Ian Cordasco <sigmaviru...@gmail.com> writes:

> On Tue, Mar 21, 2017 at 6:10 PM, James E. Blair <cor...@inaugust.com> wrote:
>> We did talk about some other options, though unfortunately it doesn't
>> look like a lot of that made it into the spec reviews. Among them, it's
>> probably worth noting that there's nothing preventing a Zuul deployment
>> from relying on some third-party secret system -- if you can use it with
>> Ansible, you should be able to use it with Zuul. But we also want Zuul
>> to have these features out of the box, and, wearing our sysadmin hats,
>> we're really keen on having source control and code review for the
>> system secrets for the OpenStack project.
>>
>> Vault alone doesn't meet our requirements here because it relies on
>> symmetric encryption, which means we need users to share a key with
>> Zuul, implying an extra service with out-of-band authn/authz. However,
>> we *could* use our PKCS#1 style system to share a vault key with Zuul.
>> I don't think that has come up as a suggestion yet, but seems like it
>> would work.
>
> I suppose Barbican doesn't meet those requirements either, then, yes?

Right -- we don't want to require another service or tie Zuul to an
authn/authz system for a fundamental feature. However, I do think we
can look at making integration with Barbican and similar systems an
option for folks who have such an installation and prefer to use it.

-Jim
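
The option raised in the quoted message, sharing a symmetric vault key by wrapping it with a public key so that no key has to be exchanged out of band, as an added example that is not part of the thread and is not Zuul's code. It assumes the `openssl` CLI (1.1.1 or later) and RSA-OAEP as the PKCS#1 scheme; the file names, function names and the secret are constructed for the demo.

```shell
# Added example: envelope encryption with the openssl CLI.
# Assumptions: RSA-2048 with OAEP stands in for the "PKCS#1 style system";
# AES-256-CBC + PBKDF2 stands in for the vault cipher (a real vault format
# would also authenticate the ciphertext). All names here are hypothetical.

# Server side, once: create the key pair. Only the public half is published.
make_keypair() {   # $1 = working directory
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/zuul_private.pem" 2>/dev/null
    openssl pkey -in "$1/zuul_private.pem" -pubout -out "$1/zuul_public.pem"
}

# User side: needs only the public key, so there is no shared secret and no
# extra service doing authn/authz. Both outputs are safe to put in review.
seal_secret() {    # $1 = working directory, $2 = plaintext secret
    openssl rand -hex 32 > "$1/vault.key"            # fresh symmetric vault key
    printf '%s' "$2" | openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass "file:$1/vault.key" -out "$1/secret.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$1/zuul_public.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$1/vault.key" -out "$1/vault.key.wrapped"
    rm -f "$1/vault.key"                             # plaintext key never leaves the user
}

# Server side: unwrap the vault key with the private key, then decrypt.
open_secret() {    # $1 = working directory; prints the plaintext secret
    openssl pkeyutl -decrypt -inkey "$1/zuul_private.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$1/vault.key.wrapped" -out "$1/vault.key.unwrapped" || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass "file:$1/vault.key.unwrapped" -in "$1/secret.enc"
    rc=$?
    rm -f "$1/vault.key.unwrapped"
    return $rc
}

# Full round trip in a throwaway directory; prints the recovered secret.
demo_roundtrip() { # $1 = plaintext secret (constructed sample value)
    dir=$(mktemp -d) || return 1
    make_keypair "$dir" && seal_secret "$dir" "$1" && open_secret "$dir"
    status=$?
    rm -rf "$dir"
    return $status
}
```

Only `secret.enc` and `vault.key.wrapped` would be committed; neither is useful without the private key held by the server.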