[openstack-dev] [neutron][lbaas] Is SSL offload config possible using non "admin" tenant?
Vijay Venkatachalam
Vijay.Venkatachalam at citrix.com
Tue Sep 15 02:12:31 UTC 2015
Is there a documentation which records step by step?
What is Neutron-LBaaS tenant?
Is it the tenant who is configuring the listener? *OR* is it some tenant which is created for lbaas plugin that is the having all secrets for all tenants configuring lbaas.
>>You need to set up ACLs on the Barbican side for that container, to make it readable to the Neutron-LBaaS tenant.
I checked the ACL docs
http://docs.openstack.org/developer/barbican/api/quickstart/acls.html
The ACL API is to allow “users”(not “Tenants”) access to secrets/containers. What is the API or CLI that the admin will use to allow access of the tenant’s secret+container to Neutron-LBaaS tenant.
From: Adam Harwell [mailto:adam.harwell at RACKSPACE.COM]
Sent: 15 September 2015 03:00
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [neutron][lbaas] Is SSL offload config possible using non "admin" tenant?
You need to set up ACLs on the Barbican side for that container, to make it readable to the Neutron-LBaaS tenant. For now, the tenant-id should just be documented, but we are looking into making an API call that would expose the admin tenant-id to the user so they can make an API call to discover it.
Once the user has the neutron-lbaas tenant ID, they use the Barbican ACL system to add that ID as a readable user of the container and all of the secrets. Then Neutron-LBaaS hits barbican with the credentials of the admin tenant, and is granted access to the user’s container.
--Adam
https://keybase.io/rm_you
From: Vijay Venkatachalam <Vijay.Venkatachalam at citrix.com<mailto:Vijay.Venkatachalam at citrix.com>>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Date: Friday, September 11, 2015 at 2:35 PM
To: "OpenStack Development Mailing List (openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Subject: [openstack-dev] [neutron][lbaas] Is SSL offload config possible using non "admin" tenant?
Hi,
Has anyone tried configuring SSL Offload as a tenant?
During listener creation there is an error thrown saying ‘could not locate/find container’.
The lbaas plugin is not able to fetch the tenant’s certificate.
From the code it looks like the lbaas plugin is tyring to connect to barbican with keystone details provided in neutron.conf
Which is by default username = “admin” and tenant_name =”admin”.
This means lbaas plugin is looking for tenant’s ceritifcate in “admin” tenant, which it will never be able to find.
What is the procedure for the lbaas plugin to get hold of the tenant’s certificate?
Assuming “admin” user has access to all tenant’s certificates. Should the lbaas plugin connect to barbican with username=’admin’ and tenant_name = listener’s tenant_name?
Is this, the way forward ? *OR* Am I missing something?
Thanks,
Vijay V.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150915/96860ec1/attachment.html>
More information about the OpenStack-dev
mailing list