[openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

Dolph Mathews dolph.mathews at gmail.com
Tue Apr 12 22:39:43 UTC 2016


On Tue, Apr 12, 2016 at 3:27 PM, Lance Bragstad <lbragstad at gmail.com> wrote:

> Keystone's credential API pre-dates barbican. We started talking about
> having the credential API back to barbican after it was a thing. I'm not
> sure if any work has been done to move the credential API in this
> direction. From a security perspective, I think it would make sense for
> keystone to back to barbican.
>

+1

And regarding the "inappropriate use of keystone," I'd agree... without
this spec, keystone is entirely useless as any sort of alternative to
Barbican:

  https://review.openstack.org/#/c/284950/

I suspect Barbican will forever be a much more mature choice for Magnum.


>
> On Tue, Apr 12, 2016 at 2:43 PM, Hongbin Lu <hongbin.lu at huawei.com> wrote:
>
>> Hi all,
>>
>> In short, some Magnum team members proposed to store TLS certificates in
>> the Keystone credential store. As Magnum PTL, I want to get agreement (or
>> non-disagreement) from the OpenStack community in general, and the Keystone
>> community in particular, before approving the direction.
>>
>> In detail, Magnum leverages TLS to secure the API endpoint of
>> kubernetes/docker swarm. The usage of TLS requires a secure store for
>> storing TLS certificates. Currently, we leverage Barbican for this purpose,
>> but we have constantly received requests to decouple Magnum from Barbican
>> (because users normally don’t have Barbican installed in their clouds).
>> Some Magnum team members proposed to leverage the Keystone credential store as
>> a Barbican alternative [1]. Therefore, I want to confirm what the Keystone
>> team's position is on this proposal (I remember someone from Keystone
>> mentioned this is an inappropriate use of Keystone. Could I ask for further
>> clarification?). Thanks in advance.
>>
>> [1]
>> https://blueprints.launchpad.net/magnum/+spec/barbican-alternative-store
>>
>> Best regards,
>>
>> Hongbin
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>