On Thu, Sep 04, 2014 at 05:19:45PM +0000, Coffman, Joel M. wrote:
> A major concern about several encryption features within Nova [1, 2] has been 
> the lack of secure key management. To address this concern, work has been 
> underway to integrate these features with Barbican [3], which can be used to 
> manage encryption keys across OpenStack.
> We request a feature freeze exception be granted to merge this code [3], 
> which is really a shim between the existing key manager interface in Nova and 
> python-barbicanclient, into Nova [4]. The acceptance of this feature will 
> improve the security of cloud users and operators who use the Cinder volume 
> encryption feature [1], which is currently limited to a single, static 
> encryption key for volumes. Cinder has already merged a similar feature [5] 
> following the review of several patch revisions; not accepting the feature in 
> Nova creates a disparity with Cinder in regards to the management of 
> encryption keys.
> As this is an optional feature that introduces very few changes to 
> pre-existing code, the risk of disruption to existing deployments as well as 
> the risk of regression is minimal. The only objection that has very recently 
> been voiced is the implicit dependency on the Barbican service, which does 
> not yet have experimental jobs in Tempest. Other core reviewers, though, 
> believe that the existing unit tests included with the change are sufficient.
> Thank you for taking the time to consider this request.

I sponsor it as it is effectively part of the LVM encryption blueprint
which I've already sponsored. So we should consider FFE for both those
blueprints together, rather than in isolation.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

OpenStack-dev mailing list
