[openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates
Adam Young
ayoung at redhat.com
Wed Apr 13 16:01:33 UTC 2016
On 04/12/2016 03:43 PM, Hongbin Lu wrote:
>
> Hi all,
>
> In short, some Magnum team members proposed to store TLS certificates
> in Keystone credential store. As Magnum PTL, I want to get agreements
> (or non-disagreement) from OpenStack community in general, Keystone
> community in particular, before approving the direction.
>
> In details, Magnum leverages TLS to secure the API endpoint of
> kubernetes/docker swarm. The usage of TLS requires a secure store for
> storing TLS certificates.
>
No it does not.
Nothing required "secure storing of certificates."
What is required is "secure storing of private keys." Period. Nothing
else needs to be securely stored.
Next step is the "signing" of X509 certificates, and this requires a
CA. Barbican is the OpenStack abstraction for a CA, but still requires
a "real" implementation to back to. Dogtag is available for this role.
Now, what Keystone can and should do is provide a way to map an X509
Certificate to a user. This is actually much better done using the
Federation approach than the Credentials store.
Credentials kinda suck. They should die in a fire. They can't, but
they should. Different rant though.
So, to nail it down specifically: Keystone's sole role here is to map
the Subject from an X509 certificate to a user_id. If you try to do
anything more than that with Keystone, you are in a state of sin.
So, if what you want to do is to store an X509 Certificate in the
Keystone Credentials API, go for it, but I don;'t know what it would buy
you, as only the "owner" of that cert would then be able to retrieve it.
If, on the other hand, what you want to do is to decouple the
request/approval of X509 dfrom Barbican, I would suggest you use
Certmonger. It is an Operating system level tool for exactly this
purpose. And then we should make sure that Barbican can act as a CA for
Certmonger (I know that Dogtag can already).
There is nothing Magnum specific about this. We need to solve the Cert
story for OpenStack in general. We need TLS for The Message Broker and
the Database connections as well as any HTTPS servers we have.
> Currently, we leverage Barbican for this purpose, but we constantly
> received requests to decouple Magnum from Barbican (because users
> normally don’t have Barbican installed in their clouds). Some Magnum
> team members proposed to leverage Keystone credential store as a
> Barbican alternative [1]. Therefore, I want to confirm what is
> Keystone team position for this proposal (I remembered someone from
> Keystone mentioned this is an inappropriate use of Keystone. Would I
> ask for further clarification?). Thanks in advance.
>
> [1]
> https://blueprints.launchpad.net/magnum/+spec/barbican-alternative-store
>
> Best regards,
>
> Hongbin
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160413/94cecb8a/attachment-0001.html>
More information about the OpenStack-dev
mailing list