Re: [openstack-dev] [Heat]Heat template parameters encryption

2014-06-12 Thread Clint Byrum
I tend to agree with you Keith, securing Heat is Heat's problem. Securing Nova is nova's problem. And I too would expect that those with admin access to Heat, would not have admin access to Nova. That is why we split these things up with API's. I still prefer that users encrypt secrets on the

Re: [openstack-dev] [Heat]Heat template parameters encryption

2014-06-11 Thread Keith Bray
On 6/11/14 2:43 AM, Steven Hardy sha...@redhat.com wrote: IMO, when a template author marks a parameter as hidden/secret, it seems incorrect to store that information in plain text. Well I'd still question why we're doing this, as my previous questions have not been answered: - AFAIK nova

Re: [openstack-dev] [Heat]Heat template parameters encryption

2014-06-11 Thread Steven Hardy
On Tue, Jun 10, 2014 at 05:24:36PM +, Vijendar Komalla wrote: Hi Devs/All, Does any one have comments/objections for following interim solution? 1. Add a config option to enable/disable parameter encryption and set default value to disable 2. Encrypt parameters that were marked as hidden

Re: [openstack-dev] [Heat]Heat template parameters encryption

2014-06-05 Thread Steven Hardy
On Thu, Jun 05, 2014 at 12:17:07AM +, Randall Burt wrote: On Jun 4, 2014, at 7:05 PM, Clint Byrum cl...@fewbar.com wrote: Excerpts from Zane Bitter's message of 2014-06-04 16:19:05 -0700: On 04/06/14 15:58, Vijendar Komalla wrote: Hi Devs, I have submitted an WIP review

Re: [openstack-dev] [Heat]Heat template parameters encryption

2014-06-05 Thread Clint Byrum
Excerpts from Steven Hardy's message of 2014-06-05 02:23:40 -0700: On Thu, Jun 05, 2014 at 12:17:07AM +, Randall Burt wrote: On Jun 4, 2014, at 7:05 PM, Clint Byrum cl...@fewbar.com wrote: Excerpts from Zane Bitter's message of 2014-06-04 16:19:05 -0700: On 04/06/14 15:58,

Re: [openstack-dev] [Heat]Heat template parameters encryption

2014-06-05 Thread Vijendar Komalla
I am not sure when Barbican would be stable/ready. As an interim solution, what do you guys think about having a config option to enable/disable parameter encryption (along with my current implementation)? On 6/5/14 4:23 AM, Steven Hardy sha...@redhat.com wrote: On Thu, Jun 05, 2014 at

Re: [openstack-dev] [Heat]Heat template parameters encryption

2014-06-04 Thread Clint Byrum
Excerpts from Zane Bitter's message of 2014-06-04 16:19:05 -0700: On 04/06/14 15:58, Vijendar Komalla wrote: Hi Devs, I have submitted an WIP review (https://review.openstack.org/#/c/97900/) for Heat parameters encryption blueprint

Re: [openstack-dev] [Heat]Heat template parameters encryption

2014-06-04 Thread Randall Burt
On Jun 4, 2014, at 7:05 PM, Clint Byrum cl...@fewbar.com wrote: Excerpts from Zane Bitter's message of 2014-06-04 16:19:05 -0700: On 04/06/14 15:58, Vijendar Komalla wrote: Hi Devs, I have submitted an WIP review (https://review.openstack.org/#/c/97900/) for Heat parameters encryption

Re: [openstack-dev] [Heat]Heat template parameters encryption

2014-06-04 Thread Randall Burt
On Jun 4, 2014, at 7:30 PM, Clint Byrum cl...@fewbar.com wrote: Excerpts from Randall Burt's message of 2014-06-04 17:17:07 -0700: On Jun 4, 2014, at 7:05 PM, Clint Byrum cl...@fewbar.com wrote: Excerpts from Zane Bitter's message of 2014-06-04 16:19:05 -0700: On 04/06/14 15:58, Vijendar