[openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)
Douglas Mendizábal
douglas.mendizabal at rackspace.com
Tue Jan 5 23:18:15 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Why would we not want to include a fixed-key backend in Castellan? As
long as we make it clear that the fixed-key implementation is insecure
and should not be used in production systems I see no harm in
including it as part of the Castellan package.
In fact, I think it would ease the ramp up time for potential
Castellan adopters. If we included a fixed-key impl, then someone
could just pip install castellan and start kicking tires in the repl.
Otherwise someone who is merely evaluating Castellan would have to go
down the path of standing up a Barbican instance.
- - Douglas Mendizábal
On 1/5/16 3:58 PM, Farr, Kaitlin M. wrote:
>>> Aiming toward tests that mirror real-world deployment is
>>> certainly a good thing, but I don't think we should remove
>>> ConfKeyManager.
>>>
>>> We will want to maintain the ability to test these Cinder/Nova
>>> code paths in development environments or in some automated
>>> environments without requiring additional services to be
>>> configured.
>>>
>>> We can address this by having ConfKeyManager emit warning
>>> messages indicating that it isn't for production environments.
>>
>> Right, effectively the fixed key manager was a Testing Fixture
>> for us. That's really important because it reduces the number of
>> moving parts when testing this stuff as a full stack.
>>
>> -Sean
>
> Ok, I am looking into a way to keep a fixed-key back end, but it
> will not live in Castellan.
>
> Even if we keep the fixed-key back end, what about adding a gate
> that tests the encryption features using Barbican? Would the
> community be supportive if I added that gate?
>
> Kaitlin
>
> ______________________________________________________________________
____
>
>
OpenStack Development Mailing List (not for usage questions)
> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWjE8zAAoJEB7Z2EQgmLX7kq4QAIrWs0SlX7ELbrA8XDH3Dfzd
X3Omc32/4b7WbQhF9qu7hmZeGDLBwAg9mSpqEATz7YQJdfEu9DN3WdPnWwsx8JiJ
N0FQUPxo5QcsZGnVMnLZezTPJ7cB+NNpDDb7VWU5gKwwNVgRvCJRv6XZ5lXo9SEP
sg6pE7xwBmT3pwIunWh6WIBpDSzmr/87bPUgkLHb30+grv9GlnHiGvaIc9VOF7Nc
wISFIryn1uqJAfHd0j268KpueM9JLs0fP3raWthJ/xqT7iUKgpp0iIeM0HsEj6D5
UHZqcBAtbhMED/8NuMfIJlXK0i8lTjp6omrBJQM81NeukCeLRZRqoJM1NuvjoaiY
eRUyk3W2tMJcfoowFxWkWFBU7/cxWkXhZmbDAUrJ55KdkewBs6Uuz/lJmUGe4sCI
pn8ROv7jAnTyZdVnRn5ybggTjAEl7Ug8DAu7RRxm06BWtbHgtmBhBQZTDDfRDIUl
KSX1JnP0Js7+GDm/inA/FrYSvQwB+m/bbR86evP8izVGXNF6GhjgBkmtL5GABGqr
sa8UbG8EtMZ+3mPpXlNoFvkptKbay0mpECW86srbXTrDS8W7Licrv6mZ4mn3NjOr
HYgcPp/KoHVn1hmiFcNqH+5Y9N6Wh9Vs+hXwgsBG754WpsTc+qi/FjTSjr8RSZyA
ZS2CXxni08/U5xQ/tNqE
=hy9D
-----END PGP SIGNATURE-----
More information about the OpenStack-dev
mailing list