[openstack-dev] [Barbican] Barebones CA

Clark, Robert Graham robert.clark at hp.com
Sat Jul 12 14:40:14 UTC 2014


Just a quick update on this: I started work on a basic plugin but quickly
found I was running out of time.

I handed over to Tim Kelsey, who had a few concerns about the plumbing
required to make this work; I’ve CC’d him on this thread.

-Rob





On 28/06/2014 08:03, "John Wood" <john.wood at RACKSPACE.COM> wrote:

>Hello folks,
>
>Just trying to clarify things... are we talking about a dev plugin to
>generate asymmetric keys, or else one to mimic working with a CA to
>create SSL certificates via workflow (so including firing off
>certificate-generated events, for example)?
>
>If we are talking about the former, then you would be interested in a
>plugin that implements a method such as this one:
>https://github.com/openstack/barbican/blob/master/barbican/plugin/interface/secret_store.py#L167
>
>If you are talking about the latter, then that would be a different type
>of plugin that handles CA workflows, as proposed in this blueprint:
>https://review.openstack.org/#/c/99221/
>
>Thanks,
>John
>
>________________________________________
>From: Nathan Kinder [nkinder at redhat.com]
>Sent: Wednesday, June 25, 2014 9:43 PM
>To: OpenStack Development Mailing List (not for usage questions);
>alee at redhat.com
>Subject: Re: [openstack-dev] [Barbican] Barebones CA
>
>On 06/25/2014 02:42 PM, Clark, Robert Graham wrote:
>>
>> Ok, I’ll hack together a dev plugin over the next week or so, other work
>> notwithstanding. Where possible I’ll probably borrow from the Dogtag
>> plugin as I’ve not looked closely at the plugin infrastructure in
>> Barbican recently.
>
>My understanding is that Barbican's plugin interface is currently in the
>midst of a redesign, so be careful not to copy something that will be
>changing shortly.
>
>-NGK
>
>>
>> Is this something you’d like a blueprint for first?
>>
>> -Rob
>>
>>
>>
>>
>> On 25/06/2014 18:30, "Ade Lee" <alee at redhat.com> wrote:
>>
>>> I think the plan is to create a Dogtag instance so that integration
>>> tests can be run whenever code is checked in (both with and without a
>>> Dogtag backend).
>>>
>>> Dogtag isn't that difficult to deploy, but being a Java app, it does
>>> bring in a set of dependencies that developers may not want to deal
>>> with for basic/devstack testing.
>>>
>>> So, I agree that a simple OpenSSL CA may be useful at least initially
>>> as a 'dev' plugin.
>>>
>>> Ade
>>>
>>> On Wed, 2014-06-25 at 16:31 +0000, Jarret Raim wrote:
>>>> Rob,
>>>>
>>>> RedHat is working on a backend for Dogtag, which should be capable of
>>>> doing something like that. That's still a bit hard to deploy, so it
>>>> would make sense to extend the 'dev' plugin to include those features.
>>>>
>>>>
>>>> Jarret
>>>>
>>>>
>>>> On 6/24/14, 4:04 PM, "Clark, Robert Graham" <robert.clark at hp.com> wrote:
>>>>
>>>>> Yeah pretty much.
>>>>>
>>>>> That’s something I’d be interested to work on, if work isn’t ongoing
>>>>> already.
>>>>>
>>>>> -Rob
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 24/06/2014 18:57, "John Wood" <john.wood at RACKSPACE.COM> wrote:
>>>>>
>>>>>> Hello Robert,
>>>>>>
>>>>>> I would actually hope we have a self-contained certificate plugin
>>>>>> implementation that runs 'out of the box' to enable certificate
>>>>>> generation orders to be evaluated and demo-ed on local boxes.
>>>>>>
>>>>>> Is this what you were thinking though?
>>>>>>
>>>>>> Thanks,
>>>>>> John
>>>>>>
>>>>>>
>>>>>>
>>>>>> ________________________________________
>>>>>> From: Clark, Robert Graham [robert.clark at hp.com]
>>>>>> Sent: Tuesday, June 24, 2014 10:36 AM
>>>>>> To: OpenStack List
>>>>>> Subject: [openstack-dev] [Barbican] Barebones CA
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I’m sure this has been discussed somewhere and I’ve just missed it.
>>>>>>
>>>>>> Is there any value in creating a basic ‘CA’ and plugin to satisfy
>>>>>> tests/integration in Barbican? I’m thinking something that probably
>>>>>> performs OpenSSL certificate operations itself, ugly but perhaps
>>>>>> useful for some things?
>>>>>>
>>>>>> -Rob
>>>>>>
>>>>>> _______________________________________________
>>>>>> OpenStack-dev mailing list
>>>>>> OpenStack-dev at lists.openstack.org
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


