Re: [openstack-dev] [Barbican] Barebones CA
Just a quick update on this, I started work on a basic plugin but quickly found I was running out of time. I handed over to Tim Kelsey, who had a few concerns about the plumbing required to make this work, I’ve CC’d him on this thread.

-Rob

On 28/06/2014 08:03, John Wood john.w...@rackspace.com wrote:

Hello folks,

Just trying to clarify things...are we talking about a dev plugin to generate asymmetric keys, or else one to mimic working with a CA to create SSL certificates via workflow (so including firing off certificate-generated events, for example)?

If we are talking about the former, then you would be interested in a plugin that implements a method such as this one: https://github.com/openstack/barbican/blob/master/barbican/plugin/interface/secret_store.py#L167

If you are talking about the latter, then that would be a different type of plugin that handles CA workflows, as proposed in this blueprint: https://review.openstack.org/#/c/99221/

Thanks,
John

From: Nathan Kinder [nkin...@redhat.com]
Sent: Wednesday, June 25, 2014 9:43 PM
To: OpenStack Development Mailing List (not for usage questions); a...@redhat.com
Subject: Re: [openstack-dev] [Barbican] Barebones CA

On 06/25/2014 02:42 PM, Clark, Robert Graham wrote:

Ok, I’ll hack together a dev plugin over the next week or so, other work notwithstanding. Where possible I’ll probably borrow from the dog tag plugin as I’ve not looked closely at the plugin infrastructure in Barbican recently.

My understanding is that Barbican's plugin interface is currently in the midst of a redesign, so be careful not to copy something that will be changing shortly.

-NGK

Is this something you’d like a blueprint for first?

-Rob

On 25/06/2014 18:30, Ade Lee a...@redhat.com wrote:

I think the plan is to create a Dogtag instance so that integration tests can be run whenever code is checked in (both with and without a Dogtag backend).

Dogtag isn't that difficult to deploy, but being a Java app, it does bring in a set of dependencies that developers may not want to deal with for basic/devstack testing. So, I agree that a simple OpenSSL CA may be useful at least initially as a 'dev' plugin.

Ade

On Wed, 2014-06-25 at 16:31 +, Jarret Raim wrote:

Rob,

RedHat is working on a backend for Dogtag, which should be capable of doing something like that. That's still a bit hard to deploy, so it would make sense to extend the 'dev' plugin to include those features.

Jarret

On 6/24/14, 4:04 PM, Clark, Robert Graham robert.cl...@hp.com wrote:

Yeah pretty much. That’s something I’d be interested to work on, if work isn’t ongoing already.

-Rob

On 24/06/2014 18:57, John Wood john.w...@rackspace.com wrote:

Hello Robert,

I would actually hope we have a self-contained certificate plugin implementation that runs 'out of the box' to enable certificate generation orders to be evaluated and demo-ed on local boxes. Is this what you were thinking though?

Thanks,
John

From: Clark, Robert Graham [robert.cl...@hp.com]
Sent: Tuesday, June 24, 2014 10:36 AM
To: OpenStack List
Subject: [openstack-dev] [Barbican] Barebones CA

Hi all,

I’m sure this has been discussed somewhere and I’ve just missed it. Is there any value in creating a basic ‘CA’ and plugin to satisfy tests/integration in Barbican? I’m thinking something that probably performs OpenSSL certificate operations itself, ugly but perhaps useful for some things?
-Rob

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Barbican] Barebones CA
Hello folks,

Just trying to clarify things...are we talking about a dev plugin to generate asymmetric keys, or else one to mimic working with a CA to create SSL certificates via workflow (so including firing off certificate-generated events, for example)?

If we are talking about the former, then you would be interested in a plugin that implements a method such as this one: https://github.com/openstack/barbican/blob/master/barbican/plugin/interface/secret_store.py#L167

If you are talking about the latter, then that would be a different type of plugin that handles CA workflows, as proposed in this blueprint: https://review.openstack.org/#/c/99221/

Thanks,
John

From: Nathan Kinder [nkin...@redhat.com]
Sent: Wednesday, June 25, 2014 9:43 PM
To: OpenStack Development Mailing List (not for usage questions); a...@redhat.com
Subject: Re: [openstack-dev] [Barbican] Barebones CA

On 06/25/2014 02:42 PM, Clark, Robert Graham wrote:

Ok, I’ll hack together a dev plugin over the next week or so, other work notwithstanding. Where possible I’ll probably borrow from the dog tag plugin as I’ve not looked closely at the plugin infrastructure in Barbican recently.

My understanding is that Barbican's plugin interface is currently in the midst of a redesign, so be careful not to copy something that will be changing shortly.

-NGK

Is this something you’d like a blueprint for first?

-Rob

On 25/06/2014 18:30, Ade Lee a...@redhat.com wrote:

I think the plan is to create a Dogtag instance so that integration tests can be run whenever code is checked in (both with and without a Dogtag backend).

Dogtag isn't that difficult to deploy, but being a Java app, it does bring in a set of dependencies that developers may not want to deal with for basic/devstack testing. So, I agree that a simple OpenSSL CA may be useful at least initially as a 'dev' plugin.

Ade

On Wed, 2014-06-25 at 16:31 +, Jarret Raim wrote:

Rob,

RedHat is working on a backend for Dogtag, which should be capable of doing something like that. That's still a bit hard to deploy, so it would make sense to extend the 'dev' plugin to include those features.

Jarret

On 6/24/14, 4:04 PM, Clark, Robert Graham robert.cl...@hp.com wrote:

Yeah pretty much. That’s something I’d be interested to work on, if work isn’t ongoing already.

-Rob

On 24/06/2014 18:57, John Wood john.w...@rackspace.com wrote:

Hello Robert,

I would actually hope we have a self-contained certificate plugin implementation that runs 'out of the box' to enable certificate generation orders to be evaluated and demo-ed on local boxes. Is this what you were thinking though?

Thanks,
John

From: Clark, Robert Graham [robert.cl...@hp.com]
Sent: Tuesday, June 24, 2014 10:36 AM
To: OpenStack List
Subject: [openstack-dev] [Barbican] Barebones CA

Hi all,

I’m sure this has been discussed somewhere and I’ve just missed it. Is there any value in creating a basic ‘CA’ and plugin to satisfy tests/integration in Barbican? I’m thinking something that probably performs OpenSSL certificate operations itself, ugly but perhaps useful for some things?
-Rob
Re: [openstack-dev] [Barbican] Barebones CA
On 26/06/2014 03:43, Nathan Kinder nkin...@redhat.com wrote:

On 06/25/2014 02:42 PM, Clark, Robert Graham wrote:

Ok, I’ll hack together a dev plugin over the next week or so, other work notwithstanding. Where possible I’ll probably borrow from the dog tag plugin as I’ve not looked closely at the plugin infrastructure in Barbican recently.

My understanding is that Barbican's plugin interface is currently in the midst of a redesign, so be careful not to copy something that will be changing shortly.

-NGK

Good point, thanks Nathan, I’ll try to keep the ‘do-poi-stuff’ bit nicely decoupled from the ‘barbican’ bit.

Is this something you’d like a blueprint for first?

-Rob

On 25/06/2014 18:30, Ade Lee a...@redhat.com wrote:

I think the plan is to create a Dogtag instance so that integration tests can be run whenever code is checked in (both with and without a Dogtag backend).

Dogtag isn't that difficult to deploy, but being a Java app, it does bring in a set of dependencies that developers may not want to deal with for basic/devstack testing. So, I agree that a simple OpenSSL CA may be useful at least initially as a 'dev' plugin.

Ade

On Wed, 2014-06-25 at 16:31 +, Jarret Raim wrote:

Rob,

RedHat is working on a backend for Dogtag, which should be capable of doing something like that. That's still a bit hard to deploy, so it would make sense to extend the 'dev' plugin to include those features.

Jarret

On 6/24/14, 4:04 PM, Clark, Robert Graham robert.cl...@hp.com wrote:

Yeah pretty much. That’s something I’d be interested to work on, if work isn’t ongoing already.

-Rob

On 24/06/2014 18:57, John Wood john.w...@rackspace.com wrote:

Hello Robert,

I would actually hope we have a self-contained certificate plugin implementation that runs 'out of the box' to enable certificate generation orders to be evaluated and demo-ed on local boxes. Is this what you were thinking though?

Thanks,
John

From: Clark, Robert Graham [robert.cl...@hp.com]
Sent: Tuesday, June 24, 2014 10:36 AM
To: OpenStack List
Subject: [openstack-dev] [Barbican] Barebones CA

Hi all,

I’m sure this has been discussed somewhere and I’ve just missed it. Is there any value in creating a basic ‘CA’ and plugin to satisfy tests/integration in Barbican? I’m thinking something that probably performs OpenSSL certificate operations itself, ugly but perhaps useful for some things?

-Rob
Re: [openstack-dev] [Barbican] Barebones CA
I think the plan is to create a Dogtag instance so that integration tests can be run whenever code is checked in (both with and without a Dogtag backend).

Dogtag isn't that difficult to deploy, but being a Java app, it does bring in a set of dependencies that developers may not want to deal with for basic/devstack testing. So, I agree that a simple OpenSSL CA may be useful at least initially as a 'dev' plugin.

Ade

On Wed, 2014-06-25 at 16:31 +, Jarret Raim wrote:

Rob,

RedHat is working on a backend for Dogtag, which should be capable of doing something like that. That's still a bit hard to deploy, so it would make sense to extend the 'dev' plugin to include those features.

Jarret

On 6/24/14, 4:04 PM, Clark, Robert Graham robert.cl...@hp.com wrote:

Yeah pretty much. That’s something I’d be interested to work on, if work isn’t ongoing already.

-Rob

On 24/06/2014 18:57, John Wood john.w...@rackspace.com wrote:

Hello Robert,

I would actually hope we have a self-contained certificate plugin implementation that runs 'out of the box' to enable certificate generation orders to be evaluated and demo-ed on local boxes. Is this what you were thinking though?

Thanks,
John

From: Clark, Robert Graham [robert.cl...@hp.com]
Sent: Tuesday, June 24, 2014 10:36 AM
To: OpenStack List
Subject: [openstack-dev] [Barbican] Barebones CA

Hi all,

I’m sure this has been discussed somewhere and I’ve just missed it. Is there any value in creating a basic ‘CA’ and plugin to satisfy tests/integration in Barbican? I’m thinking something that probably performs OpenSSL certificate operations itself, ugly but perhaps useful for some things?
-Rob
Re: [openstack-dev] [Barbican] Barebones CA
Ok, I’ll hack together a dev plugin over the next week or so, other work notwithstanding. Where possible I’ll probably borrow from the dog tag plugin as I’ve not looked closely at the plugin infrastructure in Barbican recently.

Is this something you’d like a blueprint for first?

-Rob

On 25/06/2014 18:30, Ade Lee a...@redhat.com wrote:

I think the plan is to create a Dogtag instance so that integration tests can be run whenever code is checked in (both with and without a Dogtag backend).

Dogtag isn't that difficult to deploy, but being a Java app, it does bring in a set of dependencies that developers may not want to deal with for basic/devstack testing. So, I agree that a simple OpenSSL CA may be useful at least initially as a 'dev' plugin.

Ade

On Wed, 2014-06-25 at 16:31 +, Jarret Raim wrote:

Rob,

RedHat is working on a backend for Dogtag, which should be capable of doing something like that. That's still a bit hard to deploy, so it would make sense to extend the 'dev' plugin to include those features.

Jarret

On 6/24/14, 4:04 PM, Clark, Robert Graham robert.cl...@hp.com wrote:

Yeah pretty much. That’s something I’d be interested to work on, if work isn’t ongoing already.

-Rob

On 24/06/2014 18:57, John Wood john.w...@rackspace.com wrote:

Hello Robert,

I would actually hope we have a self-contained certificate plugin implementation that runs 'out of the box' to enable certificate generation orders to be evaluated and demo-ed on local boxes. Is this what you were thinking though?

Thanks,
John

From: Clark, Robert Graham [robert.cl...@hp.com]
Sent: Tuesday, June 24, 2014 10:36 AM
To: OpenStack List
Subject: [openstack-dev] [Barbican] Barebones CA

Hi all,

I’m sure this has been discussed somewhere and I’ve just missed it. Is there any value in creating a basic ‘CA’ and plugin to satisfy tests/integration in Barbican? I’m thinking something that probably performs OpenSSL certificate operations itself, ugly but perhaps useful for some things?
-Rob
Re: [openstack-dev] [Barbican] Barebones CA
On 06/25/2014 02:42 PM, Clark, Robert Graham wrote:

Ok, I’ll hack together a dev plugin over the next week or so, other work notwithstanding. Where possible I’ll probably borrow from the dog tag plugin as I’ve not looked closely at the plugin infrastructure in Barbican recently.

My understanding is that Barbican's plugin interface is currently in the midst of a redesign, so be careful not to copy something that will be changing shortly.

-NGK

Is this something you’d like a blueprint for first?

-Rob

On 25/06/2014 18:30, Ade Lee a...@redhat.com wrote:

I think the plan is to create a Dogtag instance so that integration tests can be run whenever code is checked in (both with and without a Dogtag backend).

Dogtag isn't that difficult to deploy, but being a Java app, it does bring in a set of dependencies that developers may not want to deal with for basic/devstack testing. So, I agree that a simple OpenSSL CA may be useful at least initially as a 'dev' plugin.

Ade

On Wed, 2014-06-25 at 16:31 +, Jarret Raim wrote:

Rob,

RedHat is working on a backend for Dogtag, which should be capable of doing something like that. That's still a bit hard to deploy, so it would make sense to extend the 'dev' plugin to include those features.

Jarret

On 6/24/14, 4:04 PM, Clark, Robert Graham robert.cl...@hp.com wrote:

Yeah pretty much. That’s something I’d be interested to work on, if work isn’t ongoing already.

-Rob

On 24/06/2014 18:57, John Wood john.w...@rackspace.com wrote:

Hello Robert,

I would actually hope we have a self-contained certificate plugin implementation that runs 'out of the box' to enable certificate generation orders to be evaluated and demo-ed on local boxes. Is this what you were thinking though?

Thanks,
John

From: Clark, Robert Graham [robert.cl...@hp.com]
Sent: Tuesday, June 24, 2014 10:36 AM
To: OpenStack List
Subject: [openstack-dev] [Barbican] Barebones CA

Hi all,

I’m sure this has been discussed somewhere and I’ve just missed it. Is there any value in creating a basic ‘CA’ and plugin to satisfy tests/integration in Barbican? I’m thinking something that probably performs OpenSSL certificate operations itself, ugly but perhaps useful for some things?

-Rob
Re: [openstack-dev] [Barbican] Barebones CA
Hello Robert,

I would actually hope we have a self-contained certificate plugin implementation that runs 'out of the box' to enable certificate generation orders to be evaluated and demo-ed on local boxes. Is this what you were thinking though?

Thanks,
John

From: Clark, Robert Graham [robert.cl...@hp.com]
Sent: Tuesday, June 24, 2014 10:36 AM
To: OpenStack List
Subject: [openstack-dev] [Barbican] Barebones CA

Hi all,

I’m sure this has been discussed somewhere and I’ve just missed it. Is there any value in creating a basic ‘CA’ and plugin to satisfy tests/integration in Barbican? I’m thinking something that probably performs OpenSSL certificate operations itself, ugly but perhaps useful for some things?

-Rob
Re: [openstack-dev] [Barbican] Barebones CA
Yeah pretty much. That’s something I’d be interested to work on, if work isn’t ongoing already.

-Rob

On 24/06/2014 18:57, John Wood john.w...@rackspace.com wrote:

Hello Robert,

I would actually hope we have a self-contained certificate plugin implementation that runs 'out of the box' to enable certificate generation orders to be evaluated and demo-ed on local boxes. Is this what you were thinking though?

Thanks,
John

From: Clark, Robert Graham [robert.cl...@hp.com]
Sent: Tuesday, June 24, 2014 10:36 AM
To: OpenStack List
Subject: [openstack-dev] [Barbican] Barebones CA

Hi all,

I’m sure this has been discussed somewhere and I’ve just missed it. Is there any value in creating a basic ‘CA’ and plugin to satisfy tests/integration in Barbican? I’m thinking something that probably performs OpenSSL certificate operations itself, ugly but perhaps useful for some things?

-Rob