On 07/02/2013 10:56 AM, Simo Sorce wrote:
<snip>
> If 'access credentials' remain buried (as in they can never be
> retrieved) in Keystone (or whatever IdM service it bridges to) then it
> is probably the right place, as it performs authentication anyway and
> needs direct access to these credentials internally in some cases.
> But Keystone is not the right place to function as a storage and retrieval
> system for private keys; that's barbican's turf.
No disagreement at all from me on this one! :)
> So for the nova keypairs I think Keystone is the natural place, as that
> information doesn't need strong protection, it's just public keys.
> For private keys Keystone wouldn't do, and a URL redirection scheme as
> proposed by Jarret makes a lot of sense in this case.
++
-jay
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev