On 12/04/2016 18:37, "Jeremy Stanley" wrote:
>On 2016-04-01 15:50:57 + (+), Hayes, Graham wrote:
>> If a team has already done a TA (e.g. as part of an internal
>> product TA) (and produced all the documentation) would this meet
>> the requirements?
>>
>> I ask, as
Thanks Matt, Michael,
To start with, let’s look quickly at the more recent OSSNs that are marked as
work in progress, namely 63, 64, 65 and 66 – these should all be published within
a week or so.
Looking further back we have the more difficult OSSNs 50 and 51, I’m not 100%
sure what the blockers
Hi Guys,
OSSN-0064 is in review and requires some Keystone love.
https://review.openstack.org/#/c/300091/
In relation to:
https://bugs.launchpad.net/ossn/+bug/1545789
Cheers
-Rob
__
OpenStack Development Mailing List (not
Hi all,
As per yesterday’s meeting[1], it seems more sensible to create a standing
agenda rather than using a new ether pad for each meeting.
The standing agenda is available here:
https://etherpad.openstack.org/p/security-agenda
Please bookmark this and add topics you’d like to discuss
Hi All,
We’ve had lots of discussion about BYOK and most of it has led to “let’s
discuss it at the summit”.
I’ve got some time for this in the security schedule, I’m checking – is there
some other place where this is already tabled to be discussed?
-Rob
Thanks Steve, Mike,
We’ve had a lot more traction with this latest incarnation of TA. I’m
very much looking forward to working through the process with the
wider community.
-Rob
On 31/03/2016 20:44, "Steven Dake (stdake)" wrote:
>Including tc and kolla
>
>Michael,
>
Hi Guys,
Please take a few minutes to add ideas to
https://etherpad.openstack.org/p/security-newton-summit-brainstorm
These don’t have to be things you want to lead, just things you think would be
valuable
-Rob
At the risk of muddying the waters further, I recently chatted with some of you
about Anchor, it's an ephemeral PKI system setup to provide private community
PKI - certificate services for internal systems, a lot like k8 pods.
An overview of why revocation doesn't work very well in many cases
I thought that a big part of the use case with Magnum + Barbican was
Certificate management for Bays?
-Rob
From: "Dave McCowan (dmccowan)"
Reply-To: OpenStack List
Date: Saturday, 19 March 2016 14:56
To: OpenStack List
Subject: Re: [openstack-dev] [magnum] High Availability
The most basic
I'm announcing my candidacy for PTL of the Security project during the
Newton release cycle.
As one of the founders of the Security project I believe I have a strong
base from which to continue developing and enhancing security within
OpenStack.
The security project has taken great strides
https://etherpad.openstack.org/p/security-20160225-agenda
Cheers
-Rob
+1 For security too, this exactly mirrors our experience.
From: Duncan Thomas [mailto:duncan.tho...@gmail.com]
Sent: 24 February 2016 12:55
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [all] A proposal to separate the design summit
On 22
+1
Doing this, and doing this well, provides critical functionality to OpenStack
while keeping said functionality reasonably decoupled from the COE API vagaries
that would inevitably encumber a solution that sought to provide ‘one api to
control them all’.
-Rob
From: Mike Metral
Reply-To:
I’m pretty new to openstack-ansible-security but based on my use cases which
are as much about using this for verification as they are for building secure
boxes my preference would be 3) Use an Ansible callback plugin to catch these
and print them at the end of the playbook run
-Rob
On
Hi all,
As the vast majority of the Security Project members are US based we are
cancelling the IRC meeting tomorrow.
I’ll send out an ether pad agenda early next week and we can catch up then!
Kind Regards
-Rob
> -Original Message-
> From: Adam Young [mailto:ayo...@redhat.com]
> Sent: 02 November 2015 20:54
> To: openstack-dev@lists.openstack.org
> Subject: Re: [openstack-dev] [openstack-ansible][security] Creating a CA for
> openstack-ansible deployments?
>
> On 10/26/2015 02:38 PM, Major
On 29/10/2015 21:43, "Major Hayden" wrote:
>On 10/29/2015 04:33 AM, McPeak, Travis wrote:
>> The only potential security drawback is that we are introducing a new
>> asset to protect. If we create the tools that enable a deployer to
>> easily create and administer a
We have two fishbowls sessions on Thursday with lunch in the middle. I know
there are security talks going on around the same times, this was unavoidable.
Perhaps we could all meet up for lunch on Thursday, maybe by the prince hotel
pool? (Off the marketplace)
Looking forward to meeting up
I had looped some people into a previous version of the thread but they've not
replied yet.
I think we ran into this problem before and got a firm "maybe, depending on
what it is" from the powers-that-be.
Perhaps we should look at a rough-draft alternative logo while we await a
verdict?
>
r the update. We will probably not use any Openstack Logo.
>
> Here is the first draft of the flyer:
>
> http://5a6aa6580e900b8e8020-e5e45c5cb10329ebc9fb69948bb1b1a5.r65.cf1.rackcdn.com/ossp-flag-flyer.pdf
>
>
> Please send us your feedback.
>
>
> Yours,
> Michae
> -Original Message-
> From: Adam Young [mailto:ayo...@redhat.com]
> Sent: 12 October 2015 02:24
> To: openstack-dev@lists.openstack.org
> Subject: Re: [openstack-dev] [Security] Introducing Killick PKI
>
> On 10/11/2015 06:50 PM, Robert Collins wrote:
> > On 9 October 2015 at 06:47, Adam
It might be worth re-posting this with a [Security] tag.
I know a number of us from the Security project have been quietly keeping tabs
on this, it seems like great work. We didn't want to wade in because clearly
things were already moving with some good momentum and there's no need for us
to
Hi All,
So I did a bit of tyre kicking with Letsencrypt today, one of the things I
thought was interesting was the adherence to the burgeoning Automatic
Certificate Management Environment (ACME) standard.
https://letsencrypt.github.io/acme-spec/
It’s one of the more readable crypto related
Hi All,
I won't be available to run the weekly meeting tomorrow as I'm out travelling,
Michael McCune (elmiko) has volunteered to lead the meeting.
There's IRC information on our wiki page :
https://wiki.openstack.org/wiki/Security
Agenda items (Please reply to add any more):
*PTL
Is it possible to have separate floating-IP pools and grant a tenant access to
only some of them?
Thought popped into my head while looking at the rbac-network spec here:
https://review.openstack.org/#/c/132661/4/specs/liberty/rbac-networks.rst
Creating individual pools, allowing only some
Likewise, I'm not sure I missed the candidacy window, I think our late
mid-cycle threw things out of whack slightly.
When I saw the Magnum nomination I made a mental note to apply today. This is a
poor-show on my part and I apologise to the TC, the community and the Security
team for this
Security Folks,
Somehow I missed the window to nominate myself as a PTL candidate for
Security. I have literally no idea how I missed it. I’ve been working on
Security project things all week (Anchor and OSSNs mainly) so it’s not like I
wasn’t thinking about the Security team!
Anyway, I missed
Very interesting discussion.
The Security project has a published security guide that I believe this
would be very appropriate content for, the current guide (for reference)
is here: http://docs.openstack.org/sec/
Contributions welcome, just like any other part of the OpenStack docs :)
-Rob
On
Security folks,
Tomorrow’s mid-cycle is cancelled due to many of us attending the Mid-cycle.
-Rob
he summit yet? I think we should all get
>together and talk about it.
>
>Thanks,
>Kevin
>________
>From: Clark, Robert Graham [robert.cl...@hp.com]
>Sent: Tuesday, September 01, 2015 1:35 PM
>To: OpenStack Development Mailing List (not for usage
ficate lifecycle) please see
my comments below :)
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA512
>
>Added a few comments inline.
>
>- - Douglas Mendizábal
>
>On 9/1/15 12:03 PM, John Dennis wrote:
>> On 09/01/2015 10:57 AM, Clark, Robert Graham wrote:
>>>
.@redhat.com]
>Sent: Tuesday, September 01, 2015 10:03 AM
>To: OpenStack Development Mailing List (not for usage questions)
>Subject: Re: [openstack-dev] [magnum] Difference between certs stored in
>keystone and certs stored in barbican
>
>On 09/01/2015 10:57 AM, Clark, Robert Graha
>The reason that is compelling is that you can have Barbican generate,
>sign, and store a keypair without transmitting the private key over the
>network to the client that originates the signing request. It can be
>directly stored, and made available only to the clients that need access
>to it.
Hi Elena,
This is interesting work, thanks for posting it (and for posting it here on
openstack-dev, we are trying to wind down the security ML) though maybe use the
[Security] tag in the subject line next time.
I think this is a very interesting project, though it’s unclear to me who might
-Original Message-
From: Thierry Carrez [mailto:thie...@openstack.org]
Sent: 06 July 2015 09:12
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [Security] Midcycle Announcement
Clark, Robert Graham wrote:
The Security Project will be holding its mid-cycle
Hi All,
The Security Project will be holding its mid-cycle meet-up in Seattle 1st to
4th.
Topics for the mid-cycle include:
*A sprint on v2 of the Security Guide
*Bootstrapping OpenStack Crypto Tracking and Verification Work
*Security Face - building the appropriate
With various +1's and no objections I'm pleased to announce that Michael and
Travis are now added to the ossg-coresec team.
This team assists the VMT with vulnerability metrics, triage and of course
OpenStack Security Notes.
Congratulations both!
-Rob
Hi Yang,
This is an interesting idea. Most operators running production OpenStack
deployments will be using OS-level Mandatory Access Controls already (likely
AppArmor or SELinux).
I can see where there might be some application on a per-service basis,
introducing more security for Swift,
I think this is an interesting if somewhat difficult to follow thread.
It’s worth keeping in mind that there are more ways to handle certificates in
OpenStack than just Barbican, though there are often good reasons to use it.
Is there a blueprint or scheduled IRC meeting to discuss the options?
I'd like to nominate Travis for a CoreSec position as part of the Security
project. - CoreSec team members support the VMT with extended consultation on
externally reported vulnerabilities.
Travis has been an active member of the Security project for a couple of years
he's a part of the bandit
All,
OSSG CoreSec is a private group on Launchpad, it consists of established
Security Project team members who are on hand to be called in by the VMT to
consult on vulnerabilities and discuss possible mitigations.
We require two new members, as with other project ‘cores’ I suggest a
Interesting work,
I guess my initial thought would be - does it need to be faster?
Will this work make maintenance and the addition of features more
difficult?
-Rob
On 08/06/2015 08:26, Ian Cordasco ian.corda...@rackspace.com wrote:
Hey everyone,
I drew up a blueprint
+1 from me
On 22 May 2015, at 13:55, Nathan Kinder nkin...@redhat.com wrote:
On 05/19/2015 05:20 PM, Dillon, Nathaniel wrote:
To the Security and Docs groups as well as other interested parties,
I would like to nominate Mike McCune to the Security Guide core. He has been
contributing
All,
Is there a session to discuss the image security proposal?
https://review.openstack.org/#/c/177948/2/specs/liberty/encrypted-and-authenticated-image-support.rst
Cheers
-Rob
Sounds good, I’m not sure if I’ll be able to make it, or in fact if TaaS
is the way forward, there’s a few different options in this space and
personally I like bump in the wire OVS - something to discuss :)
I’ll try to make it but I expect this will be a long running discussion.
Kind Regard
Agree
Sent from my iPhone
On 15 May 2015, at 10:17, Rob Fletcher
rfletch@gmail.com wrote:
sgtm
On Fri, May 15, 2015 at 10:04 AM, Paul McMillan
p...@mcmillan.ws wrote:
Works for me.
-Paul
On May 15, 2015 10:03 AM, Murphy, Grant
Just a quick reminder, the security project IRC meeting is cancelled this week
so we can be ready for the summit.
-Rob
Hi Michael,
Nathaniel might have some insight here, adding him directly.
Cheers
-Rob
From: Michael Krotscheck [mailto:krotsch...@gmail.com]
Sent: 05 May 2015 16:33
To: OpenStack Development Mailing List (not for usage questions)
Subject: [openstack-dev] [Security] CORS Documentation
Hi Security,
We have two fishbowl events and one boardroom, I’ve assigned them to activities:
[Fishbowl] 20 May, 1350, Vulnerability Management
[Boardroom] 21 May, 0950, Security: Work Session [Rebranding]
[Fishbowl] 21 May, 1700, Security Tooling
Please take a look at the link below and let me
Reminder to all, our meeting is today at 1700 UTC on Freenode
#openstack-meeting-alt
The agenda can be found here:
https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity#Agenda_for_next_meeting
* Roll Call
* Reminder that the agenda exists
* Update on project status
*
The OpenStack Security Group (OSSG) and the OpenStack Vulnerability Management
Team (VMT) have historically operated as independent teams, each with a focus on
different aspects of OpenStack security. To present a more coherent security
posture we are pleased to announce that the OSSG and VMT will
Technical Committee,
Please consider this request to recognize the security team as an OpenStack
project team.
This is a milestone for the OpenStack Security Group and follows from our
merging with the VMT. Over the last few years what started as a small working
group has become a team of
Security folks,
The agenda for the next security group meeting is up on
https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity#OpenStack_Security_Group_Meetings
As a reminder, this is 1700 UTC on irc.freenode.net #openstack-meeting-alt
Cheers
-Rob
This is a big loss to the community, it’s been a real pleasure working with you
over the last three years and I wish you all the best in the future!
-Rob
From: Bryan D. Payne [mailto:bdpa...@acm.org]
Sent: 16 March 2015 21:53
To: OpenStack Development Mailing List
Subject:
On 05/03/2015 21:37, Nathan Kinder nkin...@redhat.com wrote:
On 03/05/2015 01:14 PM, Bryan D. Payne wrote:
To security-doc core and other interested parties,
Nathaniel Dillon has been working consistently on the security guide
since our first mid-cycle meet up last summer. In that time he
On 11/12/2014 13:16, Thierry Carrez thie...@openstack.org wrote:
George Shuklin wrote:
On 12/10/2014 10:34 PM, Jay Pipes wrote:
On 12/10/2014 02:43 PM, George Shuklin wrote:
I have some small discussion in launchpad: is lack of a quota for
unprivileged user counted as security bug (or at
for the last mid-cycle to be
helpful, so it might be worthwhile doing again.
-Doug M.
Douglas Mendizábal
IRC: redrobot
PGP Key: 245C 7B6F 70E9 D8F3 F5D5 0CC9 AD14 1F30 2D58 923C
On 11/7/14, 8:02 PM, Clark, Robert Graham
robert.cl...@hp.com
Hi All,
How many people would want to attend both the OSSG mid-cycle and the Barbican
one? Both expected to be on the west coast of the US.
We are trying to work out how/if we should organise these events to take place
at adjacent times and if they should be in the same location, back to back
As above, couldn’t see any conventions.
Thanks
-Rob
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
We’ve been looking into CA’s that give you an instant response on a certificate
signing request (based on various conditions) - I’m not sure that we can easily
make this work with the state structures described?
Our basic flow is
Client —[https|somecreds|some https://somecreds|somecsr]-- CA
: [openstack-dev] [Barbican] Barebones CA
On 06/25/2014 02:42 PM, Clark, Robert Graham wrote:
Ok, I’ll hack together a dev plugin over the next week or so, other work
notwithstanding. Where possible I’ll probably borrow from the dog tag
plugin as I’ve not looked closely at the plugin
On 26/06/2014 03:43, Nathan Kinder nkin...@redhat.com wrote:
On 06/25/2014 02:42 PM, Clark, Robert Graham wrote:
Ok, I’ll hack together a dev plugin over the next week or so, other work
notwithstanding. Where possible I’ll probably borrow from the dog tag
plugin as I’ve not looked closely
It’s kinda ugly, if a user through API/Horizon thinks they’ve isolated a
host, it should be isolated…
I smell an OSSN here...
On 26/06/2014 17:57, Miguel Angel Ajo Pelayo mangel...@redhat.com
wrote:
Yes, once a connection has passed the nat tables,
and it's on the kernel connection tracker, it
of
doing something like that. That's still a bit hard to deploy, so it
would
make sense to extend the 'dev' plugin to include those features.
Jarret
On 6/24/14, 4:04 PM, Clark, Robert Graham robert.cl...@hp.com wrote:
Yeah pretty much.
That’s something I’d be interested to work
Hi all,
I’m sure this has been discussed somewhere and I’ve just missed it.
Is there any value in creating a basic ‘CA’ and plugin to satisfy
tests/integration in Barbican? I’m thinking something that probably performs
OpenSSL certificate operations itself, ugly but perhaps useful for some
' to enable certificate
generation orders to be evaluated and demo-ed on local boxes.
Is this what you were thinking though?
Thanks,
John
From: Clark, Robert Graham [robert.cl...@hp.com]
Sent: Tuesday, June 24, 2014 10:36 AM
To: OpenStack List
Subject
I think this is very interesting and would love to see the code for it.
The blueprint mentions performing checks beyond what Open Attestation
provides, add dynamic check to verify memory - this is probably a
stretch goal as process memory verification is extremely complex. I'm
not aware of anyone
that needs
to be in by J2 is in. That means the API changes.
I'll be there.
On 05/23/2014 03:09 AM, Clark, Robert Graham wrote:
I’d like to attend all the Barbican stuff and I’m sure there’ll
be some interesting Keystone things too.
I think it’s likely we’d do more
-Original Message-
From: Jamie Lennox [mailto:jamielen...@redhat.com]
Sent: 13 June 2014 03:25
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] Message level security plans. [barbican]
On Thu, 2014-06-12 at 23:22 +, Tiwari, Arvind
All,
TL:DR; Let's work together and openly on security review and threat
analysis for OpenStack
I've discussed this for a while within the security group but now I'm
sharing more widely here on -dev.
There are currently scores of security reviews taking place on OpenStack
architecture, projects
Users have to be able to delete their secrets from Barbican, it's a
fundamental key-management requirement.
-Original Message-
From: Eichberger, German
Sent: 11 June 2014 17:43
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev]
It looks like this has come full circle and we are back at the simplest case.
# Containers are immutable
# Changing a cert means creating a new container and, when ready, pointing
LBaaS at the new container
This makes a lot of sense to me, it removes a lot of handholding and keeps
Barbican and
Thanks guys, you’ve answered everything I needed to know!
I’ll look to see what help I can provide to the KMIP efforts.
-Rob
On 04/06/2014 15:18, Becker, Bill bill.bec...@safenet-inc.com wrote:
Regarding:
Also, is the “OpenStack KMIP Client” ever going to be a thing?
All,
I’m researching a bunch of HSM applications and I’m struggling to find much
info. I was wondering about the progress of KMIP support in Barbican? Is this
waiting on an open python KMIP support?
Also, is the “OpenStack KMIP Client” ever going to be a thing?
directly from Barbican?
2014-05-01 9:42 GMT-07:00 Clark, Robert Graham
robert.cl...@hp.com:
Excuse me interrupting but couldn't you treat the key as largely
ephemeral, pull it down from Barbican, start the OpenVPN process
and
then purge the key? It would of course still be resident
Several OSSG members have expressed an interest in reviewing this
functionality too.
-Rob
On 28/05/2014 11:35, Samuel Bercovici samu...@radware.com wrote:
This is very good news.
Please point to the code review in gerrit.
-Sam.
-Original Message-
From: Eichberger, German
I’d like to attend all the Barbican stuff and I’m sure there’ll be some
interesting Keystone things too.
I think it’s likely we’d do more parallel ‘OSSG’ stuff on the Keystone days
though
I’m free on these dates.
From: Bryan Payne bdpa...@acm.org
Date: Friday, 23 May
Yeah, I think they’re rough for a few people, certainly doesn’t make life
easier for those travelling big distances.
On 22/05/2014 21:19, Nathan Reller rellerrel...@yahoo.com wrote:
I am interested but the dates are a little rough because it is July 4th
weekend. Any chance of pushing it back a
Hi Cinder folks,
Malini from the security group has drafted an OpenStack Security Note for an
issue regarding cinder driver permissions that was previously reported to the
VMT.
Our process for publishing OSSNs requires sign off from two OSSN core and one
core of the affected project(s) - we’d
From: Abhijeet Jain [mailto:abhijeet.j...@nectechnologies.in]
Sent: 21 May 2014 12:27
To: openstack-dev@lists.openstack.org
Subject: [openstack-dev] A proposal for code reduction
Hi Openstack-developers,
I am Abhijeet Jain. One of the contributors in OpenStack.
I was just working on
Hi All,
At the summit I heard that the Barbican meeting time might be moving,
has anything been agreed?
Cheers
-Rob
Seems to be the way most people are going, I noticed Ironic announcing the
same today.
On 19/05/2014 19:46, Jarret Raim jarret.r...@rackspace.com wrote:
Barbicaneers,
Many of us are just getting back into the swing of things so we are going
to go ahead and cancel the meeting today. The main
Is localhost listed in your /etc/hosts ?
Maybe try with HTTP_PROXY=http://127.0.0.1:13392 - just in case.
On 16/05/2014 11:41, Adrian Smith adr...@17od.com wrote:
To access my controller I need to go through an intermediary box.
I've created a local SOCKS proxy by ssh'ing to this intermediary
The certificate management that LBaaS requires might be slightly
different to the normal flow of things in OpenStack services, after all
you are talking about externally provided certificates and private keys.
There's already a standard for a nice way to bundle those two elements
together,
a
Neutron requirement (LBaaS, VPNaaS, FWaaS) and maybe as a transition
project to an OpenStack wide solution (1 or 2).
Option 1 or 2 might be the ultimate goal.
Regards,
-Sam.
From: Clark, Robert Graham [mailto:robert.cl...@hp.com]
Sent: Thursday, May 08, 2014
-Original Message-
From: John Dennis [mailto:jden...@redhat.com]
Sent: 02 May 2014 14:23
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] Security audit of OpenStack projects
On 04/07/2014 12:06 PM, Nathan Kinder wrote:
Hi,
We
Excuse me interrupting but couldn't you treat the key as largely
ephemeral, pull it down from Barbican, start the OpenVPN process and
then purge the key? It would of course still be resident in the memory
of the OpenVPN process but should otherwise be protected against
filesystem disk-residency
This is why any production API servers should all be running TLS/SSL – to
protect the confidentiality of messages in flight.
There have been efforts to remove sensitive information from logs, I’m a little
surprised that passwords are logged in Neutron.
From: Hao Wang
.
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: 29 April 2014 15:39
To: Hao Wang; Clark, Robert Graham
Cc: openstack-secur...@lists.openstack.org; openstack; Aaron Knister
Subject: Re: [Openstack-security] [Openstack] API Security
Hao Wang wrote:
Thanks
Crittenden’s
comments – check out Nathan Kinder’s blog entry on the topic
https://blog-nkinder.rhcloud.com/?p=7
From: Hao Wang [mailto:hao.1.w...@gmail.com]
Sent: 29 April 2014 16:04
To: Rob Crittenden
Cc: Clark, Robert Graham; openstack-secur...@lists.openstack.org; openstack;
Aaron Knister
Has there been much discussion on how to ensure that keys are
recoverable in the event that Barbican has some sort of horrific
failure?
I suppose a HA frontend, Redundant Keystore Databases and HA paired HSMs
would be the most obvious non-code-writing path but this feels pretty
clunky, I was
-Original Message-
From: Clint Byrum [mailto:cl...@fewbar.com]
Sent: 19 March 2014 18:22
To: openstack
Subject: Re: [Openstack] [Barbican] Key Recovery / Availability
Excerpts from Clark, Robert Graham's message of 2014-03-19 07:41:35 -
0700:
Has there been much discussion on
As the services I described were the first things that came into my mind with
regards to high availability in Barbican I assumed that there was probably a
better strategy.
If the strategy is as you've described then that's great - even I can
understand that!
-Rob
Our plan for deployment
Very often you’ll deploy them on the same server, so no plaintext goes over the
wire.
-Rob
From: Miller, Mark M (EB SW Cloud - RD - Corvallis)
Sent: 05 March 2014 20:31
To: Douglas Mendizabal; Tiwari, Arvind; Ferreira, Rafael; Remo Mattei; Wyllys
Ingersoll; openstack@lists.openstack.org
On Wed Feb 5 08:34:34 2014, Rob Crittenden wrote:
Emanuel Marzini wrote:
Hi,
I have software that uses Openstack. When it does an action for the
first time, it needs to get a token from Openstack. How is it possible
to make a POST request like:
'{auth:{passwordCredentials:{username: joeuser,
On Thu Jan 23 07:41:09 2014, Joe Topjian wrote:
A group I'm working with recently finished some basic cloudfuse
testing and in the end, we weren't 100% comfortable with using it in
production. The core reason for this is cloudfuse writing files to
/tmp before they get moved to Swift. We played
On 17/01/2014 08:19, Robert Collins wrote:
On 16 January 2014 03:31, Alan Kavanagh alan.kavan...@ericsson.com wrote:
Hi fellow OpenStackers
Does anyone have any recommendations on open source tools for disk
erasure/data destruction software. I have so far looked at DBAN and disk
scrubber
From: Bryan D. Payne [mailto:bdpa...@acm.org]
Sent: 12 December 2013 16:12
To: OpenStack Development Mailing List (not for usage questions)
Cc: openstack...@lists.openstack.org; cloudkeep@googlegroups. com;
barbi...@lists.rackspace.com
Subject: Re: [openstack-dev] Incubation Request for Barbican
Restarting memcached loses revoked token list
-
### Summary ###
When a cloud is deployed using Memcache as a backend for Keystone tokens
there is a security concern that restarting Memcached will lose the list
of revoked tokens, potentially allowing bad tokens / users to access the
system
HTTP Strict Transport Security not enabled on Horizon Dashboard
### Summary ###
Cloud operators using Horizon for production or internet facing
operations should strongly consider configuring HSTS for their
deployment
### Affected Services / Software ###
Horizon, SSL, TLS, Apache, Nginx
1 - 100 of 105 matches