Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Embrace the larger world instead of trying to recreate parts of it, create alliances with the CNCF and/or other companies The CNCF isn't a company... Yes, fair, good point, thanks for the correction. that are getting actively involved there and make bets that solutions there are things tha

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Wed, Jan 18, 2017 at 5:18 PM, Clint Byrum wrote: > Excerpts from Morgan Fainberg's message of 2017-01-18 15:33:00 -0800: > > On Wed, Jan 18, 2017 at 11:23 AM, Brant Knudson wrote: > > > > > > > > > > > On Wed, Jan 18, 2017 at 9:58 AM, Dave McCowan (dmccowan) < > > > dmcco...@cisco.com> wrote:

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Excerpts from Morgan Fainberg's message of 2017-01-18 15:33:00 -0800: > On Wed, Jan 18, 2017 at 11:23 AM, Brant Knudson wrote: > > > > > > > On Wed, Jan 18, 2017 at 9:58 AM, Dave McCowan (dmccowan) < > > dmcco...@cisco.com> wrote: > > > >> > >> On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco > >>

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Wed, Jan 18, 2017 at 11:23 AM, Brant Knudson wrote: > > > On Wed, Jan 18, 2017 at 9:58 AM, Dave McCowan (dmccowan) < > dmcco...@cisco.com> wrote: > >> >> On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco >> wrote: >> >>> Hi everyone, >>> >>> I've seen a few nascent projects wanting to implement t

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 We've also talked about fancier non-keystone-auth like x.509 certificate s. - - Douglas On 1/18/17 11:52 AM, Clint Byrum wrote: > Excerpts from Dave McCowan (dmccowan)'s message of 2017-01-18 > 15:58:19 +: >> >> On Mon, Jan 16, 2017 at 7:35 AM

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

: OpenStack Development >> Mailing List (not for usage questions) >> Subject: Re: [openstack-dev] >> [all] [barbican] [security] Why are projects trying to avoid >> Barbican, still? >>> Yep. Barbican supports four backend secret stores. [1] >>> >>> The

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Wed, Jan 18, 2017 at 9:58 AM, Dave McCowan (dmccowan) wrote: > > On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco > wrote: > >> Hi everyone, >> >> I've seen a few nascent projects wanting to implement their own secret >> storage to either replace Barbican or avoid adding a dependency on it. >> W

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 I'm very much interested in an out-of-the-box software-only backend driver for Barbican. I think that one of the reasons people have been hesitant to deploy Barbican is that we claim that our Simple Crypto software-only driver is "not secure in any

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Excerpts from Dave McCowan (dmccowan)'s message of 2017-01-18 15:58:19 +: > > On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco > mailto:sigmaviru...@gmail.com>> wrote: > Hi everyone, > > I've seen a few nascent projects wanting to implement their own secret > storage to either replace Barbican

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco mailto:sigmaviru...@gmail.com>> wrote: Hi everyone, I've seen a few nascent projects wanting to implement their own secret storage to either replace Barbican or avoid adding a dependency on it. When I've pressed the developers on this point, the only

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Mon, Jan 16, 2017 at 7:35 AM, Ian Cordasco wrote: > Hi everyone, > > I've seen a few nascent projects wanting to implement their own secret > storage to either replace Barbican or avoid adding a dependency on it. > When I've pressed the developers on this point, the only answer I've > received

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

-Original Message- From: Jay Pipes Reply: OpenStack Development Mailing List (not for usage questions) Date: January 17, 2017 at 12:31:21 To: openstack-dev@lists.openstack.org Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 01/16/2017 07:19 PM, Joshua Harlow wrote: Fox, Kevin M wrote: Your right, it is not what the big tent was about, but the big tent had some unintended side affects. The list, as you stated: * No longer having a formal incubation and graduation period/review for applying projects * Having a si

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 01/17/2017 07:57 AM, Ian Cordasco wrote: On Mon, Jan 16, 2017 at 6:20 PM, Amrith Kumar wrote: Ian, This is a fascinating conversation. Let me offer two observations. First, Trove has long debated the ideal solution for storing secrets. There have been many conversations, and Barbican has b

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

o:* OpenStack Development Mailing List (not for usage questions) > *Subject:* Re: [openstack-dev] [all] [barbican] [security] Why are > projects trying to avoid Barbican, still? > > > > On 17 January 2017 at 13:41, Dave McCowan (dmccowan) > wrote: > >> >> I don&#

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 1/17/17, 5:37 AM, "Thierry Carrez" wrote: >I think the focus question is an illusion, as Ed brilliantly explained >in https://blog.leafe.com/openstack-focus/ > >The issue here is that it's just a lot more profitable career-wise and a >lot less risky to work first-level user-visible features li

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

From: Duncan Thomas [duncan.tho...@gmail.com] Sent: Tuesday, January 17, 2017 6:04 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? On 17

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 01/16/2017 08:35 AM, Ian Cordasco wrote: > Hi everyone, > > I've seen a few nascent projects wanting to implement their own secret > storage to either replace Barbican or avoid adding a dependency on it. > When I've pressed the developers on this point, the only answer I've > received is to mak

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Tue, Jan 17, 2017 at 8:04 AM, Duncan Thomas wrote: > controls than this, but they never showed up AFAIK. And that's just the > problem - people think 'Oh, barbican is storing the cinder volume secrets, > great, we're secure' when actually barbican has made the security situation > worse not bet

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 17 January 2017 at 13:41, Dave McCowan (dmccowan) wrote: > > I don't know everything that was proposed in the Juno timeframe, or > before, but the Nova and Cinder integration has been done now. The > documentation is at [1]. A cinder user can create an encryption key > through Barbican when

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

e questions) > >Subject: Re: [openstack-dev] [all] [barbican] [security] Why are >projects trying to avoid Barbican, still? >> Yep. Barbican supports four backend secret stores. [1] >> >> The first (Simple Crypto) is easy to deploy, but not extraordinarily >> secure,

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

estions)" mailto:openstack-dev@lists.openstack.org>> Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? To give a totally different prospective on why somebody might dislike Barbican (I'm one of those people). Note that

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Just a quick note on Castellan, at the moment it's not a particularly strong abstraction for key management in general, just the openstack key management interface. The reason this is important is because if I recall correctly, Castellan requires a keystone token for auth. It should be no suprise

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Mon, Jan 16, 2017 at 6:20 PM, Amrith Kumar wrote: > Ian, > > This is a fascinating conversation. Let me offer two observations. > > First, Trove has long debated the ideal solution for storing secrets. There > have been many conversations, and Barbican has been considered many times. > We sough

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Mon, Jan 16, 2017 at 6:11 PM, Joshua Harlow wrote: >> Is the problem perhaps that no one is aware of other projects using >> Barbican? Is the status on the project navigator alarming (it looks >> like some of this information is potentially out of date)? Has >> Barbican been deemed too hard to

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 16/01/17 16:57 -0500, Jay Pipes wrote: On 01/16/2017 04:09 PM, Fox, Kevin M wrote: If the developers that had issue with the lack of functionality, contributed to Barbican rather then go off on their own, the problem would have been solved much more quickly. The lack of sharing means the prob

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 17 Jan 2017, at 11:28, Maish Saidel-Keesing mailto:mais...@maishsk.com>> wrote: Please see inline. On 17/01/17 9:36, Tim Bell wrote: ... Are we really talking about Barbican or has the conversation drifted towards Big Tent concerns? Perhaps we can flip this thread on it’s head and more p

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Qiming Teng wrote: > On Mon, Jan 16, 2017 at 08:21:02PM +, Fox, Kevin M wrote: >> IMO, This is why the big tent has been so damaging to OpenStack's progress. >> Instead of lifting the commons up, by requiring dependencies on other >> projects, there by making them commonly deployed and high q

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Please see inline. On 17/01/17 9:36, Tim Bell wrote: > >> On 17 Jan 2017, at 01:19, Brandon B. Jozsa > > wrote: >> >> Inline >> >> On January 16, 2017 at 7:04:00 PM, Fox, Kevin M (kevin@pnnl.gov >> ) wrote: >> >>> >>> I'm not stating that t

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 17 Jan 2017, at 01:19, Brandon B. Jozsa mailto:bjo...@jinkit.com>> wrote: Inline On January 16, 2017 at 7:04:00 PM, Fox, Kevin M (kevin@pnnl.gov) wrote: I'm not stating that the big tent should be abolished and we go back to the way things were. But I also

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Mon, Jan 16, 2017 at 08:21:02PM +, Fox, Kevin M wrote: > IMO, This is why the big tent has been so damaging to OpenStack's progress. > Instead of lifting the commons up, by requiring dependencies on other > projects, there by making them commonly deployed and high quality, post big > tent

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

igator/ most of the projects has been developed more than 3 years, unfortunately, they're not trusted, on the contrary, sometimes we're brave to use some 3rd party library very new. That's a little ironic. > > Thanks, > Kevin > ________________________ >

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Sent: Monday, January 16, 2017 8:36 AM > To: OpenStack Development Mailing List (not for usage questions) > > Subject: [openstack-dev] [all] [barbican] [security] Why are projects trying to > avoid Barbican, still? > > Hi everyone, > > I've seen a few nascent projects wanti

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Fox, Kevin M wrote: Your right, it is not what the big tent was about, but the big tent had some unintended side affects. The list, as you stated: * No longer having a formal incubation and graduation period/review for applying projects * Having a single, objective list of requirements and resp

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Inline On January 16, 2017 at 7:04:00 PM, Fox, Kevin M (kevin@pnnl.gov) wrote: I'm not stating that the big tent should be abolished and we go back to the way things were. But I also know the status quo is not working either. How do we fix this? Anyone have any

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Is the problem perhaps that no one is aware of other projects using Barbican? Is the status on the project navigator alarming (it looks like some of this information is potentially out of date)? Has Barbican been deemed too hard to deploy? I really want to understand why so many projects feel the

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

From: Jay Pipes [jaypi...@gmail.com] Sent: Monday, January 16, 2017 1:57 PM To: openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? On 01/16/2017 04:09 PM, Fox, Kevin M wrote: > If the de

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

The "single master token" issue is something I think a lot of services may suffer from, and it's definitely something the Barbican folks are aware of (I've made it a point to personally bring this up many times, including hijacking parts of the keystone and barbican sessions at the Tokyo, Austin, a

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

To give a totally different prospective on why somebody might dislike Barbican (I'm one of those people). Note that I'm working from pretty hazy memories so I don't guarantee I've got everything spot on, and I am without a doubt giving a very one sided view. But hey, that's the side I happen to sit

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 01/16/2017 04:09 PM, Fox, Kevin M wrote: If the developers that had issue with the lack of functionality, contributed to Barbican rather then go off on their own, the problem would have been solved much more quickly. The lack of sharing means the problems don't get fixed as fast. Agreed co

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

__ > From: Adrian Otto [adrian.o...@rackspace.com] > Sent: Monday, January 16, 2017 11:55 AM > To: OpenStack Development Mailing List (not for usage questions) > Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects > trying to av

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Tue, Jan 17, 2017 at 10:09 AM, Fox, Kevin M wrote: > As for operators, If the more common projects all started depending on it, > it would be commonly deployed. Would the operators deploy Barbican just for > Magnum? maybe not. maybe so. For Magnum, Ironic, and Sahara, more likely . > Would the

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

roject may won't be on the list unless you reimplement the wheel. > My 2 cents. > Kevin > > > From: Chris Friesen [chris.frie...@windriver.com] > Sent: Monday, January 16, 2017 9:25 AM > To: openstack-dev@lists.openstack.org > Subject:

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Kevin From: Adrian Otto [adrian.o...@rackspace.com] Sent: Monday, January 16, 2017 11:55 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? > On Jan 16, 2017, at 11:02

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

e: January 16, 2017 at 11:26:41 > To: openstack-dev@lists.openstack.org org> > Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are > projects trying to avoid Barbican, still? > > > > > On 01/16/2017 10:31 AM, Rob C wrote: > > > > > >

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

ject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still? On 01/16/2017 10:31 AM, Rob C wrote: > I think the main point has already been hit on, developers don't want to > require that Barbican be deployed in order for their service to be

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

ailing List (not for usage questions) > >> > >> Subject: Re: [openstack-dev] [all] [barbican] [security] Why are > >> projects trying to avoid Barbican, still? > >> > >>> Thanks for raising this on the mailing list Ian, I too share some of > >&g

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

-Original Message- From: Dave McCowan (dmccowan) Reply: OpenStack Development Mailing List (not for usage questions) Date: January 16, 2017 at 13:03:41 To: OpenStack Development Mailing List (not for usage questions) Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

gt; Date: January 16, 2017 at 10:33:20 >> To: OpenStack Development Mailing List (not for usage questions) >> >> Subject: Re: [openstack-dev] [all] [barbican] [security] Why are >> projects trying to avoid Barbican, still? >> >>> Thanks for raising this on the

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

; >Subject: Re: [openstack-dev] [all] [barbican] [security] Why are >projects trying to avoid Barbican, still? > >> Thanks for raising this on the mailing list Ian, I too share some of >> your consternation regarding this issue. >> >> I think the main point has alread

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

-Original Message- From: Chris Friesen Reply: OpenStack Development Mailing List (not for usage questions) Date: January 16, 2017 at 11:26:41 To: openstack-dev@lists.openstack.org Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

> > > The last I checked, Rob, they also support DogTag IPA which is purely > a Software based HSM. Hopefully the Barbican team can confirm this. > -- > Ian Cordasco > Yup, that's my understanding too. However, that requires Barbican _and_ Dogtag, an even bigger overhead. Especially as at least hi

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 01/16/2017 10:31 AM, Rob C wrote: I think the main point has already been hit on, developers don't want to require that Barbican be deployed in order for their service to be used. I think that this is a perfectly reasonable stance for developers to take. As long as Barbican is an optional

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

-Original Message- From: Rob C Reply: OpenStack Development Mailing List (not for usage questions) Date: January 16, 2017 at 10:33:20 To: OpenStack Development Mailing List (not for usage questions) Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

OpenStack Development Mailing List (not for usage questions) > > Date: January 16, 2017 at 09:26:00 > To: OpenStack Development Mailing List (not for usage questions) > > Subject: Re: [openstack-dev] [all] [barbican] [security] Why are > projects trying to avoid Barbican,

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

-Original Message- From: Hayes, Graham Reply: OpenStack Development Mailing List (not for usage questions) Date: January 16, 2017 at 09:26:00 To: OpenStack Development Mailing List (not for usage questions) Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are projects

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On 16/01/2017 13:38, Ian Cordasco wrote: > Hi everyone, > > I've seen a few nascent projects wanting to implement their own secret > storage to either replace Barbican or avoid adding a dependency on it. > When I've pressed the developers on this point, the only answer I've > received is to make th

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

On Mon, 16 Jan 2017, Ian Cordasco wrote: I really want to understand why so many projects feel the need to implement their own secrets storage. This seems a bit short-sighted and foolish. While these projects are making themselves easier to deploy, if not done properly they are potentially endan

[openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Hi everyone, I've seen a few nascent projects wanting to implement their own secret storage to either replace Barbican or avoid adding a dependency on it. When I've pressed the developers on this point, the only answer I've received is to make the operator's lives simpler. I've been struggling to