[openstack-dev] [neutron][lbaas] Barbican container lookup from lbaas

Douglas Mendizábal douglas.mendizabal at rackspace.com
Mon Sep 21 16:57:43 UTC 2015


I'm not familiar with the low-level details of the lbaas
implementation, so hopefully someone from the lbaas team will be able
to answer this.

The URL I sent last week for the API docs has been updated though.
Here's the current URL:

http://docs.openstack.org/developer/barbican/api/index.html

- Douglas

On 9/21/15 11:41 AM, Varun Lodaya wrote:
> Hey Douglas,
> 
> Thanks for the reply. Will look into barbican ACLs and test it out.
> Also, had 1 more follow up question…
> 1) Currently the HAProxy LBaaS instance sits on the controller. The
> certificate download happens on the controller too.
> 2) Once we move to service-vm model, where service-vms could reside
> on compute hypervisors, where will the cert download happen? Still
> on controller in the flow?
> 
> Thanks, Varun
> 
> On 9/18/15, 10:53 PM, "Douglas Mendizábal" 
> <douglas.mendizabal at rackspace.com> wrote:
> 
>> Hi Varun,
>> 
>> I believe the expected workflow for this use case is:
>> 
>> 1. User uploads cert + key to Barbican
>> 2. User grants lbaas access to the barbican certificate container
>>    using the ACL API [1]
>> 3. User requests tls container by providing Barbican container
>>    reference
>> 
>> Since the user grants the lbaas user access in step 2, the token
>> generated using the conf file credentials will be accepted by
>> Barbican and the certificate will be made available to lbaas.
>> 
>> - Douglas Mendizábal
>> 
>> [1] http://docs.openstack.org/developer/barbican/api/quickstart/acls.html
>> 
>> On 9/19/15 12:13 AM, Varun Lodaya wrote:
>>> Hi Guys,
>>> 
>>> With lbaasv2, I noticed that when we try to associate tls 
>>> containers with lbaas listeners, lbaas tries to validate the 
>>> container and while doing so, tries to get keystone token based
>>> on tenant/user credentials in neutron.conf file. However, the
>>> barbican containers could belong to different users in
>>> different tenants, in that case, container look up would always
>>> fail? Am I missing something?
>>> 
>>> Thanks, Varun
>>> 
>>> 
>>> ______________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



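Step 2 of the workflow quoted above, as an added example that is not part of the original thread or of the Barbican or neutron-lbaas code: it plans the ACL requests that give one service user read access to a certificate container. The host, UUIDs and user id are constructed; it assumes the grant is needed on each referenced secret as well as on the container, and that a PUT to the ACL resource replaces the existing ACL, so users already listed are carried over.

```python
import json

# Constructed sample: shape of the GET response for a certificate container.
BASE = "https://barbican.example.test/v1"
SAMPLE_CONTAINER = {
    "type": "certificate",
    "container_ref": BASE + "/containers/11111111-aaaa-4bbb-8ccc-000000000001",
    "secret_refs": [
        {"name": "certificate",
         "secret_ref": BASE + "/secrets/22222222-aaaa-4bbb-8ccc-000000000002"},
        {"name": "private_key",
         "secret_ref": BASE + "/secrets/33333333-aaaa-4bbb-8ccc-000000000003"},
    ],
}
LBAAS_USER_ID = "lbaas-service-user-id"  # placeholder Keystone user id


def plan_acl_grants(container, service_user_id, current_acls=None):
    """Return (method, url, body) tuples granting read access to the service user.

    container:    container document as returned by GET <container_ref>
    current_acls: optional {ref: document from GET <ref>/acl}; existing users
                  and the project-access flag are preserved in the new body.
    """
    current_acls = current_acls or {}
    refs = [container["container_ref"]]
    refs += [s["secret_ref"] for s in container.get("secret_refs", [])]
    requests = []
    for ref in refs:
        read = current_acls.get(ref, {}).get("read", {})
        users = list(read.get("users", []))
        if service_user_id in users:
            continue  # already granted on this resource, nothing to send
        users.append(service_user_id)
        body = {"read": {"users": users,
                         "project-access": read.get("project-access", True)}}
        requests.append(("PUT", ref.rstrip("/") + "/acl", body))
    return requests


if __name__ == "__main__":
    for method, url, body in plan_acl_grants(SAMPLE_CONTAINER, LBAAS_USER_ID):
        print(method, url, json.dumps(body))
```

Each planned request would be sent with the container owner's token, since it is the owner who grants access in step 2.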