[openstack-dev] [neutron][lbaas][barbican] default certificate manager

Brandon Logan brandon.logan at RACKSPACE.COM
Thu Apr 9 20:51:13 UTC 2015


Hi Ihar,
So that decision was indeed hastily done but I still think it was the right one.  Let me break down the reasons:

1) To use the local cert manager, the API would have to accept the raw secrets (certificate, private key, etc).  We'd have to store that some place, but it would have been explicitly documented that the local cert manager was an insecure option and should not be used in a production environment.  So that's not a huge deal, but still a factor.  Without these fields, the local cert manager is useless because a user can't store anything.  

2) If #1 was allowed then the listener would have to accept those fields along with a tls_container_id.  That in itself can be confusing, but it could be overcome with documentation.  

3) If barbican was in use then it would be expected that the neutron-lbaas API would accept the raw secrets, and then its up to the system to store those secrets in barbican.  Who should those secrets be owned by?
        a) If we make them owned by the user then you run into the issue of them re-using the secrets in some other system.  What happens when the user deletes the listener that             the secrets were originally created for?
        b) If we make them owned by the system then a user can't reuse the same secrets, which is a big reason to use barbican.    

4) Time.  The options above could definitely have been done, but along with not being clear as to which is the best option (if there is one), there wasn't much time to actually implement them. 

So given all of that, I think defaulting to barbican was the lesser of many evils.  LBaaS v2 is marked as experimental in the docs so that gives us some leeway to make some backwards incompatible changes, though the options above wouldn't be backwards incompatible.  It's still a signal to users/operators that its experimental.

Thanks,
Brandon  


________________________________________
From: Ihar Hrachyshka <ihrachys at redhat.com>
Sent: Thursday, April 9, 2015 10:29 AM
To: openstack-dev
Subject: [openstack-dev] [neutron][lbaas][barbican] default certificate manager

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi lbaas folks,

I've realized recently that the default certificate manager for lbaas
advanced service is now barbican based. Does it mean that to make
default configuration working as is, users will need to deploy
barbican service? If that's really the case, the default choice seems
to be unfortunate. I think it would be better not to rely on external
service in default setup, using local certificate manager.

Is there a particular reason behind the default choice?

Thanks,
/Ihar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVJprKAAoJEC5aWaUY1u57OEcIANdh8uBUcHKxBqjYFwQWoJRx
jLLlH6uxivP3i9nBiYFTZG8uwFhwCzL5rl9uatB7+Wsu41uOTJZeUlCM4dN+xOIz
J9KujLv1oGD/FvgpVGP/arJ6SoCeiINmezwQAziid6dmtH1iYePFCCTCJedbMmND
KampF+RXmHIwXvwVN1jK/tDfGsMHOoGKjy4jmgw48jBWFch1PBWQnRn4ooxZDbmI
VGQvSbpDwkQ3+N3ELZHx0m7l9kGmRKQl/8Vwml6pJKtcrGObkQGGGPeTPYj8Y/NO
Peht83x+HkrIupXZpkm3ybyHWSQdJw+RdKquGWKPTrcNGL1zZTl46rHWF79rhxA=
=C8+6
-----END PGP SIGNATURE-----

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list