On 3/15/17, 6:51 AM, "Julien Danjou" <[email protected]> wrote:
>On Mon, Mar 13 2017, Clint Byrum wrote:
>
>> To me, Oslo is a bunch of libraries that encompass "the way OpenStack
>> does XXXX". When XXXX is key management, projects are, AFAICT,
>> universally using Castellan at the moment. So I think it fits in Oslo
>> conceptually.
>
>It would be cool if it could rather be "the way you can do XXX in
>Python" rather than being too much OpenStack centric. :)
>
>> As far as what benefit there is to renaming it, the biggest one is
>> divesting Castellan of the controversy around Barbican. There's no
>> disagreement that explicitly handling key management is necessary. There
>> is, however, still hesitance to fully adopt Barbican in that role. In
>> fact I heard about some alternatives to Barbican, namely "Vault"[1] and
>> "Tang"[2], that may be useful for subsets of the community, or could
>> even grow into de facto standards for key management.
>>
>> So, given that there may be other backends, and the developers would
>> like to embrace that, I see value in renaming. It would help, I think,
>> Castellan's developers to be able to focus on key management and not
>> have to explain to every potential user "no we're not Barbican's cousin,
>> we're just an abstraction..".
>
>I don't think the Castellan name is a problem in itself, because at
>least to me it does not sound like it's Barbican specific. I'd prefer it
>to be a Python generic library that supports an OpenStack project as one
>of its drivers. So I'd hate to have it named oslo.foobar.
>
>As far as moving it under the Oslo library, I understand that the point
>would be to make a point stating that this library is not a
>Barbican-specific solution etc. I think it addresses the problem in the
>wrong… but pragmatic way.
>
>What I think would be more interesting is to rename the _Barbican team_
>to the "People-who-work-on-keychain-stuff team". That team would build 2
>things, which are Barbican and Castellan (and maybe more later). That'd
>make more sense than trying to fit everything in Oslo, and would also
>help other projects to do the same thing in the future, and, maybe, one
>day, alleviate the whole problem.
>
>Other than that, sure, we can move it to Oslo I guess. :)

The Barbican community has always been the "People-who-work-on-key-management-stuff" team. We launched Castellan in 2015 with the explicit purpose of being a generic abstraction for key managers.[1] At that time, we envisioned developing a KMIP plugin to connect directly to an HSM. Currently, the interest level is higher around a plugin for software-based secure storage, such as Vault. However, patches for additional plugins have not been forthcoming.

Castellan was designed from the ground up to be a generic abstraction, and I, and the rest of the Barbican community, hope to see more driver development for it. If a change of name or governance helps, we're all for it. But, I hope everyone knows there is no pushback from the "People-who-work-on-key-management-stuff". We welcome all contributions.

In addition, we want the Castellan library to be the go-to library for any project that wants to add key management. It is already used by Nova, Cinder, Glance, Neutron, Octavia, and Magnum. If a change in name or governance helps other projects adopt Castellan, again, we're all for it. In the meantime, we encourage and stand ready to help all adopters.

dave-mccowan
PTL, "People-who-work-on-key-management-stuff"

[1] https://wiki.openstack.org/wiki/Castellan
