[openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

Vikas Choudhary choudharyvikas16 at gmail.com
Tue Sep 1 07:06:22 UTC 2015


Is it like Keystone authenticating between magnum-client and magnum-conductor, and Barbican certs will be used between the conductor and k8s/swarm?



Thanks

Vikas Choudhary

_____________________________________________________________
Simply put, Keystone is designed to generate tokens that are to be
used for authentication and RBAC. Systems like Kubernetes do not
support Keystone auth, but do support TLS. Using TLS provides a
solution that is compatible with using these systems outside of an
OpenStack cloud.

Barbican is designed for secure storage of arbitrary secrets, and
currently also has a CA function. The reason that is compelling is
that you can have Barbican generate, sign, and store a keypair without
transmitting the private key over the network to the client that
originates the signing request. It can be directly stored, and made
available only to the clients that need access to it.

We are taking an iterative approach to TLS integration, so we can
gradually take advantage of both keystone and Barbican features as
they allow us to iterate toward a more secure integration.

Adrian

> On Aug 31, 2015, at 9:05 PM, Vikas Choudhary <choudharyvikas16 at gmail.com> wrote:
>
> Hi,
>
> Can anybody please point me out some etherpad discussion
> page/spec that can help me understand why we are going to introduce
> barbican for magnum when we already had keystone for security
> management?
>
> -Vikas Choudhary