[openstack-dev] [nova] key management and Cinder volume encryption

John Griffith john.griffith at solidfire.com
Wed Sep 4 01:44:41 UTC 2013


On Tue, Sep 3, 2013 at 7:27 PM, Bryan D. Payne <bdpayne at acm.org> wrote:

>
>>>> How can someone use your code without a key manager?
>>>
>>> Some key management mechanism is required although it could be
>>> simplistic. For example, we’ve tested our code internally with an
>>> implementation of the key manager interface that returns a single, constant
>>> key.
>>>
>> That works for testing but doesn't address: "the current dearth of key
>> management within OpenStack does not preclude the use of our existing work
>> within a production environment"
>>
>
> My understanding here is that users are free to use any key management
> mechanism that they see fit.  This can be a simple "return a static key"
> option.  Or it could be using something more feature rich like Barbican.
>  Or it could be something completely home grown that is suited to a
> particular OpenStack deployment.
>
> I don't understand why we are getting hung up on having a key manager as
> part of OpenStack in order to accept this work.  Clearly there are other
> pieces of OpenStack that have external dependencies (message queues, to
> name one).
>
> I, for one, am looking forward to using this feature and would be very
> disappointed to see it pushed back for yet another release.
>
>
>
>>  Is a feature complete if no one can use it?
>>
>> I am happy with a less than secure but fully functional key manager.  But
>> with no key manager that can be used in a real deployment, what is the
>> value of including this code?
>>
>
> Of course people can use it.  They just need to integrate with some
> solution of the deployment's choosing that provides key management
> capabilities.  And, of course, if you choose to not use the volume
> encryption then you don't need to worry about it at all.
>
> I've watched this feature go through many, many iterations throughout both
> the Grizzly and Havana release cycles.  The authors have been working hard
> to address everyone's concerns.  In fact, they have navigated quite a
> gauntlet to get this far.  And what they have now is an excellent, working
> solution.  Let's accept this nice security enhancement and move forward.
>
> Cheers,
> -bryan
>
>
Do you have any docs or guides describing a reference implementation that
would be able to use this in the manner you describe?