[openstack-dev] [magnum] Streamline adoption of Magnum
Douglas Mendizábal
douglas.mendizabal at rackspace.com
Wed Mar 23 22:50:09 UTC 2016
Comments inline.
- Douglas Mendizábal
On 3/23/16 5:15 PM, Fox, Kevin M wrote:
> So, this is where things start getting a little ugly and undefined... This is what I've been able to gather so far, so please someone correct me if I'm wrong.
>
> Barbican is the OpenStack secret manager. It provides a standard OpenStack api for users to be able store/retrieve secrets... Its plugable and in theory, you could add a vault plugin to it. Barbican is then your abstraction layer.
>
This is absolutely correct, and it's a point that I'm starting to think
is not very well understood outside of the Barbican and Security teams.
Barbican is not in-and-of-itself a key management solution. It
requires some backend to be used where the actual secret storage is
done. This could be a PKCS#11 Hardware Security Module like we use at
Rackspace, or it could be a KMIP HSM, or DogTag, or Hashicorp Vault.
In a similar way in which Keystone can use a deployers existing identity
system, Barbican should be able to use an existing key management
system. So I agree that integrations with other key managers belong in
Barbican as a SecretStore plugin.
> Separate from that, is Castellan. Which is a plugable abstraction library at the client side. So a Vault plugin could be create for it instead.
>
I think Castellan is attractive to projects looking for secure
storage/retrieval of secrets because it superficially avoids a hard
dependency on Barbican. The problem with using Castellan is that
because it's a common-lowest-denominator secret storage it cannot
provide the features that Barbican provides.
One of the features that Barbican provides that Castellan cannot is that
of multi-tenancy. So projects that choose to use Castellan are limited
to a single account on the key manager backend that is chosen at
deployment time. This results in all secrets being "owned" by the
service itself instead of the users they're associated with.
Another feature that Barbican provides that Castellan cannot is that of
Scalability. The PKCS#11 Plugin in Barbican can provide virtually
unlimited storage capacity while still providing the security assurances
of the HSM backend. But when you choose Castellan, you will be limited
by the capacity of the service used in the backend.
And while there is a Castellan->Barbican implementation, it only
provides scalability, but it loses the multi-tenancy.
> My personal preference is to have a standard rest api over having a standard python client api in a cloud. Its more the OpenStack way. I'll leave it up to other sources to get into why a rest api's better.
>
> That being said, there's still the elephant in the room I think of:
>
> How do you securely get a secret to the vm, to allow you to get secrets from the secret store? I've been working on that use case for over a year now with little traction. :/
>
> Either Castellan, Barbican, or talking directly to Vault will have that issue. How do you validate your vm with that service.
>
> The current endeavor to address the situation is located here:
> https://review.openstack.org/#/c/222293/
>
Thanks for fighting the good fight, Kevin. I'm still hopeful that we
can solve this problem.
> We really need to get all the OpenStack projects together and address this issue as a whole. Everyone's now trying or has already worked around it in some not so nice ways. Amazon has had a solution for years now. Why can't we address it?
>
> Thanks,
> Kevin
>
>
>
> ________________________________________
> From: Ian Cordasco [sigmavirus24 at gmail.com]
> Sent: Wednesday, March 23, 2016 2:45 PM
> To: Monty Taylor; OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [magnum] Streamline adoption of Magnum
>
> -----Original Message-----
> From: Monty Taylor <mordred at inaugust.com>
> Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
> Date: March 22, 2016 at 18:49:41
> To: openstack-dev at lists.openstack.org <openstack-dev at lists.openstack.org>
> Subject: Re: [openstack-dev] [magnum] Streamline adoption of Magnum
>
>> On 03/22/2016 06:27 PM, Kevin Carter wrote:
>>> /me wearing my deployer hat now: Many of my customers and product folks
>>> want Magnum but they also want magnum to be as secure and stable as
>>> possible. If Barbican is the best long term solution for the project it
>>> would make sense to me that Magnum remain on course with Barbican as the
>>> defacto way of deploying in production. IMHO building alternative means
>>> for certificate management is a distraction and will only confuse folks
>>> looking to deploy Magnum into production.
>>
>> I'm going to agree. This reminds me of people who didn't want to run
>> keystone back in the day. Those people were a distraction, and placating
>> them hampered OpenStack's progress by probably several years.
>
> Right. Barbican is a good service that is actually necessary for a cloud (see also other similar services announced by the likes of Hashicorp). Magnum relying on it to securely store information makes perfect sense.
>
>>>> Some ops teams are willing to
>>>> adopt a new service, but not two. They only want to add Magnum and not
>>>> Barbican.
>>>
>>> It would seem to me that once the Barbican dependency is well
>>> documented, which it should be at this point, Barbican is be easy to
>>> accept especially with the understanding of why it is needed. Many of
>>> the deployment projects are creating the automation needed to make the
>>> adoption of services simpler and I'd imagine deployment automation is
>>> the largest hurdle to wide spread adoption for both Barbican and Magnum.
>>> If the OPS team you mention does not want both services it would seem
>>> they can use "local file" option; this is similar to Cinder+LVM and
>>> Glance+file_store both of which have scale operational issues in production.
>>
>> Agree.
>
> If it wasn't obvious, I also agree. That said, people will still try to use these to avoid the illusion of additional costs. They tend to ignore the cost of the repercussions of these decisions down the road.
>
>>>> We think that once those operators become familiar with
>>>> Magnum, adding Barbican will follow. In the mean time, we’d like to
>>>> offer a Barbican alternative that allows Magnum to scale beyond one
>>>> conductor, and allows for encrypted storage of TLC credentials needed
>>>> for unattended bay operations.
>>>
>>> If all of this is to simplify or provide for the developer/"someone
>>> kicking the tires" use case I'd imagine the "local file" storage would
>>> be sufficient. If the acceptance of Barbican is too much to handle or
>>> introduce into an active deployment (I'm not sure why that would be
>>> especially if they're adding Magnum), the synchronization of locally
>>> stored certificates across multiple hosts is manageable and can be
>>> handled by a very long list of other pre-existing operational means.
>
> Right, they may be using any of the other recently announced services created and provided by other groups.
>
>>>> A blueprint [2] was recently proposed to
>>>> address this. We discussed this in our team meeting today [3], where we
>>>> used an etherpad [4] to collaborate on options that could be used as
>>>> alternatives besides the ones offered today. This thread is not intended
>>>> to answer how to make Barbican easier to adopt, but rather how to make
>>>> Magnum easier to adopt while keeping Barbican as the default
>>>> best-practice choice for certificate storage.
>>>
>>> I'd like there _NOT_ to be an "easy button" way for operators to hang
>>> themselves in production by following a set of "quick start
>>> instructions" under the guise of "easy to adopt". If Barbican is the
>>> best-practice lets keep it that way. If for some reason Barbican is hard
>>> to adopt lets identify those difficulties and get them fixed. Going down
>>> the path of NIH or alternative less secure solutions because someone
>>> (not identified here or speaking for themselves) has said they don't
>>> want Barbican or deploying it is hard seems like a recipe for
>>> fragmentation and disaster.
>>
>> Agree.
>
> Perhaps, if the problem is less that two new services is problematic and the real problem is one (or some combination) of:
>
> - Magnum and Barbican's dependency is poorly (if at all) documented
> - Magnum and Barbican don't have documentation to deploy the services
> - Magnum should support a variety of services like Barbican (e.g., adding support for Vault)
>
> There are things that can be done. One thing is writing documentation. Another would be a driver for Vault or any other service the community might want. (Which is not to imply that there is a desire to rely on those, just that those are services that might be easier for our hypothetical operators to deploy.)
>
> --
> Ian Cordasco
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160323/89012ed0/attachment.pgp>
More information about the OpenStack-dev
mailing list