[openstack-dev] [Neutron][LBaaS] TLS capability - certificates data persistency
Brandon Logan
brandon.logan at RACKSPACE.COM
Tue Jul 22 14:43:04 UTC 2014
I agree with Sam. We're under a strict timeline here and the simpler
the code the faster it will be implemented and reviewed. Is there any
strong reason why this caching can't wait until K if it decided it is
really needed?
Thanks,
Brandon
On Tue, 2014-07-22 at 11:01 +0000, Samuel Bercovici wrote:
> Stephen,
>
>
>
> This will increase the complexity of the code since it will add
> managing the cache lifecycle in tandem with the barbican back end and
> the fact that containers may be shared by multiple listeners.
>
> At this stage, I think that it serves us all to keep the code at this
> stage as small and simple as possible.
>
>
>
> Let’s judge if presenting this information on the fly (ex: in the Web
> UI) becomes a performance issue and if it does, we can fix it then.
>
>
>
> -Sam.
>
>
>
>
>
> From: Stephen Balukoff [mailto:sbalukoff at bluebox.net]
> Sent: Tuesday, July 22, 2014 3:43 AM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [Neutron][LBaaS] TLS capability -
> certificates data persistency
>
>
>
> Evgeny--
>
>
>
>
> The only reason I see for storing certificate information in Neutron
> (and not private key information-- just the certificate) is to aid in
> presenting UI information to the user. Especially GUI users don't care
> about a certificate's UUID, they care about which hostnames it's valid
> for. Yes, this can be loaded on the fly whenever public certificate
> information is accessed, but the perception was that it would be a
> significant performance increase to cache it.
>
>
>
>
>
> Stephen
>
>
>
>
> On Sun, Jul 20, 2014 at 4:32 AM, Evgeny Fedoruk <EvgenyF at radware.com>
> wrote:
>
> Hi folks,
>
>
>
> In a current version of TLS capabilities RST certificate
> SubjectCommonName and SubjectAltName information is cached in a
> database.
>
> This may be not necessary and here is why:
>
>
>
> 1. TLS containers are immutable, meaning once a container was
> associated to a listener and was validated, it’s not necessary to
> validate the container anymore.
> This is relevant for both, default container and containers used for
> SNI.
>
> 2. LBaaS front-end API can check if TLS containers ids were
> changed for a listener as part of an update operation. Validation of
> containers will be done for
> new containers only. This is stated in “Performance Impact” section of
> the RST, excepting the last statement that proposes persistency for
> SCN and SAN.
>
> 3. Any interaction with Barbican API for getting containers data
> will be performed via a common module API only. This module’s API is
> mentioned in
> “SNI certificates list management” section of the RST.
>
> 4. In case when driver really needs to extract certificate
> information prior to the back-end system provisioning, it will do it
> via the common module API.
>
> 5. Back-end provisioning system may cache any certificate data,
> except private key, in case of a specific need of the vendor.
>
>
>
> IMO, There is no real need to store certificates data in Neutron
> database and manage its life cycle.
>
> Does anyone sees a reason why caching certificates’ data in Neutron
> database is critical?
>
>
>
> Thank you,
>
> Evg
>
>
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
>
>
>
> --
> Stephen Balukoff
> Blue Box Group, LLC
> (800)613-4305 x807
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list