> > only thing that Keystone/Nova has is the public key fingerprint [1], not
>> > the private key...
>>
>> You actually have the public key, not just the fingerprint, but indeed
>> I do not see why barbican should be involved here.  A public key does not
>> need the same level of protection of a private key or a symmetric
>> encryption key, so by storing this data in barbican we would only
>> needlessly expose barbican to more access patterns and more
>> logging/auditing volume than is needed.
>>
>
> I believe you're confusing a couple of points here.  In this case, for
> public keys, what matters is integrity.  For the other cases that you
> mentioned, both integrity and confidentiality matter.  I believe that given
> the high integrity requirements that it *does* make sense to store these in
> a more protected location.
>
> +1 for using Barbican
>
>
This would make Barbican a required service for running Nova. Keystone is
already required and it has the necessary functionality.

- Ryan
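The thread's distinction between a public key's integrity and a private key's confidentiality can be made concrete with a small integrity check: whichever service stores the keypair record, the stored public key must still reproduce the stored fingerprint, and any substitution of the key is caught when the two no longer agree. The code below is an added example and is not part of the thread or of Nova, Keystone or Barbican. It assumes the legacy colon-separated MD5 fingerprint format and builds its own constructed sample key (32 deterministic bytes standing in for an ed25519 public key) so it runs offline.

```python
import base64
import hashlib
import struct


def build_openssh_line(key_type: bytes, key_bytes: bytes, comment: str = "") -> str:
    """Encode raw key material as an OpenSSH '<type> <base64 blob> [comment]' line.

    The blob uses SSH wire format: a length-prefixed type string followed by the
    length-prefixed key field(s). For ed25519 that is a single 32-byte field.
    """
    blob = struct.pack(">I", len(key_type)) + key_type
    blob += struct.pack(">I", len(key_bytes)) + key_bytes
    line = key_type.decode() + " " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def parse_openssh_line(line: str) -> bytes:
    """Return the decoded key blob, rejecting lines whose blob disagrees with the declared type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type = parts[0].encode()
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short to carry a type field")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != declared_type:
        raise ValueError("key type inside blob does not match declared type")
    return blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint over the raw key blob (assumed store format)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_stored_record(record: dict) -> bool:
    """Integrity check: the stored public key must reproduce the stored fingerprint.

    This detects modification of the key inside whatever store holds the record.
    It is purely an integrity property; nothing here needs to be kept secret.
    """
    try:
        blob = parse_openssh_line(record["public_key"])
    except ValueError:
        return False
    return md5_fingerprint(blob) == record["fingerprint"]


def tampered_record(record: dict) -> dict:
    """Copy of a record with one bit of the key blob flipped (a constructed substitution)."""
    parts = record["public_key"].split()
    blob = bytearray(base64.b64decode(parts[1]))
    blob[-1] ^= 0x01
    parts[1] = base64.b64encode(bytes(blob)).decode()
    return dict(record, public_key=" ".join(parts))


# Constructed sample: deterministic bytes in place of a real ed25519 public key.
SAMPLE_KEY_BYTES = bytes(range(32))
SAMPLE_PUBLIC_KEY = build_openssh_line(b"ssh-ed25519", SAMPLE_KEY_BYTES, "user at example")

# A record of the kind a keypair store would hold: name, key and its fingerprint.
SAMPLE_RECORD = {
    "name": "example-keypair",
    "public_key": SAMPLE_PUBLIC_KEY,
    "fingerprint": md5_fingerprint(parse_openssh_line(SAMPLE_PUBLIC_KEY)),
}


if __name__ == "__main__":
    blob = parse_openssh_line(SAMPLE_PUBLIC_KEY)
    print("MD5   ", md5_fingerprint(blob))
    print("SHA256", sha256_fingerprint(blob))
    print("intact record verifies:  ", verify_stored_record(SAMPLE_RECORD))
    print("tampered record verifies:", verify_stored_record(tampered_record(SAMPLE_RECORD)))
```

The check only proves that the key and fingerprint in a record agree with each other; if an attacker can rewrite both fields, the fingerprint must be anchored elsewhere (for example, compared against the one the user recorded when they uploaded the key) for the integrity argument to hold.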