[openstack-dev] [oslo][kolla][openstack-helm][tripleo][all] Storing configuration options in etcd(?)

Emilien Macchi emilien at redhat.com
Tue Mar 14 23:09:35 UTC 2017


On Tue, Mar 14, 2017 at 6:17 PM, Clint Byrum <clint at fewbar.com> wrote:
> Excerpts from Davanum Srinivas's message of 2017-03-14 13:04:37 -0400:
>> Team,
>>
>> So one more thing popped up again on IRC:
>> https://etherpad.openstack.org/p/oslo.config_etcd_backend
>>
>> What do you think? Interested in this work?
>>
>> Thanks,
>> Dims
>>
>> PS: Between this thread and the other one about Tooz/DLM and
>> os-lively, we can probably make a good case to add etcd as a base
>> always-on service.
>>
>
> This is a cool idea, and I think we should do it.
>
> A few loose ends I'd like to see in a spec:
>
> * Security Security Security. (Hoping if I say it 3 times a real
>   security person will appear and ask the hard questions).

I don't consider myself a Security expert, but from my little knowledge:

- etcd v2 API allows authentication:
https://coreos.com/etcd/docs/latest/v2/authentication.html
- etcd supports SSL/TLS as well as authentication through client
certificates, both for clients to server as well as peer (server to
server / cluster) communication

Which sounds pretty secure at this stage, compared to what we have
now: config files with passwords and secrets everywhere.

> * Explain clearly how operators would inspect, edit, and diff their
>   configs.

That's a good question and we clearly need a tool to query etcd and
grab all parameters + values from a project in particular.
One other aspect that we could see is, thanks to
https://review.openstack.org/#/c/440835/ - we would have a single
interface that exposes all parameters in a human-readable format
and lets operators manage these parameters (through a UI or just by
reading in the file).

-- 
Emilien Macchi
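
Added example, not part of the original message and not code from oslo.config or any OpenStack project: a sketch of the kind of inspect/diff tool discussed above, comparing two snapshots of one project's options while masking credential-like values. The key layout `/config/<project>/<group>/<option>`, the list of secret-looking option names, and both snapshots are assumptions constructed for illustration; a real tool would read the snapshots from etcd over TLS with a client certificate.

```python
import re

# Assumed (hypothetical) key layout: /config/<project>/<group>/<option>
# Option names treated as credentials; this list is an assumption.
SECRET_RE = re.compile(r"(password|secret|token|key|connection)$", re.I)

# Constructed sample snapshots, as a recursive read of the prefix might return.
BEFORE = {
    "/config/nova/DEFAULT/debug": "false",
    "/config/nova/database/connection": "mysql+pymysql://nova:old@db/nova",
    "/config/nova/keystone_authtoken/password": "old-pass",
    "/config/glance/DEFAULT/debug": "false",
}
AFTER = {
    "/config/nova/DEFAULT/debug": "true",
    "/config/nova/DEFAULT/workers": "4",
    "/config/nova/database/connection": "mysql+pymysql://nova:new@db/nova",
    "/config/nova/keystone_authtoken/password": "old-pass",
    "/config/glance/DEFAULT/debug": "true",
}

def is_secret(option):
    """True if the last path component looks like a credential option."""
    return bool(SECRET_RE.search(option.rsplit("/", 1)[-1]))

def project_options(snapshot, project):
    """Return {group/option: value} for one project only."""
    prefix = f"/config/{project}/"
    return {k[len(prefix):]: v for k, v in snapshot.items()
            if k.startswith(prefix)}

def diff_project(old, new, project):
    """List added (+), removed (-) and changed (~) options, never
    printing the value of a credential-like option."""
    a, b = project_options(old, project), project_options(new, project)
    show = lambda opt, val: "<redacted>" if is_secret(opt) else val
    lines = []
    for opt in sorted(a.keys() | b.keys()):
        if opt not in b:
            lines.append(f"- {opt} = {show(opt, a[opt])}")
        elif opt not in a:
            lines.append(f"+ {opt} = {show(opt, b[opt])}")
        elif a[opt] != b[opt]:
            if is_secret(opt):
                lines.append(f"~ {opt}: <redacted> (changed)")
            else:
                lines.append(f"~ {opt}: {a[opt]} -> {b[opt]}")
    return lines

if __name__ == "__main__":
    print("\n".join(diff_project(BEFORE, AFTER, "nova")))
```

Redacting at display time keeps secrets out of terminals, tickets and review tools, but whoever can read the prefix can still read the raw values, so etcd authentication and per-prefix permissions remain the actual control.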


