[openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

Lance Bragstad lbragstad at gmail.com
Tue Apr 12 20:27:03 UTC 2016


Keystone's credential API pre-dates barbican. We started talking about
having the credential API back to barbican after it was a thing. I'm not
sure if any work has been done to move the credential API in this
direction. From a security perspective, I think it would make sense for
keystone to back to barbican.

On Tue, Apr 12, 2016 at 2:43 PM, Hongbin Lu <hongbin.lu at huawei.com> wrote:

> Hi all,
>
>
>
> In short, some Magnum team members proposed to store TLS certificates in
> the Keystone credential store. As Magnum PTL, I want to get agreement (or
> non-disagreement) from the OpenStack community in general, and the Keystone
> community in particular, before approving the direction.
>
>
>
> In detail, Magnum leverages TLS to secure the API endpoint of
> kubernetes/docker swarm. The usage of TLS requires a secure store for
> storing TLS certificates. Currently, we leverage Barbican for this purpose,
> but we constantly receive requests to decouple Magnum from Barbican
> (because users normally don’t have Barbican installed in their clouds).
> Some Magnum team members proposed to leverage the Keystone credential store
> as a Barbican alternative [1]. Therefore, I want to confirm what the Keystone
> team's position is on this proposal (I remember someone from Keystone
> mentioned this is an inappropriate use of Keystone. May I ask for further
> clarification?). Thanks in advance.
>
>
>
> [1]
> https://blueprints.launchpad.net/magnum/+spec/barbican-alternative-store
>
>
>
> Best regards,
>
> Hongbin
>