Re: [openstack-dev] [Barbican] Multiple KMIP servers on a single barbican

2015-06-10 Thread Nathan Reller
You would need to update the KMIPSecretStore or create a new
SecretStore to handle this. The logic should be behind the SecretStore
abstraction because Barbican only allows one active secret store.

I would think that the configuration file would have a listing of
available KMIP server URLs.

The URL as to where each key is stored would not be in the DTO but
rather in the metadata associated with a secret. The return calls for
the generate and store methods would return this metadata. Then all of
the other calls would need to parse the metadata to determine where
the secret is stored, so it would contact the correct KMIP server.

That's how I am envisioning it, but perhaps you have a better design
in which case I would vote for that one :)

-Nate

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Barbican] Multiple KMIP servers on a single barbican

2015-06-09 Thread John Wood
Hello Chris,

I defer to Nate and Kaitlin for things KMIP.

From a config perspective though, it seems that something needs to decide 
which KMIP backend handles which secret. Wherever that decision-making logic 
lives (in Barbican or in a proxy that Barbican talks to), it has to know what 
KMIP backends are available. If this list of backends is known/static then it 
seems that storing these in a config file (like barbican-api.conf) would be 
acceptable. Keep in mind that more than one Barbican API node might be hitting 
the same KMIP backends concurrently.

As for multiple plugins in Barbican, the current approach favors having an 
instance per plugin class, so IMHO it would be better to have a single 
multi-KMIP plugin class that handles the above decision logic. This would most 
likely be your 'active' secret store plugin.

Thanks,
John


From: Christopher N Solis cnso...@us.ibm.com
Reply-To: OpenStack Development Mailing List (not for usage questions) 
openstack-dev@lists.openstack.org
Date: Friday, June 5, 2015 at 12:41 PM
To: OpenStack Development Mailing List (not for usage questions) 
openstack-dev@lists.openstack.org
Subject: [openstack-dev] [Barbican] Multiple KMIP servers on a single barbican


Hey all.

I wanted to get people's opinion on allowing barbican to talk to multiple KMIP 
servers. I got good advice from Nathan and John and it seems like it would be 
pretty easy keeping track of which secret resides in which KMIP appliance. You 
would just store the url in the DTO. However, in order for barbican to be aware 
of all KMIP servers wouldn't that mean that each kmip server url would need to 
be in the barbican-api.conf file? Or somewhere for barbican to know that 
multiple kmip servers are available? I noticed that there is a blueprint to 
introduce the concept of a single active and multiple inactive secret store 
plugins so I'm trying to stray away from making multiple active plugins.

Regards,

  Chris Solis


Re: [openstack-dev] [Barbican] Multiple KMIP servers on a single barbican

2015-06-05 Thread Nathan Reller
> You would just store the url in the DTO.

You will need to have the KMIP secret store return the KMIP server
that handled the request in the metadata that is returned to Barbican
Core.

> each kmip server url would need to be in the barbican-api.conf file?

I would assume that would be true.

> I'm trying to stray away from making multiple active plugins

That is good because only one active secret store is allowed to be
active in Barbican. You can add this functionality to the KMIP secret
store plugin. You would need to change it to have a list of valid KMIP
servers. Then when a request is received to store or generate a key
then you would need some algorithm to know which KMIP appliance to
choose. Then do everything as normal. At the end then return the KMIP
URL in the metadata. Then all other operations would retrieve the
server URL before communicating with the KMIP appliance. I hope that
makes sense. If not then I will be around on IRC.

-Nate

On Fri, Jun 5, 2015 at 1:41 PM, Christopher N Solis cnso...@us.ibm.com wrote:
> Hey all.
>
> I wanted to get people's opinion on allowing barbican to talk to multiple
> KMIP servers. I got good advice from Nathan and John and it seems like it
> would be pretty easy keeping track of which secret resides in which KMIP
> appliance. You would just store the url in the DTO. However, in order for
> barbican to be aware of all KMIP servers wouldn't that mean that each kmip
> server url would need to be in the barbican-api.conf file? Or somewhere for
> barbican to know that multiple kmip servers are available? I noticed that
> there is a blueprint to introduce the concept of a single active and
> multiple inactive secret store plugins so I'm trying to stray away from
> making multiple active plugins.
>
> Regards,
>
>   Chris Solis




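The plugin shape Nate describes in both of his replies (a configured list of KMIP server URLs, a selection step when a secret is stored or generated, the chosen server's URL returned in the secret's metadata, and every later operation reading that URL back before talking to an appliance), as an added Python sketch. This is not Barbican or PyKMIP code: `MultiKMIPSecretStore`, `FakeKMIPServer`, `UnknownKMIPServer`, the metadata key names and the two server URLs are hypothetical or constructed for the example. It also covers John's point about several API nodes hitting the same backends: because the metadata, not any in-memory state, records where a secret lives, each node can make its own placement choice without coordinating with the others.

```python
"""Sketch of a single 'active' secret store that fans out to several KMIP servers.

Added example, not Barbican or PyKMIP code. Class names, metadata keys and the
configured URLs are hypothetical / constructed.
"""
import itertools
import uuid


class FakeKMIPServer:
    """Stand-in for one KMIP appliance; a real plugin would hold a PyKMIP client here."""

    def __init__(self, url):
        self.url = url
        self._objects = {}

    def register(self, secret_bytes):
        uid = str(uuid.uuid4())
        self._objects[uid] = secret_bytes
        return uid

    def get(self, uid):
        return self._objects[uid]

    def destroy(self, uid):
        del self._objects[uid]


class UnknownKMIPServer(Exception):
    """The secret's metadata names a server that is not in the configured list."""


class MultiKMIPSecretStore:
    """One secret store plugin hiding several KMIP servers behind the SecretStore abstraction.

    The server list comes from configuration (barbican-api.conf in the thread).
    store_secret picks a server and records its URL in the returned metadata;
    get_secret / delete_secret read that URL back, so no per-node state is
    needed and several API nodes can share the same backends safely.
    """

    META_URL = "kmip_server_url"   # hypothetical metadata key
    META_UID = "kmip_object_uid"   # hypothetical metadata key

    def __init__(self, server_urls, client_factory=FakeKMIPServer):
        if not server_urls:
            raise ValueError("at least one KMIP server URL must be configured")
        self._servers = {url: client_factory(url) for url in server_urls}
        # Round-robin is a placeholder selection algorithm; the thread leaves
        # the policy open (least-loaded, tenant affinity, ... would slot in here).
        self._rr = itertools.cycle(list(self._servers))

    def _choose_server(self):
        return self._servers[next(self._rr)]

    def _server_for(self, metadata):
        url = metadata.get(self.META_URL)
        if url not in self._servers:
            # Fail closed: a secret whose server is no longer configured must
            # surface as an error, never be looked up on some other appliance.
            raise UnknownKMIPServer(f"{url!r} is not a configured KMIP server")
        return self._servers[url]

    def store_secret(self, secret_bytes):
        server = self._choose_server()
        uid = server.register(secret_bytes)
        # This metadata is what Barbican core persists alongside the secret.
        return {self.META_URL: server.url, self.META_UID: uid}

    def get_secret(self, metadata):
        return self._server_for(metadata).get(metadata[self.META_UID])

    def delete_secret(self, metadata):
        self._server_for(metadata).destroy(metadata[self.META_UID])


# Constructed sample configuration (would be read from barbican-api.conf).
SAMPLE_SERVER_URLS = [
    "kmip://kmip-a.example.internal:5696",
    "kmip://kmip-b.example.internal:5696",
]


def demo():
    """Store four secrets, then read each back via its own metadata."""
    store = MultiKMIPSecretStore(SAMPLE_SERVER_URLS)
    metas = [store.store_secret(f"secret-{i}".encode()) for i in range(4)]
    urls = [m[MultiKMIPSecretStore.META_URL] for m in metas]
    values = [store.get_secret(m) for m in metas]
    return urls, values


if __name__ == "__main__":
    print(demo())
```

The point of `_server_for` raising rather than falling back is the caveat a reviewer would want: if an appliance is removed from the configured list while secrets still point at it, those secrets become unreadable by design, which is the correct failure mode for key material.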


[openstack-dev] [Barbican] Multiple KMIP servers on a single barbican

2015-06-05 Thread Christopher N Solis
Hey all.

I wanted to get people's opinion on allowing barbican to talk to multiple
KMIP servers. I got good advice from Nathan and John and it seems like it
would be pretty easy keeping track of which secret resides in which KMIP
appliance. You would just store the url in the DTO. However, in order for
barbican to be aware of all KMIP servers wouldn't that mean that each kmip
server url would need to be in the barbican-api.conf file? Or somewhere for
barbican to know that multiple kmip servers are available? I noticed that
there is a blueprint to introduce the concept of a single active and
multiple inactive secret store plugins so I'm trying to stray away from
making multiple active plugins.

Regards,

  Chris Solis