On 04/12/2016 03:43 PM, Hongbin Lu wrote:
> Hi all,
> In short, some Magnum team members proposed to store TLS certificates
> in Keystone credential store. As Magnum PTL, I want to get agreements
> (or non-disagreement) from OpenStack community in general, Keystone
> community in particular, before approving the direction.
> In details, Magnum leverages TLS to secure the API endpoint of
> kubernetes/docker swarm. The usage of TLS requires a secure store for
> storing TLS certificates.
No it does not.
Nothing required "secure storing of certificates."
What is required is "secure storing of private keys." Period. Nothing
else needs to be securely stored.
Next step is the "signing" of X509 certificates, and this requires a
CA. Barbican is the OpenStack abstraction for a CA, but still requires
a "real" implementation to back to. Dogtag is available for this role.
Now, what Keystone can and should do is provide a way to map an X509
Certificate to a user. This is actually much better done using the
Federation approach than the Credentials store.
Credentials kinda suck. They should die in a fire. They can't, but
they should. Different rant though.
So, to nail it down specifically: Keystone's sole role here is to map
the Subject from an X509 certificate to a user_id. If you try to do
anything more than that with Keystone, you are in a state of sin.
So, if what you want to do is to store an X509 Certificate in the
Keystone Credentials API, go for it, but I don't know what it would buy
you, as only the "owner" of that cert would then be able to retrieve it.
If, on the other hand, what you want to do is to decouple the
request/approval of X509 from Barbican, I would suggest you use
Certmonger. It is an Operating system level tool for exactly this
purpose. And then we should make sure that Barbican can act as a CA for
Certmonger (I know that Dogtag can already).
There is nothing Magnum specific about this. We need to solve the Cert
story for OpenStack in general. We need TLS for The Message Broker and
the Database connections as well as any HTTPS servers we have.
> Currently, we leverage Barbican for this purpose, but we constantly
> received requests to decouple Magnum from Barbican (because users
> normally don't have Barbican installed in their clouds). Some Magnum
> team members proposed to leverage Keystone credential store as a
> Barbican alternative [1]. Therefore, I want to confirm what is the
> Keystone team's position on this proposal (I remember someone from
> Keystone mentioned this is an inappropriate use of Keystone. May I
> ask for further clarification?). Thanks in advance.
> [1]
> https://blueprints.launchpad.net/magnum/+spec/barbican-alternative-store
> Best regards,
> Hongbin
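The reply's point that Keystone's only job here is to map an X.509 Subject to a user_id, shown as an added example that is not code from the thread or from Keystone. It is a deliberately small mapping engine written in the shape of a Keystone federation mapping rule, fed the attributes a TLS-terminating front end exports after it has verified the client certificate chain; the attribute names (mod_ssl-style `SSL_CLIENT_*`), the CA name and the user directory are constructed assumptions.

```python
import json

# Rule in the shape of a Keystone federation mapping (simplified engine written
# for this example, not Keystone's own). "{0}" refers to the first remote value.
MAPPING_RULES = json.loads("""
[
  {
    "local": [{"user": {"name": "{0}"}}],
    "remote": [
      {"type": "SSL_CLIENT_S_DN_CN"},
      {"type": "SSL_CLIENT_I_DN_CN", "any_one_of": ["Example Internal CA"]},
      {"type": "SSL_CLIENT_VERIFY", "any_one_of": ["SUCCESS"]}
    ]
  }
]
""")

# Constructed directory: the only state Keystone needs is subject -> user_id.
# No private key or certificate is stored here; the cert is public anyway.
USER_DIRECTORY = {"hongbin": "u-1001", "adam": "u-1002"}

# Constructed attribute sets, as a TLS terminator (e.g. mod_ssl) would export them.
# The chain check already happened there; the mapping only consumes its verdict.
GOOD_ATTRS = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "hongbin",
              "SSL_CLIENT_I_DN_CN": "Example Internal CA"}
ROGUE_CA_ATTRS = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "hongbin",
                  "SSL_CLIENT_I_DN_CN": "Untrusted CA"}
UNKNOWN_SUBJECT_ATTRS = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "mallory",
                         "SSL_CLIENT_I_DN_CN": "Example Internal CA"}


def evaluate_remote(rule, attrs):
    """Return the captured remote values if every condition holds, else None."""
    captured = []
    for cond in rule["remote"]:
        value = attrs.get(cond["type"])
        if value is None:
            return None                      # required attribute missing
        allowed = cond.get("any_one_of")
        if allowed is not None and value not in allowed:
            return None                      # wrong issuer / failed verification
        captured.append(value)
    return captured


def map_cert_to_user(attrs, rules=MAPPING_RULES, directory=USER_DIRECTORY):
    """Map client-certificate attributes to a user_id; None means 'no user'."""
    for rule in rules:
        captured = evaluate_remote(rule, attrs)
        if captured is None:
            continue
        name = rule["local"][0]["user"]["name"].format(*captured)
        return directory.get(name)           # no auto-provisioning of unknown subjects
    return None
```

Only the subject-to-user lookup lives in Keystone; issuance, signing and private-key custody stay with the CA and the node holding the key, as the reply argues.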
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev