Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-14 Thread Douglas Mendizábal
t;>>>> it is disallowed, I will suggest Magnum team to pursue >>>>> other options. >>>>> >>>>> So, for the original question, does Keystone team allow us >>>>> to store encrypted data in Keystone? A point of view is >

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-14 Thread Hongbin Lu
am > >> allows us to pursue the first option. If it is disallowed, I will > >> suggest Magnum team to pursue other options. > >> > >> So, for the original question, does Keystone team allow us to store > >> encrypted data in Keystone? A point of vie

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-14 Thread Nathan Reller
ring un-encrypted data). Would I >> confirm if Keystone team agrees (or doesn’t disagree) with this >> point of view? >> >> >> >> [1] https://etherpad.openstack.org/p/magnum-barbican-alternative >> >> >> >> Best regards, >> &g

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Douglas Mendizábal
point of view? > > > > [1] https://etherpad.openstack.org/p/magnum-barbican-alternative > > > > Best regards, > > Hongbin > > > > *From:*Morgan Fainberg [mailto:morgan.fainb...@gmail.com] *Sent:* > April-13-16 12:08 AM *To:* OpenStack Development Maili

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Clint Byrum
Excerpts from Clayton O'Neill's message of 2016-04-13 07:37:16 -0700: > On Wed, Apr 13, 2016 at 10:26 AM, rezroo wrote: > > Hi Kevin, > > > > I understand that this is how it is now. My question is how bad would it be > > to wrap the Barbican client library calls in another

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Clint Byrum
Excerpts from Douglas Mendizábal's message of 2016-04-13 10:01:21 -0700: > Hash: SHA512 > > Hi Reza, > > The Barbican team has already abstracted python-barbicanclient into a > general purpose key-storage library called Castellan [1] > > There are a few OpenStack projects that have planned to

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Douglas Mendizábal
dy had >>> to deploy. Ive deployed both ha setups and barbican before. Ha >>> is way worse. >>> >>> Thanks, Kevin >>> >>> * >>> >>> * >>> - >&

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Fox, Kevin M
: Wednesday, April 13, 2016 7:37 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates On Wed, Apr 13, 2016 at 10:26 AM, rezroo <openst...@roodsari.us> wrote: > Hi Kev

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Adam Young
On 04/12/2016 03:43 PM, Hongbin Lu wrote: Hi all, In short, some Magnum team members proposed to store TLS certificates in Keystone credential store. As Magnum PTL, I want to get agreements (or non-disagreement) from OpenStack community in general, Keystone community in particular, before

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Ian Cordasco
t;openstack-dev@lists.openstack.org> Subject:  Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates > I think we need to ask who we are lowering the barrier of entry for. Are we > going down this path because we want developers to have less th

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Lance Bragstad
I think we need to ask who we are lowering the barrier of entry for. Are we going down this path because we want developers to have less things to do to stand up a development environment? Or do we want to make it easy for people to realistically test? If you're going to realistically vet magnum,

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Ian Cordasco
t;openstack-dev@lists.openstack.org> Subject:  Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates > On Wed, Apr 13, 2016 at 10:26 AM, rezroo wrote: > > Hi Kevin, > > > > I understand that this is how it is now. My question is how b

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Hongbin Lu
To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates On Tue, Apr 12, 2016 at 8:06 PM, Adrian Otto <adrian.o...@rackspace.com<mailto:adrian.o...@rackspace.com>> wrote: Pleas

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Clayton O'Neill
On Wed, Apr 13, 2016 at 10:26 AM, rezroo wrote: > Hi Kevin, > > I understand that this is how it is now. My question is how bad would it be > to wrap the Barbican client library calls in another class and claim, for > all practical purposes, that Magnum has no direct

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread rezroo
m:* Adrian Otto *Sent:* Tuesday, April 12, 2016 8:06:03 PM *To:* OpenStack Development Mailing List (not for usage questions) *Subject:* Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates Please don't miss the point here. We are seeking

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread Fox, Kevin M
8:06:03 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates Please don't miss the point here. We are seeking a solution that allows a location to place a client side encrypted bl

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-13 Thread rezroo
, April 12, 2016 8:06:03 PM *To:* OpenStack Development Mailing List (not for usage questions) *Subject:* Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates Please don't miss the point here. We are seeking a solution that allows a location to plac

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-12 Thread Fox, Kevin M
ha setups and barbican before. Ha is way worse. Thanks, Kevin From: Adrian Otto Sent: Tuesday, April 12, 2016 8:06:03 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-12 Thread Morgan Fainberg
On Tue, Apr 12, 2016 at 8:06 PM, Adrian Otto wrote: > Please don't miss the point here. We are seeking a solution that allows a > location to place a client side encrypted blob of data (A TLS cert) that > multiple magnum-conductor processes on different hosts can reach

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-12 Thread Adrian Otto
Please don't miss the point here. We are seeking a solution that allows a location to place a client side encrypted blob of data (A TLS cert) that multiple magnum-conductor processes on different hosts can reach over the network. We *already* support using Barbican for this purpose, as well as

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-12 Thread Dolph Mathews
On Tue, Apr 12, 2016 at 3:27 PM, Lance Bragstad wrote: > Keystone's credential API pre-dates barbican. We started talking about > having the credential API back to barbican after it was a thing. I'm not > sure if any work has been done to move the credential API in this >

Re: [openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-12 Thread Lance Bragstad
Keystone's credential API pre-dates barbican. We started talking about having the credential API back to barbican after it was a thing. I'm not sure if any work has been done to move the credential API in this direction. From a security perspective, I think it would make sense for keystone to back

[openstack-dev] [magnum][keystone][all] Using Keystone /v3/credentials to store TLS certificates

2016-04-12 Thread Hongbin Lu
Hi all, In short, some Magnum team members proposed to store TLS certificates in Keystone credential store. As Magnum PTL, I want to get agreements (or non-disagreement) from OpenStack community in general, Keystone community in particular, before approving the direction. In details, Magnum