Re: [openstack-dev] [Security][Barbican][all] Bring your own key fishbowl sessions

2016-04-22 Thread Nathan Reller
> Thoughts? Is anyone interested in the pull model or actually implementing it? I say if the answer to that is no then only discuss the push model. Note that I am having a talk on BYOK on Tuesday at 11:15. My talk will go over provider key management, the push model, and the pull model. There

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-14 Thread Nathan Reller
I agree with Doug's comments. Castellan is a generic key manager library that allows symmetric keys, private keys, public keys, certificates, passphrases, and opaque secret data to be stored in a key manager. There is a Barbican implementation that is complete, and a KMIP (Key Management

Re: [openstack-dev] [oslo][all] What would you like changed/fixed/new in oslo??

2016-03-21 Thread Nathan Reller
> Red Herring. We don't need HMAC. We need to make better use of the tools in Rabbit.
I'm curious what you mean by this. I'd like to know the lessons learned.
> As for HMAC several years/releases ago, what was the issue (just wondering)? Just too much load on controller nodes to do

Re: [openstack-dev] [barbican] Nominating Fernando Diaz for Barbican Core

2016-02-15 Thread Nathan Reller
+1 He is a great addition to the Barbican community. -Nate On Mon, Feb 15, 2016 at 1:34 PM, Dave McCowan (dmccowan) wrote: > +1 > > On 2/15/16, 12:45 PM, "Douglas Mendizábal" > wrote: > >>-BEGIN PGP SIGNED MESSAGE- >>Hash: SHA512

[openstack-dev] [cinder][nova]Move encryptors to os-brick

2015-11-24 Thread Nathan Reller
> the cinder admin and the nova admin are ALWAYS the same people
There is interest in hybrid clouds where the Nova and Cinder services are managed by different providers. The customer would place higher trust in Nova because you must trust the compute service, and the customer would place less

Re: [openstack-dev] [Barbican] Providing service user read access to all tenant's certificates

2015-09-18 Thread Nathan Reller
> But that approach looks a little untidy, because tenant admin has to do some infrastructure work.
I would think infrastructure work would be part of the admin role. They are doing other things such as creating LBaaS, which seems like an infrastructure job to me. I would think configuring LBaaS

Re: [openstack-dev] [Barbican] Nominating Dave Mccowan for Barbican core

2015-09-09 Thread Nathan Reller
+1 Dave is a great member of the team, and I think he has earned it. -Nate On Tue, Sep 8, 2015 at 12:13 PM, Douglas Mendizábal < douglas.mendiza...@rackspace.com> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > +1 > > Dave has been a great asset to the team, and I think he would

Re: [openstack-dev] [Barbican] Multiple KMIP servers on a single barbican

2015-06-10 Thread Nathan Reller
You would need to update the KMIPSecretStore or create a new SecretStore to handle this. The logic should be behind the SecretStore abstraction because Barbican only allows one active secret store. I would think that the configuration file would have a listing of available KMIP server URLs. The

Re: [openstack-dev] Barbican : Retrieval of the secret in text/plain format generated from Barbican order resource

2015-06-08 Thread Nathan Reller
Asha, When you say you want your key in ASCII does that also mean putting the bytes in hex or base64 format? Isn't ASCII only 7 bits? -Nate On Mon, Jun 8, 2015 at 1:17 AM, Asha Seshagiri asha.seshag...@gmail.com wrote: Thanks John for your response. I am aware that application/octet-stream

Re: [openstack-dev] [Barbican] Multiple KMIP servers on a single barbican

2015-06-05 Thread Nathan Reller
You would just store the url in the DTO. You will need to have the KMIP secret store return the KMIP server that handled the request in the metadata that is returned to Barbican Core. each kmip server url would need to be in the barbican-api.conf file? I would assume that would be true. I'm

Re: [openstack-dev] [barbican] Nominating Kaitlin Farr for barbican-core

2015-05-21 Thread Nathan Reller
+1 On Thu, May 21, 2015 at 12:29 PM, John Wood john.w...@rackspace.com wrote: +1 From: Douglas Mendizábal douglas.mendiza...@rackspace.com Sent: Tuesday, May 19, 2015 7:09 PM To: OpenStack Development Mailing List (not for usage questions) Subject:

Re: [openstack-dev] [Barbican] Nominating Chelsea Winfree for Barbican core

2015-05-21 Thread Nathan Reller
+1 On Thu, May 21, 2015 at 4:53 PM, Juan Antonio Osorio jaosor...@gmail.com wrote: +1 On Thu, May 21, 2015 at 11:05 PM, John Wood john.w...@rackspace.com wrote: +1 From: Chad Lung chad.l...@gmail.com Sent: Sunday, May 17, 2015 6:34 PM To:

Re: [openstack-dev] [barbican] Secret store API validation

2014-11-18 Thread Nathan Reller
It seems we need to add some validation to the process Yes, we are planning to add some validation checks in Kilo. I would submit a bug report for this. The big part of the issue is that we need to be clearer about the expected input types to the API as well as the SecretStores. This was a big

Re: [openstack-dev] [Barbican][OSSG] Mid Cycle Attendance / Crossover.

2014-11-11 Thread Nathan Reller
How many people would want to attend both the OSSG mid-cycle and the Barbican one? +1 -Nate ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Barbican] Nominating Juan Antonio Osorio Robles for barbican-core

2014-11-06 Thread Nathan Reller
+1 for me -Nate - Hi All, I would like to nominate Juan Antonio Osorio Robles to the barbican-core team. Juan has been consistently giving us very well thought out and constructive reviews for Barbican, python-barbicanclient and

Re: [openstack-dev] [Barbican] Nominating Steve Heyman for barbican-core

2014-11-06 Thread Nathan Reller
+1 for me -Nate

Re: [openstack-dev] [OpenStack] [Barbican] [Cinder] Cinder and Barbican

2014-10-20 Thread Nathan Reller
is Cinder capable today to use Barbican for encryption? Yes, Cinder has a KeyManager abstraction, and one of the implementations is Barbican. Check out cinder.keymgr.barbican.py. We have successfully used Barbican within Cinder. I think the python-barbicanclient has recently changed. This change

Re: [openstack-dev] [Barbican] KMIP support

2014-06-03 Thread Nathan Reller
I was wondering about the progress of KMIP support in Barbican? As John pointed out, JHU/APL is working on adding KMIP support to Barbican. We submitted the first CR to add a Secret Store interface into Barbican. The next step is to add a KMIP implementation of the Secret Store. Is this