Re: [openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Why would we not want to include a fixed-key backend in Castellan? As long as we make it clear that the fixed-key implementation is insecure and should not be used in production systems I see no harm in including it as part of the Castellan package. In fact, I think it would ease the ramp up time for potential Castellan adopters. If we included a fixed-key impl, then someone could just pip install castellan and start kicking tires in the repl. Otherwise someone who is merely evaluating Castellan would have to go down the path of standing up a Barbican instance. - - Douglas Mendizábal On 1/5/16 3:58 PM, Farr, Kaitlin M. wrote: >>> Aiming toward tests that mirror real-world deployment is >>> certainly a good thing, but I don't think we should remove >>> ConfKeyManager. >>> >>> We will want to maintain the ability to test these Cinder/Nova >>> code paths in development environments or in some automated >>> environments without requiring additional services to be >>> configured. >>> >>> We can address this by having ConfKeyManager emit warning >>> messages indicating that it isn't for production environments. >> >> Right, effectively the fixed key manager was a Testing Fixture >> for us. That's really important because it reduces the number of >> moving parts when testing this stuff as a full stack. >> >> -Sean > > Ok, I am looking into a way to keep a fixed-key back end, but it > will not live in Castellan. > > Even if we keep the fixed-key back end, what about adding a gate > that tests the encryption features using Barbican? Would the > community be supportive if I added that gate? > > Kaitlin > > __ > > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJWjE8zAAoJEB7Z2EQgmLX7kq4QAIrWs0SlX7ELbrA8XDH3Dfzd X3Omc32/4b7WbQhF9qu7hmZeGDLBwAg9mSpqEATz7YQJdfEu9DN3WdPnWwsx8JiJ N0FQUPxo5QcsZGnVMnLZezTPJ7cB+NNpDDb7VWU5gKwwNVgRvCJRv6XZ5lXo9SEP sg6pE7xwBmT3pwIunWh6WIBpDSzmr/87bPUgkLHb30+grv9GlnHiGvaIc9VOF7Nc wISFIryn1uqJAfHd0j268KpueM9JLs0fP3raWthJ/xqT7iUKgpp0iIeM0HsEj6D5 UHZqcBAtbhMED/8NuMfIJlXK0i8lTjp6omrBJQM81NeukCeLRZRqoJM1NuvjoaiY eRUyk3W2tMJcfoowFxWkWFBU7/cxWkXhZmbDAUrJ55KdkewBs6Uuz/lJmUGe4sCI pn8ROv7jAnTyZdVnRn5ybggTjAEl7Ug8DAu7RRxm06BWtbHgtmBhBQZTDDfRDIUl KSX1JnP0Js7+GDm/inA/FrYSvQwB+m/bbR86evP8izVGXNF6GhjgBkmtL5GABGqr sa8UbG8EtMZ+3mPpXlNoFvkptKbay0mpECW86srbXTrDS8W7Licrv6mZ4mn3NjOr HYgcPp/KoHVn1hmiFcNqH+5Y9N6Wh9Vs+hXwgsBG754WpsTc+qi/FjTSjr8RSZyA ZS2CXxni08/U5xQ/tNqE =hy9D -END PGP SIGNATURE- __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)
>> Aiming toward tests that mirror real-world deployment is certainly a >> good thing, but I don't think we should remove ConfKeyManager. >> >> We will want to maintain the ability to test these Cinder/Nova code >> paths in development environments or in some automated environments >> without requiring additional services to be configured. >> >> We can address this by having ConfKeyManager emit warning messages >> indicating that it isn't for production environments. > > Right, effectively the fixed key manager was a Testing Fixture for us. > That's really important because it reduces the number of moving parts > when testing this stuff as a full stack. > > -Sean Ok, I am looking into a way to keep a fixed-key back end, but it will not live in Castellan. Even if we keep the fixed-key back end, what about adding a gate that tests the encryption features using Barbican? Would the community be supportive if I added that gate? Kaitlin __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)
On 1/4/2016 10:03 AM, Eric Harney wrote: On 01/04/2016 10:46 AM, Farr, Kaitlin M. wrote: The fixed key manager is useful for easy testing (we're using it in the gate in places where barbican isn't available). Is there anything equivalent with Catellan? -Sean -- Sean Dague http://dague.net There is no fixed-key back end with Castellan. I agree that using a fixed key makes for very easy testing, but the tests use a configuration (ConfKeyManager) that should not be used in deployment. The tests could be made much more useful if they used a more realistic configuration (Barbican). Adding a gate that tests using DevStack with Barbican enabled would be a more valuable than the existing tests for two reasons: 1. ConfKeyManager could be removed. 2. It would test the feature configured more closely to how a deployment would actually look. As part of this change to deprecate ConfKeyManager and integrate Castellan, I would like to add this new gate. -Kaitlin Aiming toward tests that mirror real-world deployment is certainly a good thing, but I don't think we should remove ConfKeyManager. We will want to maintain the ability to test these Cinder/Nova code paths in development environments or in some automated environments without requiring additional services to be configured. We can address this by having ConfKeyManager emit warning messages indicating that it isn't for production environments. Thanks, Eric __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev Note that at least in nova, the single key manager already emits a warning when used [1]. [1] https://github.com/openstack/nova/commit/97d63d8745cd9b3b391ce96b94b4da263b3a053d#L40 -- Thanks, Matt Riedemann __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)
On 01/04/2016 11:03 AM, Eric Harney wrote: > On 01/04/2016 10:46 AM, Farr, Kaitlin M. wrote: >>> The fixed key manager is useful for easy testing (we're using it in the >>> gate in places where barbican isn't available). Is there anything >>> equivalent with Catellan? >>> >>> -Sean >>> >>> -- >>> Sean Dague >>> http://dague.net >> >> There is no fixed-key back end with Castellan. I agree that using a >> fixed key makes for very easy testing, but the tests use a >> configuration (ConfKeyManager) that should not be used in deployment. >> The tests could be made much more useful if they used a more realistic >> configuration (Barbican). >> >> Adding a gate that tests using DevStack with Barbican enabled would >> be a more valuable than the existing tests for two reasons: >> >> 1. ConfKeyManager could be removed. >> 2. It would test the feature configured more closely to how a >> deployment would actually look. >> >> As part of this change to deprecate ConfKeyManager and integrate >> Castellan, I would like to add this new gate. >> >> -Kaitlin >> > > Aiming toward tests that mirror real-world deployment is certainly a > good thing, but I don't think we should remove ConfKeyManager. > > We will want to maintain the ability to test these Cinder/Nova code > paths in development environments or in some automated environments > without requiring additional services to be configured. > > We can address this by having ConfKeyManager emit warning messages > indicating that it isn't for production environments. Right, effectively the fixed key manager was a Testing Fixture for us. That's really important because it reduces the number of moving parts when testing this stuff as a full stack. -Sean -- Sean Dague http://dague.net __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)
On 01/04/2016 10:46 AM, Farr, Kaitlin M. wrote: >> The fixed key manager is useful for easy testing (we're using it in the >> gate in places where barbican isn't available). Is there anything >> equivalent with Catellan? >> >> -Sean >> >> -- >> Sean Dague >> http://dague.net > > There is no fixed-key back end with Castellan. I agree that using a > fixed key makes for very easy testing, but the tests use a > configuration (ConfKeyManager) that should not be used in deployment. > The tests could be made much more useful if they used a more realistic > configuration (Barbican). > > Adding a gate that tests using DevStack with Barbican enabled would > be a more valuable than the existing tests for two reasons: > > 1. ConfKeyManager could be removed. > 2. It would test the feature configured more closely to how a > deployment would actually look. > > As part of this change to deprecate ConfKeyManager and integrate > Castellan, I would like to add this new gate. > > -Kaitlin > Aiming toward tests that mirror real-world deployment is certainly a good thing, but I don't think we should remove ConfKeyManager. We will want to maintain the ability to test these Cinder/Nova code paths in development environments or in some automated environments without requiring additional services to be configured. We can address this by having ConfKeyManager emit warning messages indicating that it isn't for production environments. Thanks, Eric __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)
> The fixed key manager is useful for easy testing (we're using it in the > gate in places where barbican isn't available). Is there anything > equivalent with Catellan? > > -Sean > > -- > Sean Dague > http://dague.net There is no fixed-key back end with Castellan. I agree that using a fixed key makes for very easy testing, but the tests use a configuration (ConfKeyManager) that should not be used in deployment. The tests could be made much more useful if they used a more realistic configuration (Barbican). Adding a gate that tests using DevStack with Barbican enabled would be a more valuable than the existing tests for two reasons: 1. ConfKeyManager could be removed. 2. It would test the feature configured more closely to how a deployment would actually look. As part of this change to deprecate ConfKeyManager and integrate Castellan, I would like to add this new gate. -Kaitlin __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)
On 12/30/2015 03:23 PM, Farr, Kaitlin M. wrote: > All, > > Please reply or send me an email if you are using the ConfKeyManager > (fixed-key key manager) in deployment for volume encryption or > ephemeral storage encryption. You can check this by looking at the > [keymgr] section, api_class entry of nova.conf or cinder.conf. The > ConfKeyManager was only intended for testing and I am working on > deprecating it. I would like to gauge the number of people using > that backend, because it may affect the deprecation strategy. > > This is the start of the effort to replace the duplicated key manager > code with Castellan [1], a key manager interface library that allows > the user to swap out different backends, such as Barbican. While > Castellan is based on the key managers built into Nova and Cinder, it > does not have the fixed-key backend. That backend is insecure. A single > key is used for all volumes. If the key is compromised, all of the > encrypted data is easily decrypted. See Joel Coffman's comments on the > Nova spec [2]. Deprecating the fixed-key key manager would need to > occur before Castellan is integrated. > > Again, please let me know if you use the ConfKeyManager and you > actively use the volume encryption and encrypted cinder volume features > in a deployment > > Other feedback is also welcome. > > I am also creating a separate thread with this info on the operators > mailing list. > > Thanks, > > Kaitlin Farr > > 1. Castellan source code. https://github.com/openstack/castellan > 2. Castellan integration Nova spec. https://review.openstack.org/#/c/247561/ > 3. Castellan integration Cinder spec. https://review.openstack.org/#/c/247577/ The fixed key manager is useful for easy testing (we're using it in the gate in places where barbican isn't available). Is there anything equivalent with Catellan? -Sean -- Sean Dague http://dague.net __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)
All, Please reply or send me an email if you are using the ConfKeyManager (fixed-key key manager) in deployment for volume encryption or ephemeral storage encryption. You can check this by looking at the [keymgr] section, api_class entry of nova.conf or cinder.conf. The ConfKeyManager was only intended for testing and I am working on deprecating it. I would like to gauge the number of people using that backend, because it may affect the deprecation strategy. This is the start of the effort to replace the duplicated key manager code with Castellan [1], a key manager interface library that allows the user to swap out different backends, such as Barbican. While Castellan is based on the key managers built into Nova and Cinder, it does not have the fixed-key backend. That backend is insecure. A single key is used for all volumes. If the key is compromised, all of the encrypted data is easily decrypted. See Joel Coffman's comments on the Nova spec [2]. Deprecating the fixed-key key manager would need to occur before Castellan is integrated. Again, please let me know if you use the ConfKeyManager and you actively use the volume encryption and encrypted cinder volume features in a deployment Other feedback is also welcome. I am also creating a separate thread with this info on the operators mailing list. Thanks, Kaitlin Farr 1. Castellan source code. https://github.com/openstack/castellan 2. Castellan integration Nova spec. https://review.openstack.org/#/c/247561/ 3. Castellan integration Cinder spec. https://review.openstack.org/#/c/247577/ __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev