Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Embrace the larger world instead of trying to recreate parts of it, create alliances with the CNCF and/or other companies The CNCF isn't a company... Yes, fair, good point, thanks for the correction. that are getting actively involved there and make bets that solutions there are things

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Wed, Jan 18, 2017 at 5:18 PM, Clint Byrum wrote: > Excerpts from Morgan Fainberg's message of 2017-01-18 15:33:00 -0800: > > On Wed, Jan 18, 2017 at 11:23 AM, Brant Knudson wrote: > > > > > > > > > > > On Wed, Jan 18, 2017 at 9:58 AM, Dave McCowan (dmccowan) <

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Excerpts from Morgan Fainberg's message of 2017-01-18 15:33:00 -0800: > On Wed, Jan 18, 2017 at 11:23 AM, Brant Knudson wrote: > > > > > > > On Wed, Jan 18, 2017 at 9:58 AM, Dave McCowan (dmccowan) < > > dmcco...@cisco.com> wrote: > > > >> > >> On Mon, Jan 16, 2017 at 7:35 AM, Ian

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Wed, Jan 18, 2017 at 11:23 AM, Brant Knudson wrote: > > > On Wed, Jan 18, 2017 at 9:58 AM, Dave McCowan (dmccowan) < > dmcco...@cisco.com> wrote: > >> >> On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco >> wrote: >> >>> Hi everyone, >>> >>> I've seen a few

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 We've also talked about fancier non-keystone-auth like x.509 certificate s. - - Douglas On 1/18/17 11:52 AM, Clint Byrum wrote: > Excerpts from Dave McCowan (dmccowan)'s message of 2017-01-18 > 15:58:19 +: >> >> On Mon, Jan 16, 2017 at 7:35

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

-dev@lists.openstack.org> >> Date: January 16, 2017 at 13:03:41 To: OpenStack Development >> Mailing List (not for usage questions) >> <openstack-dev@lists.openstack.org> Subject: Re: [openstack-dev] >> [all] [barbican] [security] Why are projects tr

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Wed, Jan 18, 2017 at 9:58 AM, Dave McCowan (dmccowan) wrote: > > On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco > wrote: > >> Hi everyone, >> >> I've seen a few nascent projects wanting to implement their own secret >> storage to either replace

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 I'm very much interested in an out-of-the-box software-only backend driver for Barbican. I think that one of the reasons people have been hesitant to deploy Barbican is that we claim that our Simple Crypto software-only driver is "not secure in any

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Excerpts from Dave McCowan (dmccowan)'s message of 2017-01-18 15:58:19 +: > > On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco > > wrote: > Hi everyone, > > I've seen a few nascent projects wanting to implement their own secret > storage to

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco > wrote: Hi everyone, I've seen a few nascent projects wanting to implement their own secret storage to either replace Barbican or avoid adding a dependency on it. When I've pressed the

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco wrote: > Hi everyone, > > I've seen a few nascent projects wanting to implement their own secret > storage to either replace Barbican or avoid adding a dependency on it. > When I've pressed the developers on this point, the

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

g> Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? > On 01/17/2017 07:57 AM, Ian Cordasco wrote: > > On Mon, Jan 16, 2017 at 6:20 PM, Amrith Kumar wrote: > >> Ian, > >> > >> This is a fascinating conversation.

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 01/16/2017 07:19 PM, Joshua Harlow wrote: Fox, Kevin M wrote: Your right, it is not what the big tent was about, but the big tent had some unintended side affects. The list, as you stated: * No longer having a formal incubation and graduation period/review for applying projects * Having a

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 01/17/2017 07:57 AM, Ian Cordasco wrote: On Mon, Jan 16, 2017 at 6:20 PM, Amrith Kumar wrote: Ian, This is a fascinating conversation. Let me offer two observations. First, Trove has long debated the ideal solution for storing secrets. There have been many

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

:04 AM > *To:* OpenStack Development Mailing List (not for usage questions) > *Subject:* Re: [openstack-dev] [all] [barbican] [security] Why are > projects trying to avoid Barbican, still? > > > > On 17 January 2017 at 13:41, Dave McCowan (dmccowan) <dmcco...@cisco.com

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 1/17/17, 5:37 AM, "Thierry Carrez" wrote: >I think the focus question is an illusion, as Ed brilliantly explained >in https://blog.leafe.com/openstack-focus/ > >The issue here is that it's just a lot more profitable career-wise and a >lot less risky to work first-level

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

From: Duncan Thomas [duncan.tho...@gmail.com] Sent: Tuesday, January 17, 2017 6:04 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? On 17

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 01/16/2017 08:35 AM, Ian Cordasco wrote: > Hi everyone, > > I've seen a few nascent projects wanting to implement their own secret > storage to either replace Barbican or avoid adding a dependency on it. > When I've pressed the developers on this point, the only answer I've > received is to

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Tue, Jan 17, 2017 at 8:04 AM, Duncan Thomas wrote: > controls than this, but they never showed up AFAIK. And that's just the > problem - people think 'Oh, barbican is storing the cinder volume secrets, > great, we're secure' when actually barbican has made the security

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 17 January 2017 at 13:41, Dave McCowan (dmccowan) wrote: > > I don't know everything that was proposed in the Juno timeframe, or > before, but the Nova and Cinder integration has been done now. The > documentation is at [1]. A cinder user can create an encryption key >

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

> >Date: January 16, 2017 at 13:03:41 >To: OpenStack Development Mailing List (not for usage questions) ><openstack-dev@lists.openstack.org> >Subject: Re: [openstack-dev] [all] [barbican] [security] Why are >projects trying to avoid Barbican, still? >> Yep. Barbican supp

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

16, 2017 at 5:33 PM To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>> Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? To give a tot

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Just a quick note on Castellan, at the moment it's not a particularly strong abstraction for key management in general, just the openstack key management interface. The reason this is important is because if I recall correctly, Castellan requires a keystone token for auth. It should be no suprise

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Mon, Jan 16, 2017 at 6:20 PM, Amrith Kumar wrote: > Ian, > > This is a fascinating conversation. Let me offer two observations. > > First, Trove has long debated the ideal solution for storing secrets. There > have been many conversations, and Barbican has been

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Mon, Jan 16, 2017 at 6:11 PM, Joshua Harlow wrote: >> Is the problem perhaps that no one is aware of other projects using >> Barbican? Is the status on the project navigator alarming (it looks >> like some of this information is potentially out of date)? Has >> Barbican

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 16/01/17 16:57 -0500, Jay Pipes wrote: On 01/16/2017 04:09 PM, Fox, Kevin M wrote: If the developers that had issue with the lack of functionality, contributed to Barbican rather then go off on their own, the problem would have been solved much more quickly. The lack of sharing means the

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 17 Jan 2017, at 11:28, Maish Saidel-Keesing > wrote: Please see inline. On 17/01/17 9:36, Tim Bell wrote: ... Are we really talking about Barbican or has the conversation drifted towards Big Tent concerns? Perhaps we can flip this thread

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Qiming Teng wrote: > On Mon, Jan 16, 2017 at 08:21:02PM +, Fox, Kevin M wrote: >> IMO, This is why the big tent has been so damaging to OpenStack's progress. >> Instead of lifting the commons up, by requiring dependencies on other >> projects, there by making them commonly deployed and high

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Please see inline. On 17/01/17 9:36, Tim Bell wrote: > >> On 17 Jan 2017, at 01:19, Brandon B. Jozsa > > wrote: >> >> Inline >> >> On January 16, 2017 at 7:04:00 PM, Fox, Kevin M (kevin@pnnl.gov >> ) wrote: >> >>> >>>

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 17 Jan 2017, at 01:19, Brandon B. Jozsa > wrote: Inline On January 16, 2017 at 7:04:00 PM, Fox, Kevin M (kevin@pnnl.gov) wrote: I'm not stating that the big tent should be abolished and we go back to the way

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Mon, Jan 16, 2017 at 08:21:02PM +, Fox, Kevin M wrote: > IMO, This is why the big tent has been so damaging to OpenStack's progress. > Instead of lifting the commons up, by requiring dependencies on other > projects, there by making them commonly deployed and high quality, post big >

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

the projects has been developed more than 3 years, unfortunately, they're not trusted, on the contrary, sometimes we're brave to use some 3rd party library very new. That's a little ironic. > > Thanks, > Kevin > ________________ > From: Jay Pipes [jaypi...@gmai

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

ling List (not for usage questions) > <openstack-dev@lists.openstack.org> > Subject: [openstack-dev] [all] [barbican] [security] Why are projects trying to > avoid Barbican, still? > > Hi everyone, > > I've seen a few nascent projects wanting to implement their own secret

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Fox, Kevin M wrote: Your right, it is not what the big tent was about, but the big tent had some unintended side affects. The list, as you stated: * No longer having a formal incubation and graduation period/review for applying projects * Having a single, objective list of requirements and

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Inline On January 16, 2017 at 7:04:00 PM, Fox, Kevin M (kevin@pnnl.gov) wrote: I'm not stating that the big tent should be abolished and we go back to the way things were. But I also know the status quo is not working either. How do we fix this? Anyone have any

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Is the problem perhaps that no one is aware of other projects using Barbican? Is the status on the project navigator alarming (it looks like some of this information is potentially out of date)? Has Barbican been deemed too hard to deploy? I really want to understand why so many projects feel

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

_ From: Jay Pipes [jaypi...@gmail.com] Sent: Monday, January 16, 2017 1:57 PM To: openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? On 01/16/2017 04:09 PM, Fox, Kevin M wrote: > If the developers t

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

The "single master token" issue is something I think a lot of services may suffer from, and it's definitely something the Barbican folks are aware of (I've made it a point to personally bring this up many times, including hijacking parts of the keystone and barbican sessions at the Tokyo, Austin,

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

To give a totally different prospective on why somebody might dislike Barbican (I'm one of those people). Note that I'm working from pretty hazy memories so I don't guarantee I've got everything spot on, and I am without a doubt giving a very one sided view. But hey, that's the side I happen to

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 01/16/2017 04:09 PM, Fox, Kevin M wrote: If the developers that had issue with the lack of functionality, contributed to Barbican rather then go off on their own, the problem would have been solved much more quickly. The lack of sharing means the problems don't get fixed as fast. Agreed

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

to [adrian.o...@rackspace.com] > Sent: Monday, January 16, 2017 11:55 AM > To: OpenStack Development Mailing List (not for usage questions) > Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects > trying to avoid Barbican, still? > >> On Jan 16, 2017, at 1

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Tue, Jan 17, 2017 at 10:09 AM, Fox, Kevin M wrote: > As for operators, If the more common projects all started depending on it, > it would be commonly deployed. Would the operators deploy Barbican just for > Magnum? maybe not. maybe so. For Magnum, Ironic, and Sahara, more

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

t be on the list unless you reimplement the wheel. > My 2 cents. > Kevin > > > From: Chris Friesen [chris.frie...@windriver.com] > Sent: Monday, January 16, 2017 9:25 AM > To: openstack-dev@lists.openstack.org > Subject: Re: [openst

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

From: Adrian Otto [adrian.o...@rackspace.com] Sent: Monday, January 16, 2017 11:55 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? > On Jan 16, 2017, at 11:02 AM, D

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

usage questions) > <openstack-dev@lists.openstack.org> > Date: January 16, 2017 at 11:26:41 > To: openstack-dev@lists.openstack.org <openstack-dev@lists.openstack. > org> > Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are > projects trying to avoid Barbic

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

[openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? On 01/16/2017 10:31 AM, Rob C wrote: > I think the main point has already been hit on, developers don't want to > require that Barbican be deployed in order for their service to be

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

enstack-dev@lists.openstack.org> > >> Date: January 16, 2017 at 10:33:20 > >> To: OpenStack Development Mailing List (not for usage questions) > >> <openstack-dev@lists.openstack.org> > >> Subject: Re: [openstack-dev] [all] [barbican] [security] Why are >

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

t;openstack-dev@lists.openstack.org> Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? > Yep. Barbican supports four backend secret stores. [1] > > The first (Simple Crypto) is easy to deploy, but not extraordinarily > secure, s

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

> Reply: OpenStack Development Mailing List (not for usage questions) >> <openstack-dev@lists.openstack.org> >> Date: January 16, 2017 at 10:33:20 >> To: OpenStack Development Mailing List (not for usage questions) >> <openstack-dev@lists.openstack.org> >> Subjec

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

January 16, 2017 at 10:33:20 >To: OpenStack Development Mailing List (not for usage questions) ><openstack-dev@lists.openstack.org> >Subject: Re: [openstack-dev] [all] [barbican] [security] Why are >projects trying to avoid Barbican, still? > >> Thanks for raising this on the

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

ck.org> Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? > On 01/16/2017 10:31 AM, Rob C wrote: > > > I think the main point has already been hit on, developers don't want to > > require that Barbican be deployed in or

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

> > > The last I checked, Rob, they also support DogTag IPA which is purely > a Software based HSM. Hopefully the Barbican team can confirm this. > -- > Ian Cordasco > Yup, that's my understanding too. However, that requires Barbican _and_ Dogtag, an even bigger overhead. Especially as at least

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 01/16/2017 10:31 AM, Rob C wrote: I think the main point has already been hit on, developers don't want to require that Barbican be deployed in order for their service to be used. I think that this is a perfectly reasonable stance for developers to take. As long as Barbican is an

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

s.openstack.org> Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? > Thanks for raising this on the mailing list Ian, I too share some of > your consternation regarding this issue. > > I think the main point has already been

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

org> > Subject: Re: [openstack-dev] [all] [barbican] [security] Why are > projects trying to avoid Barbican, still? > > > On 16/01/2017 13:38, Ian Cordasco wrote: > > > Is the problem perhaps that no one is aware of other projects using > > > Barbican? Is th

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

t;openstack-dev@lists.openstack.org> Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? > On 16/01/2017 13:38, Ian Cordasco wrote: > > Is the problem perhaps that no one is aware of other projects using > > Barbican? Is the status

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 16/01/2017 13:38, Ian Cordasco wrote: > Hi everyone, > > I've seen a few nascent projects wanting to implement their own secret > storage to either replace Barbican or avoid adding a dependency on it. > When I've pressed the developers on this point, the only answer I've > received is to make

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Mon, 16 Jan 2017, Ian Cordasco wrote: I really want to understand why so many projects feel the need to implement their own secrets storage. This seems a bit short-sighted and foolish. While these projects are making themselves easier to deploy, if not done properly they are potentially

[openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Hi everyone, I've seen a few nascent projects wanting to implement their own secret storage to either replace Barbican or avoid adding a dependency on it. When I've pressed the developers on this point, the only answer I've received is to make the operator's lives simpler. I've been struggling