Is anyone interested in the pull model or actually implementing it? I
say if the answer to that is no then only discuss the push model.
Note that I am having a talk on BYOK on Tuesday at 11:15. My talk will
go over provider key management, the push model, and the pull model.
I agree with Doug's comments. Castellan is a generic key manager
library that allows symmetric keys, private keys, public keys,
certificates, passphrases, and opaque secret data to be stored in a
key manager. There is a Barbican implementation that is complete, and
a KMIP (Key Management
> Red Herring. We don't need HMAC. We need to make better use of the tools in
I'm curious what you mean by this. I'd like to know the lessons learned.
> As for HMAC several years/releases ago, what was the issue (just wondering)?
> Just too much load on controller nodes to do
He is a great addition to the Barbican community.
On Mon, Feb 15, 2016 at 1:34 PM, Dave McCowan (dmccowan)
> On 2/15/16, 12:45 PM, "Douglas Mendizábal"
>>-BEGIN PGP SIGNED MESSAGE-
> the cinder admin and the nova admin are ALWAYS the same people
There is interest in hybrid clouds where the Nova and Cinder services
are managed by different providers. The customer would place higher
trust in Nova because you must trust the compute service, and the
customer would place less
> But that approach looks a little untidy, because tenant admin has to do
> some infrastructure work.
I would think infrastructure work would be part of the admin role. They are
doing other things such as creating LBaaS, which seems like an
infrastructure job to me. I would think configuring LBaaS
Dave is a great member of the team, and I think he has earned it.
On Tue, Sep 8, 2015 at 12:13 PM, Douglas Mendizábal <
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> Dave has been a great asset to the team, and I think he would
You would need to update the KMIPSecretStore or create a new
SecretStore to handle this. The logic should be behind the SecretStore
abstraction because Barbican only allows one active secret store.
I would think that the configuration file would have a listing of
available KMIP server URLs.
When you say you want your key in ASCII does that also mean putting
the bytes in hex or base64 format? Isn't ASCII only 7 bits?
On Mon, Jun 8, 2015 at 1:17 AM, Asha Seshagiri asha.seshag...@gmail.com wrote:
Thanks John for your response.
I am aware that application/octet-stream
You would just store the url in the DTO.
You will need to have the KMIP secret store return the KMIP server
that handled the request in the metadata that is returned to Barbican
each kmip server url would need to be in the barbican-api.conf file?
I would assume that would be true.
On Thu, May 21, 2015 at 12:29 PM, John Wood john.w...@rackspace.com wrote:
From: Douglas Mendizábal douglas.mendiza...@rackspace.com
Sent: Tuesday, May 19, 2015 7:09 PM
To: OpenStack Development Mailing List (not for usage questions)
On Thu, May 21, 2015 at 4:53 PM, Juan Antonio Osorio
On Thu, May 21, 2015 at 11:05 PM, John Wood john.w...@rackspace.com wrote:
From: Chad Lung chad.l...@gmail.com
Sent: Sunday, May 17, 2015 6:34 PM
It seems we need to add some validation to the process
Yes, we are planning to add some validation checks in Kilo. I would
submit a bug report for this.
The big part of the issue is that we need to be clearer about the
expected input types to the API as well as the SecretStores. This was
How many people would want to attend both the OSSG mid-cycle and the Barbican
OpenStack-dev mailing list
+1 for me
I would like to nominate Juan Antonio Osorio Robles to the barbican-core
Juan has been consistently giving us very well thought out and constructive
reviews for Barbican, python-barbicanclient and
+1 for me
is Cinder capable today to use Barbican for encryption?
Yes, Cinder has a KeyManager abstraction, and one of the implementations is
Barbican. Check out cinder.keymgr.barbican.py. We have successfully used
Barbican within Cinder.
I think the python-barbicanclient has recently changed. This change
I was wondering about the progress of KMIP support in Barbican?
As John pointed out, JHU/APL is working on adding KMIP support to Barbican.
We submitted the first CR to add a Secret Store interface into Barbican.
The next step is to add a KMIP implementation of the Secret Store.