Hi Ihar,
So that decision was indeed hastily done but I still think it was the right
one. Let me break down the reasons:
1) To use the local cert manager, the API would have to accept the raw secrets
(certificate, private key, etc). We'd have to store that some place, but it
would have been explicitly documented that the local cert manager was an
insecure option and should not be used in a production environment. So that's
not a huge deal, but still a factor. Without these fields, the local cert
manager is useless because a user can't store anything.
2) If #1 was allowed then the listener would have to accept those fields along
with a tls_container_id. That in itself can be confusing, but it could be
overcome with documentation.
3) If barbican was in use then it would be expected that the neutron-lbaas API
would accept the raw secrets, and then its up to the system to store those
secrets in barbican. Who should those secrets be owned by?
a) If we make them owned by the user then you run into the issue of
them re-using the secrets in some other system. What happens when the user
deletes the listener that the secrets were originally created for?
b) If we make them owned by the system then a user can't reuse the same
secrets, which is a big reason to use barbican.
4) Time. The options above could definitely have been done, but along with not
being clear as to which is the best option (if there is one), there wasn't much
time to actually implement them.
So given all of that, I think defaulting to barbican was the lesser of many
evils. LBaaS v2 is marked as experimental in the docs so that gives us some
leeway to make some backwards incompatible changes, though the options above
wouldn't be backwards incompatible. It's still a signal to users/operators
that its experimental.
Thanks,
Brandon
________________________________________
From: Ihar Hrachyshka <[email protected]>
Sent: Thursday, April 9, 2015 10:29 AM
To: openstack-dev
Subject: [openstack-dev] [neutron][lbaas][barbican] default certificate manager
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi lbaas folks,
I've realized recently that the default certificate manager for lbaas
advanced service is now barbican based. Does it mean that to make
default configuration working as is, users will need to deploy
barbican service? If that's really the case, the default choice seems
to be unfortunate. I think it would be better not to rely on external
service in default setup, using local certificate manager.
Is there a particular reason behind the default choice?
Thanks,
/Ihar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJVJprKAAoJEC5aWaUY1u57OEcIANdh8uBUcHKxBqjYFwQWoJRx
jLLlH6uxivP3i9nBiYFTZG8uwFhwCzL5rl9uatB7+Wsu41uOTJZeUlCM4dN+xOIz
J9KujLv1oGD/FvgpVGP/arJ6SoCeiINmezwQAziid6dmtH1iYePFCCTCJedbMmND
KampF+RXmHIwXvwVN1jK/tDfGsMHOoGKjy4jmgw48jBWFch1PBWQnRn4ooxZDbmI
VGQvSbpDwkQ3+N3ELZHx0m7l9kGmRKQl/8Vwml6pJKtcrGObkQGGGPeTPYj8Y/NO
Peht83x+HkrIupXZpkm3ybyHWSQdJw+RdKquGWKPTrcNGL1zZTl46rHWF79rhxA=
=C8+6
-----END PGP SIGNATURE-----
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
