[openstack-dev] Regarding Barbican and deletes [from RE: [Neutron][LBaaS]User Stories and sruvey]
Brandon Logan
brandon.logan at RACKSPACE.COM
Sun May 4 22:37:38 UTC 2014
Hello John,
Is there anyway (or any plans to) allow a user to register a secret as
being used by another service so that barbican will disallow deleting
(or make it so that its harder to delete, and make the user aware its
being used by what services)?
Thanks,
Brandon Logan
On Sun, 2014-05-04 at 21:24 +0000, John Wood wrote:
> Hello Stephen,
>
>
> I just wanted to comment that Barbican supports four roles per this
> wiki [1], and only one of them (the admin role) can delete secrets.
> That might reduce the chance that someone will delete secrets out from
> under your workflows.
>
>
> [1]
> = https://github.com/cloudkeep/barbican/wiki/Role-Based-Access-Control
>
>
> Thanks,
> John
>
>
>
> ______________________________________________________________________
> From: Stephen Balukoff [sbalukoff at bluebox.net]
> Sent: Friday, May 02, 2014 9:26 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [Neutron][LBaaS]User Stories and sruvey
>
>
>
> Hi Carlos!
>
>
> Comments in-line:
>
>
> On Thu, May 1, 2014 at 7:24 PM, Carlos Garza
> <carlos.garza at rackspace.com> wrote:
> Balukoff I'm liking your API spec so far but can you
> elaborate on what this loadbalancer object you refer to is. on
> page You declare its immutable and refer to it like an actual
> primitive object yet I don't
> see a schema for it. I see loadbalancer_id in the vip request
> that reference. The top part of the doc declares a
> loadbalancer is is the first object created according to the
> definition in the glossary.
> https://wiki.openstack.org/wiki/Neutron/LBaaS/Glossary#Loadbalancer where it is defined as the root Object that is first created or can be fully populated but in you API proposal it looks like the vip object is the created top level primitive with flavor attribute is apart of a VIP. Are you intending to rename what we call a loadbalancer to a VIP? Could you provide a work flow of a created loadbalancer. It looks good either way.
>
>
> I interpret the part of the definition saying:
>
>
> "An object that represent a logical load balancer that may have
> multiple resources such as Vips, Pools, Members, etc. Loadbalancer is
> a root object in the meaning described above. "
>
>
> ...to mean that a load balancer is a container for all of the above
> primitives (VIPS, Listeners, Pools, Members, etc.) This is analogous
> to a physical device, though it doesn't necessarily need to be a
> physical device (it could be a process on the neutron controller, or
> it could be a whole grouping of physical devices that work together to
> serve a singular purpose). I included it in my API document as a
> "placeholder" of sorts to signify how the User API we're defining
> might interface with an Operator / Management API we have yet to
> define. Mostly, I was trying to capture the idea that different VIPs
> might have different "flavors" defined by the operator that
> essentially constitute different load balancing products that the
> operator makes available to the user, as well as the idea that VIPs
> probably exist in logical groupings within the load balancing
> infrastructure somehow. For certain kinds of users, colocation or
> apolocation of VIPs within these groupings of load balancing
> infrastructure is important. (See use cases 11 and 12 in the use
> cases document for a couple examples we see with some regularity.)
>
>
> The API I've proposed includes no notion of how to create a 'load
> balancer' in this sense because this is primarily an operator concern,
> and we've yet to have an in-depth discussion of the nitty-gritty
> details of operator concerns. Rather, my API assumes that "somehow
> load balancers exist" and takes it from there.
>
>
> In any case, we can remove the notion of this kind of 'load balancer'
> from my API proposal for evaluation (since it doesn't really affect
> much for the user), and potentially add something like it back in
> later when we start to talk more in-depth about operator concerns.
>
> Is it cool if we rename ca_certificate_id to client_ca or
> client_ca_certificate to make it clear the purpose of the CA
> is to snub clients. Later on if we need to do encryption to
> back end pool members that have x509s signed by their own CA
> we can then use a parameter like reencryption_ca_certificate.
>
>
> Yep! I'm all for names that make concepts more obvious and/or remove
> confusion from the conversation. :)
>
> Consider the following cases.
>
>
> The user wants SSL_ID based persistence on an HTTPS
> LoadBalancer where the loadbalancer does not know the key or
> cert but has access to the unencrypted RFC5246: 7.4.1.2
> uncrypted Session ID
> to identify persistence to the back end HTTPS pool member?
>
>
> On the pool side of the loadbalaancer can a loadbalancer still
> encrypt if no ca_certificate_id or client_certificate_id is
> present? How would they signal to the api that they extend to
> encrypt with out host name validation or even vert validation
> at all. Not sure why they would want to other then they don't
> feel the need to pay for certs on their backend nodes or worse
> yes pay for a signing cert.
>
>
> No. If the load balancer didn't decrypt the SSL session with the web
> client on the front-end, then it makes no sense to try to re-encrypt
> on the back end. Futher, it also makes no sense for the load balancer
> to attempt verification of the back-end members' server certificates.
>
>
> So, if you're asking whether those attributes only make sense when
> decrypting the SSL session on the front end the answer is: yes. For
> all intents and purposes, not decrypting on the front end means that
> the session is essentially treated like a raw TCP session to the back
> end, with the slight difference that the load balancer can see the
> Session ID in order to do session persistence properly.
>
>
> Note that my API proposal doesn't yet include a flag to indicate
> whether the load balancer should attempt decryption / re-encryption.
> Part of this is because I wasn't aware of this form of session
> persistence and therefore thought a non-decrypted HTTPS configuration
> would look identical to a raw TCP configuration... However, even
> without this flag the notion of whether to decrypt can be determined
> implicitly like so:
> * If the listener protocol is HTTPS and there is no
> default_server_certificate_id, then the load balancer should
> treat the connection like a TCP session and not attempt to
> decrypt, re-encrypt or verify client or server certificates
> anywhere.
> * If the above point is true, and the session persistence
> attribute on the pool is set to 'SSL_SESSION_ID', then the
> load balancer should try to use the RFC5246: 7.4.1.2 uncrypted
> Session ID information for persistence.
> If people think it's still worthwhile to have the flag (so users can
> easily toggle on and off decryption on the listener), it would be
> trivial to add this attribute to the Listener object. What do y'all
> think?
>
> The user feels secure on their network and wants SSL
> termination at the loadbalancer so the loadbalancer has the
> Cert and Key and extends to use plain old HTTP to the pool
> members with some headers injected. What would the protocol on
> the listener be "HTTPS" and would placing a CERT and KEY imply
> deception should happen.
>
>
> Yes, the protocol on the listener would be HTTPS still. I'm not sure
> what you mean by "placing a CERT and KEY". Are you talking about
> within the HTTP headers?
>
> Also I've been burned in an earlier project when I started
> noticing some CA's were using ECDSA certs instead of RSA?
> should we take non RSA x509s into account as well? Right now
> it looks like the API assumes everything is RSA.
>
>
> Yeah, the API does assume everything is RSA right now. I've never been
> handed ECDSA certs before-- can they be converted? In any case, if we
> want to natively support different certificate types, this can be done
> by adding a 'certificate_type' attribute to the TLS_Certificate
> object, and presumably some detection logic when the user uploads a
> new cert.
>
>
> Oh! One other thing: I've had a little bit of time to get an overview
> of barbican. From what I can tell, their main purpose is to provide a
> "secure" storage engine for storing any kind of sensitive information
> (not just RSA private keys or what have you). I'm all for using this
> to store private keys instead of inventing our own system here, as I
> think they'll be able to do a better job in general of maintaining the
> security of the secrets they store since that's the whole purpose of
> the project. (I think it's still fine for us to store public
> certificates sans their private keys ourselves since that's... well,
> public information.)
>
>
> Note that using barbican this way does introduce a couple other
> failure scenarios that we'll need to worry about: Specifically,
> because the user is capable of deleting or changing private key data
> outside of the workflow or knowledge of the LBaaS API, this means that
> we can run into scenarios where the user wants to push a change, but
> the private key data might be unavailable. This can break all kinds of
> stuff, (especially around automated tasks having to do with
> orchestration and auto-scaling). So... we need to carefully consider
> how to handle this failure scenario if we're going to use Barbican.
>
>
> Thanks,
> Stephen
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list