[openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

Tim Bell Tim.Bell at cern.ch
Tue Sep 1 06:49:20 UTC 2015


> -----Original Message-----
> From: Adrian Otto [mailto:adrian.otto at rackspace.com]
> Sent: 01 September 2015 07:03
> To: OpenStack Development Mailing List (not for usage questions)
> <openstack-dev at lists.openstack.org>
> Subject: Re: [openstack-dev] [magnum] Difference between certs stored in
> keystone and certs stored in barbican
> 
> Simply put, Keystone is designed to generate tokens that are to be used for
> authentication and RBAC. Systems like Kubernetes do not support Keystone
> auth, but do support TLS. Using TLS provides a solution that is compatible
> with using these systems outside of an OpenStack cloud.
> 
> Barbican is designed for secure storage of arbitrary secrets, and currently
> also has a CA function. The reason that is compelling is that you can have
> Barbican generate, sign, and store a keypair without transmitting the private
> key over the network to the client that originates the signing request. It can
> be directly stored, and made available only to the clients that need access to
> it.
> 

Will it also be possible to use a different CA? In some environments, there is already a corporate certificate authority server. This would ensure compliance with site security standards.

Tim

> We are taking an iterative approach to TLS integration, so we can gradually
> take advantage of both keystone and Barbican features as they allow us to
> iterate toward a more secure integration.
> 
> Adrian
> 
> > On Aug 31, 2015, at 9:05 PM, Vikas Choudhary
> <choudharyvikas16 at gmail.com> wrote:
> >
> > Hi,
> >
> > Can anybody please point me out some etherpad discussion page/spec
> > that can help me understand why we are going to introduce barbican for
> > magnum when we already had keystone for security management?
> >
> > -Vikas Choudhary
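As an added example (not code from Magnum, Barbican, or anyone in this thread), the openssl CLI flow below shows the property Adrian describes and the site-CA arrangement Tim asks about: the node's private key is generated in its own directory and is never copied to the CA side; only the certificate signing request crosses over, and only the signed certificate comes back. The CA is a throwaway self-signed root standing in for a corporate CA; the directory layout, subject names and reliance on an installed openssl binary are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Magnum or Barbican code. Demonstrates a CSR-based signing
# flow with the openssl CLI: the private key stays where it is generated and
# the CA only ever sees the CSR. Paths and subject names are constructed here.

csr_flow_demo() {
    workdir=$(mktemp -d) || return 1
    node="$workdir/node"   # "client side", e.g. a bay node (assumed name)
    ca="$workdir/ca"       # "CA side", standing in for a corporate CA
    mkdir -p "$node" "$ca" &&

    # CA side: a throwaway self-signed root certificate and key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Site CA" \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null &&

    # Node side: key pair generated locally, then a CSR for its public half.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=bay-node-1" \
        -keyout "$node/node.key" -out "$node/node.csr" 2>/dev/null &&

    # Only the CSR crosses to the CA directory; node.key is never copied.
    cp "$node/node.csr" "$ca/node.csr" &&
    openssl x509 -req -in "$ca/node.csr" \
        -CA "$ca/ca.crt" -CAkey "$ca/ca.key" -CAcreateserial \
        -days 1 -out "$ca/node.crt" 2>/dev/null &&

    # Only the signed certificate comes back to the node.
    cp "$ca/node.crt" "$node/node.crt" &&

    # Checks: the CA side holds no node private key, the certificate chains
    # to the CA, and its public key matches the key that never left the node.
    [ ! -e "$ca/node.key" ] &&
    openssl verify -CAfile "$ca/ca.crt" "$node/node.crt" >/dev/null 2>&1 &&
    [ "$(openssl x509 -in "$node/node.crt" -pubkey -noout)" = \
      "$(openssl pkey -in "$node/node.key" -pubout)" ]
    rc=$?
    rm -rf "$workdir"
    return $rc
}

csr_flow_demo && echo "CSR flow OK: private key never left the node"
```

The same shape applies whether the signer is Barbican's CA function or an existing corporate CA: swap the throwaway root for the site CA's signing endpoint, and the node-side steps (local key generation, CSR out, certificate in) do not change.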