[openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

Fox, Kevin M Kevin.Fox at pnnl.gov
Wed Apr 13 16:51:31 UTC 2016


For evaluation, you should be able to throw it on a single machine with the file backend and skip barbican. Why do you need to do a partially hardened config? (magnum ha but insecure)

Thanks
Kevin
________________________________________
From: Clayton O'Neill [clayton at oneill.net]
Sent: Wednesday, April 13, 2016 7:37 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

On Wed, Apr 13, 2016 at 10:26 AM, rezroo <openstack at roodsari.us> wrote:
> Hi Kevin,
>
> I understand that this is how it is now. My question is how bad would it be
> to wrap the Barbican client library calls in another class and claim, for
> all practical purposes, that Magnum has no direct dependency on Barbican?
> What is the negative of doing that?
>
> Anyone who wants to use another mechanism should be able to do that with a
> simple change to the Magnum conf file. Nothing more complicated. That's the
> essence of my question.

For us, the main reason we’d want to be able to deploy without
Barbican is mostly to lower the initial barrier of entry.  We’re not
running anything else that would require Barbican for a multi-node
deployment, so for us to do a realistic evaluation of Magnum, we’d
have to get two “new to us” services up and running in a development
environment.  Since we’re not running Barbican or Magnum, that’s a big
time commitment for something we don’t really know if we’d end up
using.  From that perspective, something that’s less secure might be
just fine in the short term.  For example, I’d be completely fine with
storing certificates in the Magnum database as part of an evaluation,
knowing I had to switch from that before going to production.
