[openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)

Eric Harney eharney at redhat.com
Mon Jan 4 16:03:22 UTC 2016

On 01/04/2016 10:46 AM, Farr, Kaitlin M. wrote:
>> The fixed key manager is useful for easy testing (we're using it in the
>> gate in places where barbican isn't available). Is there anything
>> equivalent with Catellan?
>>         -Sean
>> --
>> Sean Dague
>> http://dague.net
> There is no fixed-key back end with Castellan. I agree that using a
> fixed key makes for very easy testing, but the tests use a
> configuration (ConfKeyManager) that should not be used in deployment.
> The tests could be made much more useful if they used a more realistic
> configuration (Barbican).
> Adding a gate that tests using DevStack with Barbican enabled would
> be a more valuable than the existing tests for two reasons:
>  1. ConfKeyManager could be removed.
>  2. It would test the feature configured more closely to how a
>     deployment would actually look.
> As part of this change to deprecate ConfKeyManager and integrate
> Castellan, I would like to add this new gate.
>  -Kaitlin

Aiming toward tests that mirror real-world deployment is certainly a
good thing, but I don't think we should remove ConfKeyManager.

We will want to maintain the ability to test these Cinder/Nova code
paths in development environments or in some automated environments
without requiring additional services to be configured.

We can address this by having ConfKeyManager emit warning messages
indicating that it isn't for production environments.


More information about the OpenStack-dev mailing list