[openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)
douglas.mendizabal at rackspace.com
Tue Jan 5 23:18:15 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Why would we not want to include a fixed-key backend in Castellan? As
long as we make it clear that the fixed-key implementation is insecure
and should not be used in production systems I see no harm in
including it as part of the Castellan package.
In fact, I think it would ease the ramp up time for potential
Castellan adopters. If we included a fixed-key impl, then someone
could just pip install castellan and start kicking tires in the repl.
Otherwise someone who is merely evaluating Castellan would have to go
down the path of standing up a Barbican instance.
- - Douglas Mendizábal
On 1/5/16 3:58 PM, Farr, Kaitlin M. wrote:
>>> Aiming toward tests that mirror real-world deployment is
>>> certainly a good thing, but I don't think we should remove
>>> We will want to maintain the ability to test these Cinder/Nova
>>> code paths in development environments or in some automated
>>> environments without requiring additional services to be
>>> We can address this by having ConfKeyManager emit warning
>>> messages indicating that it isn't for production environments.
>> Right, effectively the fixed key manager was a Testing Fixture
>> for us. That's really important because it reduces the number of
>> moving parts when testing this stuff as a full stack.
> Ok, I am looking into a way to keep a fixed-key back end, but it
> will not live in Castellan.
> Even if we keep the fixed-key back end, what about adding a gate
> that tests the encryption features using Barbican? Would the
> community be supportive if I added that gate?
OpenStack Development Mailing List (not for usage questions)
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the OpenStack-dev