Re: [Openstack] [barbican] Standalone Barbican Setup

2017-01-25 Thread Douglas Mendizábal
Hi Naveed, It is possible to deploy Barbican without Keystone, but you should take care to secure access to the service by other means. Typically, you would deploy Barbican and configure keystonemiddleware to validate keystone tokens provided by

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-18 Thread Douglas Mendizábal
We've also talked about fancier non-keystone-auth like x.509 certificates. - Douglas On 1/18/17 11:52 AM, Clint Byrum wrote: > Excerpts from Dave McCowan (dmccowan)'s message of 2017-01-18 > 15:58:19 +: >> >> On Mon, Jan 16, 2017 at 7:35

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-18 Thread Douglas Mendizábal
I think that a Vault backend would only be valuable to folks who are already using Vault. For deployers who don't yet have a key management solution, a Vault backend would not solve the problem of having to deploy yet another service. In fact it

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-18 Thread Douglas Mendizábal
I'm very much interested in an out-of-the-box software-only backend driver for Barbican. I think that one of the reasons people have been hesitant to deploy Barbican is that we claim that our Simple Crypto software-only driver is "not secure in any

[openstack-dev] [barbican] Deprecating Certificate Issuance

2016-09-15 Thread Douglas Mendizábal
? The Barbican team will follow the standard deprecation policy for this feature. All APIs will still ship as part of the Newton release, and we'll begin the deprecation work in the Ocata cycle. Feel free to ask any other questions you may have. Thanks, Douglas Mendizábal Barbican PTL signature.asc

Re: [openstack-dev] [barbican] Secure Setup & HSM-plugin

2016-08-16 Thread Douglas Mendizábal
bican/plugin/crypto/pkcs11.py#L131 > > [2]: > https://github.com/openstack/barbican/blob/c2a7f426455232ed04d2ccef6b35c87a2a223977/barbican/plugin/crypto/p11_crypto.py#L63 > > --- System Engineering HSM > > Utimaco IS GmbH Germanusstr. 4 52080 Aache

Re: [openstack-dev] Barbican: Secure Setup & HSM-plugin

2016-08-12 Thread Douglas Mendizábal
ut we don't yet have a blueprint for it. Let me know if you have any more questions. - Douglas Mendizábal [1] http://git.openstack.org/cgit/openstack/barbican/tree/etc/barbican/barbican.conf#n278 [2] http://git.openstack.org/cgit/openstack/barbican/tree/etc/barbican/barbican.conf#n255 [3] http://gi

Re: [openstack-dev] Barbican and Security Midcycle confirmed

2016-07-19 Thread Douglas Mendizábal
Many thanks to Fernando and IBM for setting this up! - Doug Mendizábal On 7/19/16 1:49 PM, Fernando J Diaz wrote: > Dear Barbican and Security Contributors, > > It is my pleasure to announce that the Barbican and Security > Mid-cycle meetups

Re: [openstack-dev] [Security][Barbican][all] Bring your own key fishbowl sessions

2016-04-22 Thread Douglas Mendizábal
No conflicts with your cross-project session as far as I can tell. In a nutshell BYOK-Push is a model where the customer retains full control of their cryptographic keys. The customer is expected to provide the necessary keys each and every time a

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-14 Thread Douglas Mendizábal
sider their threat models and decide how much risk they're willing to accept. So if implementing a low-security key management backend is what your early adopters want, then please do so in a manner that lets deployers with high security requirements easily use Barbican or other Hardware solutions. -

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Douglas Mendizábal
by the Magnum service tenant instead of the user's tenant when using Barbican as a backend. The upshot is that a deployer could choose the existing Barbican implementation instead, and other projects may be able to make use of the LocalDEKAndDBKeyManager. - Douglas Mendizábal [1] http

Re: [openstack-dev] [Security][Barbican] BYOK

2016-04-06 Thread Douglas Mendizábal
Hi Rob, The Barbican team is dedicating a Fishbowl session to BYOK for the summit: https://www.openstack.org/summit/austin-2016/summit-schedule/events/9155 - Doug On 4/6/16 5:12 AM, Clark, Robert Graham wrote: > Hi All, > > We’ve had lots

Re: [openstack-dev] [kite] Seeking core reviewers

2016-03-25 Thread Douglas Mendizábal
Thanks for the patches, Ronald. Adam Young is right, Kite is pretty much dead. I'll add to my list of spring cleaning to-dos to remove Kite from governance and infra. Thanks, Douglas Mendizábal (redrobot) On 3/25/16 10:08 AM, Ronald Bradford wrote: > Thanks all for feedback. > &g

Re: [openstack-dev] [magnum] Streamline adoption of Magnum

2016-03-23 Thread Douglas Mendizábal
Comments inline. - Douglas Mendizábal On 3/23/16 5:15 PM, Fox, Kevin M wrote: > So, this is where things start getting a little ugly and undefined... This is > what I've been able to gather so far, so please someone correct me if I'm > wrong. > > Barbican is the OpenStack

Re: [openstack-dev] [barbican] High Availability

2016-03-22 Thread Douglas Mendizábal
ploy an HA RabbitMQ, and N api-workers. I don't think we'll be setting up the keystone-listeners any time soon. I hope that gives you a good starting point for planning your HA-Barbican deployment. Let me know if you have any more questions. Regards, Douglas Mendizábal [1] http://www.haproxy.org

Re: [openstack-dev] [magnum] High Availability

2016-03-19 Thread Douglas Mendizábal
Barbican adoption in the future, and all our users have > Barbican installed in their clouds. If that happens, I have no problem to > have a hard dependency on Barbican. > > Best regards, > Hongbin > > -----Original Message- > From: Douglas Mendizábal [mailto:douglas.mendiza..

Re: [openstack-dev] [magnum] High Availability

2016-03-19 Thread Douglas Mendizábal
Hongbin, I think Adrian makes some excellent points regarding the adoption of Barbican. As the PTL for Barbican, it's frustrating to me to constantly hear from other projects that securing their sensitive data is a requirement but then turn around and say that deploying Barbican is a problem. I

Re: [openstack-dev] [release][all][ptl] preparing to create stable/mitaka branches for libraries

2016-03-19 Thread Douglas Mendizábal
python-barbicanclient 4.0.0 is ready to be branched. - Douglas Mendizábal On 3/9/16 11:26 AM, Doug Hellmann wrote: > It's time to start opening the stable branches for libraries. I've > prepared a list of repositories and the proposed versions from which > we will create stable/mitaka

Re: [openstack-dev] [barbican] Nominating Fernando Diaz for Barbican Core

2016-02-22 Thread Douglas Mendizábal
Thanks for the +1s everyone. Since there have been no objections, I'd like to welcome Fernando to the Barbican Core team. Thanks, - Douglas Mendizábal On 2/17/16 11:33 AM, John Wood wrote: > +1 > > On 2/16/16, 12:52 PM,

Re: [openstack-dev] [nova][glance][barbican][kite][requirements] pycrypto vs pycryptodome

2016-02-15 Thread Douglas Mendizábal
One more thing: I forgot to point out that pyca/cryptography is already part of global-requirements. [1] - Douglas Mendizábal [1] http://git.openstack.org/cgit/openstack/requirements/tree/global-requirements.txt#n25 On 2/15/16 12:24 PM

Re: [openstack-dev] [nova][glance][barbican][kite][requirements] pycrypto vs pycryptodome

2016-02-15 Thread Douglas Mendizábal
. - Douglas Mendizábal [1] https://cryptography.io/en/latest/ [2] https://github.com/paramiko/paramiko/pull/646 On 2/15/16 6:44 AM, Haïkel wrote: > 2016-02-14 23:16 GMT+01:00 Davanum Srinivas <dava...@gmail.com>: >> Hi, >> >> Short Story: pycryptodome if install

[openstack-dev] [barbican] Nominating Fernando Diaz for Barbican Core

2016-02-15 Thread Douglas Mendizábal
. [1] He’s got an excellent eye for review and I think he would make an excellent addition to the team. As a reminder to our current core reviewers, our Core Team policy is documented in the wiki. [2] So please reply to this thread with your votes. Thanks, - Douglas Mendizábal [1] http

Re: [openstack-dev] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)

2016-01-05 Thread Douglas Mendizábal
up a Barbican instance. - Douglas Mendizábal On 1/5/16 3:58 PM, Farr, Kaitlin M. wrote: >>> Aiming toward tests that mirror real-world deployment is >>> certainly a good thing, but I don't think we should remove >>> ConfKeyManager. >>> >>>

[openstack-dev] [barbican] Weekly meetings cancelled for Summit

2015-10-23 Thread Douglas Mendizábal
Hi Barbicaneers, Since a lot of us are going to be traveling to Tokyo for the Summit next week, I figured we should probably cancel the next couple of weekly meetings. The next weekly meeting will be on Nov 9 @ 2000 UTC. Thanks, Douglas

[openstack-dev] Optional Dependencies

2015-09-29 Thread Douglas Mendizábal
and the project is expected to function without them when using a driver that does not require the lib. I read through the README in openstack/requirements [1] but I didn't see anything about it. Thanks, Douglas Mendizábal [1] https://git.openstack.org/cgit/openstack/requirements/tree/README.rst

Re: [openstack-dev] [Barbican][Security] Automatic Certificate Management Environment

2015-09-28 Thread Douglas Mendizábal
probably phase out the Barbican CMS API, and just support ACME on the front end. - Douglas Mendizábal On 9/24/15 10:12 AM, Clark, Robert Graham wrote: > Hi All, > > So I did a bit of tyre kicking with Letsencrypt today, one of the > things I thought was interesting was t

Re: [openstack-dev] [neutron][lbaas] Barbican container lookup from lbaas

2015-09-21 Thread Douglas Mendizábal
the controller. The certificate download happens > on the controller too. 2) Once we move to service-vm model, where > service-vms could reside on compute hypervisors, where will the > cert download happen? Still on controller in the flow? > > Thanks, Varun > > On 9/

Re: [openstack-dev] [neutron][lbaas] Barbican container lookup from lbaas

2015-09-19 Thread Douglas Mendizábal
container reference Since the user grants the lbaas user access in step 2, the token generated using the conf file credentials will be accepted by Barbican and the certificate will be made available to lbaas. - Douglas Mendizábal [1] http://docs.openstack.org/developer/barbican/api/quickstart

Re: [openstack-dev] [all][elections] PTL nomination period is now over

2015-09-17 Thread Douglas Mendizábal
/PTL_Elections_September_2015 [2] http://time.is/UTC Douglas Mendizábal On 9/17/15 9:50 AM, Anita Kuno wrote: > On 09/17/2015 08:22 AM, Matt Riedemann wrote: >> >> >> On 9/17/2015 8:25 AM, Tristan Cacqueray wrote: >>> PTL Nomination is now over. The official candidate list i

Re: [openstack-dev] [all][elections] PTL nomination period is now over

2015-09-17 Thread Douglas Mendizábal
in particular for missing this deadline. Thanks, Douglas Mendizábal On 9/17/15 8:49 AM, Flavio Percoco wrote: > On 17/09/15 13:44 +, Tristan Cacqueray wrote: >> On 09/17/2015 01:32 PM, Flavio Percoco wrote: >>> On 17/09/15 13:25 +, Tristan Cacqueray wrote: >>>&

Re: [openstack-dev] [Barbican] Nominating Dave Mccowan for Barbican core

2015-09-14 Thread Douglas Mendizábal
As described in the Barbican Core Team wiki [1] Dave has gotten the required +1s and no objections, so I'm happy to welcome him to the Barbican Core reviewer team. Douglas Mendizábal On 9/9/15 11:33 AM, John Wood wrote: > Agreed, +1 > >

Re: [openstack-dev] [Barbican] Nominating Dave Mccowan for Barbican core

2015-09-08 Thread Douglas Mendizábal
+1 Dave has been a great asset to the team, and I think he would make an excellent core reviewer. - Douglas Mendizábal On 9/8/15 11:05 AM, Juan Antonio Osorio wrote: > I'd like to nominate Dave Mccowan for the Barbican core review >

[openstack-dev] [barbican] No IRC meeting tomorrow September 7

2015-09-06 Thread Douglas Mendizábal
Barbicaneers, We'll be skipping the weekly IRC meeting tomorrow since I expect most folks will be out due to the US holiday. Thanks, Douglas Mendizábal

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

2015-09-01 Thread Douglas Mendizábal
Added a few comments inline. - Douglas Mendizábal On 9/1/15 12:03 PM, John Dennis wrote: > On 09/01/2015 10:57 AM, Clark, Robert Graham wrote: >> >>> The reason that is compelling is that you can have Barbican >>>

Re: [openstack-dev] Barbican : Regarding the Tempest Tests for Barbican

2015-07-01 Thread Douglas Mendizábal
me if I'm wrong. The automated tests that validate the API are the Functional Tests I linked in my earlier email. - Douglas Mendizábal On 7/1/15 3:22 PM, Asha Seshagiri wrote: Hi Douglas , Are there any Automated Test cases created for validating the Barbican APIs. Thanks and Regards

Re: [openstack-dev] Barbican : Regarding the Tempest Tests for Barbican

2015-07-01 Thread Douglas Mendizábal
tests to the Tempest repo. It's my understanding that Tempest is moving away from one monolithic repository into a modular approach using tempest-lib. - Douglas Mendizábal [1] http://git.openstack.org/cgit/openstack/barbican/tree/functionaltests On 7/1/15 2:12 PM, Asha Seshagiri wrote: Hi All

Re: [openstack-dev] Barbican : Regarding the Tempest Tests for Barbican

2015-07-01 Thread Douglas Mendizábal
Asha, Information for running the Functional tests can be found in our official documentation. [1] - Douglas Mendizábal [1] http://docs.openstack.org/developer/barbican/testing.html#functional-tests On 7/1/15 5:08 PM, Asha Seshagiri wrote

Re: [openstack-dev] [all] [stable] No longer doing stable point releases

2015-06-17 Thread Douglas Mendizábal
of all changes landing in the stable branches, and should be able to push a tag immediately after an important fix lands. Asking the packagers to make the determination means that they would have to be aware of every patch landing in every project, which I think is a lot to ask. - Douglas

Re: [openstack-dev] [Barbican] Nominating Chelsea Winfree for Barbican core

2015-05-25 Thread Douglas Mendizábal
Since there are no objections, Chelsea Winfree is now part of barbican-core. Congratulations! - Douglas Mendizábal On 5/21/15 6:58 PM, Nathan Reller wrote: +1 On Thu, May 21, 2015 at 4:53 PM, Juan Antonio Osorio jaosor...@gmail.com wrote

[openstack-dev] [barbican] Weekly meeting cancelled today

2015-05-25 Thread Douglas Mendizábal
Hi All, The Barbican weekly meeting is cancelled today because of the US holiday. Meetings will resume next week at the regularly scheduled time. Thanks, - Douglas Mendizábal

Re: [openstack-dev] [barbican] Nominating Kaitlin Farr for barbican-core

2015-05-25 Thread Douglas Mendizábal
Since there are no objections, Kaitlin Farr is now part of barbican-core. Congratulations! - Douglas Mendizábal On 5/24/15 12:19 PM, Chad Lung wrote: +1 Chad Lung EMC Cloud Services / I would like to nominate Kaitlin Farr

Re: [openstack-dev] [Barbican] Nominating Chelsea Winfree for Barbican core

2015-05-20 Thread Douglas Mendizábal
+1 from me as well. - Douglas Mendizábal On 5/18/15 7:38 AM, John Vrbanac wrote: +1 John Vrbanac -- *From:* Chad Lung chad.l...@gmail.com *Sent:* Sunday, May

[openstack-dev] [keystone][nova][barbican] VM-spec discussion

2015-05-20 Thread Douglas Mendizábal
to each new vm so that the vm is able to access a secret in Barbican. Thanks, Douglas Mendizábal [1] https://review.openstack.org/#/c/159571/

[openstack-dev] [barbican] Nominating Kaitlin Farr for barbican-core

2015-05-19 Thread Douglas Mendizábal
] As a reminder to the rest of the core team, we use the process outlined in https://wiki.openstack.org/wiki/Barbican/CoreTeam to add members to the barbican-core team. Thanks, Douglas Mendizábal [1] http://stackalytics.com/report/contribution/barbican-group/90

Re: [openstack-dev] [trove][zaqar] Trove and Zaqar integration. Summit working session

2015-05-14 Thread Douglas Mendizábal
I'm very much interested in talking with some Keystone folks about this auth issue. I would be willing to dedicate a Barbican Working Session to this discussion if there is a time slot that works for all the interested parties. - Douglas

Re: [openstack-dev] [Murano] [Mistral] [Zaqar] [Keystone] SSH workflow action

2015-05-14 Thread Douglas Mendizábal
for some of our contributors who find the current Keystone models burdensome. [2] - Douglas Mendizábal [1] http://lists.openstack.org/pipermail/openstack-dev/2015-May/064196.html [2] http://specs.openstack.org/openstack/barbican-specs/specs/kilo/add-creator-only-option.html On 5/12/15 8:43 PM, Zane

Re: [openstack-dev] Barbican : Unable to execute the curl command for uploading/retrieving the secrets with the latest Barbican code.

2015-05-14 Thread Douglas Mendizábal
Hi Asha, The reason we support an Unauthenticated Context in Barbican is purely for development purposes. We recommend that all production Barbican deployments use Keystone or an alternative AuthN/AuthZ service in front of Barbican. Setting up a
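The standalone-setup reply above (2017-01-25) and this message make the same operational point: Barbican's unauthenticated context exists for development only, and a production deployment puts keystonemiddleware (or another AuthN/AuthZ layer) in front of the API. The following is an added configuration example, not text or code from either message and not the Barbican project's own shipped files. It shows the development pipeline beside the Keystone-protected one in the paste file, and the [keystone_authtoken] section the authtoken filter reads from barbican.conf. The pipeline, filter and factory names follow the layout of barbican-api-paste.ini as I know it; the Keystone URL, service user, password and domain IDs are placeholder values to be replaced for your cloud.

```ini
# barbican-api-paste.ini (added example; placeholder values)

[composite:main]
use = egg:Paste#urlmap
/: barbican_version
/v1: barbican_api

# Development only. Nothing validates the caller; the request context is
# built from headers the client itself supplies, so anyone who can reach
# the port can read or write any project's secrets. Never mount this under
# /v1 on a production host.
#[pipeline:barbican_api]
#pipeline = unauthenticated-context apiapp

# Production. keystonemiddleware validates the token against Keystone and
# the context filter builds the request context from the validated identity.
[pipeline:barbican_api]
pipeline = authtoken context apiapp

[filter:unauthenticated-context]
paste.filter_factory = barbican.api.middleware.context:UnauthenticatedContextMiddleware.factory

[filter:context]
paste.filter_factory = barbican.api.middleware.context:ContextMiddleware.factory

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[app:apiapp]
paste.app_factory = barbican.api.app:create_main_app

# barbican.conf (added example; placeholder values). These are the
# credentials the authtoken filter uses to validate incoming tokens.
# Use a dedicated service user in the service project, not an admin.
[keystone_authtoken]
auth_uri = http://keystone.example.com:5000
auth_url = http://keystone.example.com:5000
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = service
username = barbican
password = REPLACE_WITH_SERVICE_PASSWORD
```

A quick check after restarting the API: a request to /v1/secrets with no X-Auth-Token header should be rejected with 401 once the authtoken filter is in the pipeline; if it still returns a secret list, the /v1 mount is pointing at the unauthenticated pipeline. If you do deploy without Keystone, as the standalone reply allows, the equivalent control has to come from somewhere else (mutual TLS at the proxy, network isolation, or a different auth filter in the same pipeline slot), because the unauthenticated context provides none.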