Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
I have been a fan of this from the very beginning of the project as well. I think oslo is the obvious correct place for a library that should define core interfaces for use by many openstack projects. Also, whether you have seen it or not, I have *definitely* seen real instances where people shied away from using castellan or contributing to it because it seemed "no different than just barbican, created and owned by the same people". That was never the goal, and though it's difficult to point to specific instances, there were many times during discussions that I thought explaining it was part of oslo would have totally changed the tone and direction of the conversation. The naming of things is no joke -- there is significant psychological emphasis given to the "name of a thing" that can be seen in many cultures all through literature and tradition. Some of you may think of this as a meaningless gesture, but I am personally very sure it is not. +1 from me as an interested user/contributor. Personally I'd go in for the complete rename to oslo.keymanager, but just oslo is a good start. --Adam Harwell On Wed, Mar 22, 2017, 00:34 Flavio Percocowrote: > On 16/03/17 12:43 -0400, Davanum Srinivas wrote: > >+1 from me to bring castellan under Oslo governance with folks from > >both oslo and Barbican as reviewers without a project rename. Let's > >see if that helps get more adoption of castellan > > This sounds like a great path forward! +1 > > Flavio > > >Thanks, > >Dims > > > >On Thu, Mar 16, 2017 at 12:25 PM, Farr, Kaitlin M. > > wrote: > >> This thread has generated quite the discussion, so I will try to > >> address a few points in this email, echoing a lot of what Dave said. > >> > >> Clint originally explained what we are trying to solve very well. The > hope was > >> that the rename would emphasize that Castellan is just a basic > >> interface that supports operations common between key managers > >> (the existing Barbican back end and other back ends that may exist > >> in the future), much like oslo.db supports the common operations > >> between PostgreSQL and MySQL. The thought was that renaming to have > >> oslo part of the name would help reinforce that it's just an interface, > >> rather than a standalone key manager. Right now, the only Castellan > >> back end that would work in DevStack is Barbican. There has been talk > >> in the past for creating other Castellan back ends (Vault or Tang), but > >> no one has committed to writing the code for those yet. > >> > >> The intended proposal was to rename the project, maintain the current > >> review team (which is only a handful of Barbican people), and bring on > >> a few Oslo folks, if any were available and interested, to give advice > >> about (and +2s for) OpenStack library best practices. However, perhaps > >> pulling it under oslo's umbrella without a rename is blessing it enough. > >> > >> In response to Julien's proposal to make Castellan "the way you can do > >> key management in Python" -- it would be great if Castellan were that > >> abstract, but in practice it is pretty OpenStack-specific. Currently, > >> the Barbican team is great at working on key management projects > >> (including both Barbican and Castellan), but a lot of our focus now is > >> how we can maintain and grow integration with the rest of the OpenStack > >> projects, for which having the name and expertise of oslo would be a > >> great help. > >> > >> Thanks, > >> > >> Kaitlin > >> > __ > >> OpenStack Development Mailing List (not for usage questions) > >> Unsubscribe: > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > > > > >-- > >Davanum Srinivas :: https://twitter.com/dims > > > >__ > >OpenStack Development Mailing List (not for usage questions) > >Unsubscribe: > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > -- > @flaper87 > Flavio Percoco > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
On 16/03/17 12:43 -0400, Davanum Srinivas wrote: +1 from me to bring castellan under Oslo governance with folks from both oslo and Barbican as reviewers without a project rename. Let's see if that helps get more adoption of castellan This sounds like a great path forward! +1 Flavio Thanks, Dims On Thu, Mar 16, 2017 at 12:25 PM, Farr, Kaitlin M.wrote: This thread has generated quite the discussion, so I will try to address a few points in this email, echoing a lot of what Dave said. Clint originally explained what we are trying to solve very well. The hope was that the rename would emphasize that Castellan is just a basic interface that supports operations common between key managers (the existing Barbican back end and other back ends that may exist in the future), much like oslo.db supports the common operations between PostgreSQL and MySQL. The thought was that renaming to have oslo part of the name would help reinforce that it's just an interface, rather than a standalone key manager. Right now, the only Castellan back end that would work in DevStack is Barbican. There has been talk in the past for creating other Castellan back ends (Vault or Tang), but no one has committed to writing the code for those yet. The intended proposal was to rename the project, maintain the current review team (which is only a handful of Barbican people), and bring on a few Oslo folks, if any were available and interested, to give advice about (and +2s for) OpenStack library best practices. However, perhaps pulling it under oslo's umbrella without a rename is blessing it enough. In response to Julien's proposal to make Castellan "the way you can do key management in Python" -- it would be great if Castellan were that abstract, but in practice it is pretty OpenStack-specific. Currently, the Barbican team is great at working on key management projects (including both Barbican and Castellan), but a lot of our focus now is how we can maintain and grow integration with the rest of the OpenStack projects, for which having the name and expertise of oslo would be a great help. Thanks, Kaitlin __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- @flaper87 Flavio Percoco signature.asc Description: PGP signature __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
On Mon, Mar 20, 2017 at 12:23 PM, Dave McCowan (dmccowan)wrote: > +1 from me. That looks easy to implement and maintain. > > On 3/20/17, 2:49 PM, "Davanum Srinivas" wrote: > >>Dave, >> >>Here's the precendent from oslo.policy: >>https://review.openstack.org/#/admin/groups/556,members >> >>The reason for setting it up this way with individuals + oslo core + >>keystone core is to make sure both core teams are involved in the >>review process and any future contributors who are not part of either >>team can be give core rights in oslo.policy. >> >>Is it ok to continue this model? >> >>Thanks, >>Dims >> >>On Mon, Mar 20, 2017 at 9:20 AM, Dave McCowan (dmccowan) >> wrote: >>> This sounds good to me. I see it as a "promotion" for Castellan into >>>the >>> core of OpenStack. I think a good first step in this direction is to >>> create a castellan-drivers team in Launchpad and a castellan-core team >>>in >>> Gerrit. We can seed the list with Barbican core reviewers and any Oslo >>> volunteers. >>> >>> The Barbican/Castellan weekly IRC meeting is today at 2000UTC in >>> #openstack-meeting-alt, if anyone want to join to discuss. >>> >>> Thanks! >>> dave-mccowan >>> >>> On 3/16/17, 12:43 PM, "Davanum Srinivas" wrote: >>> +1 from me to bring castellan under Oslo governance with folks from both oslo and Barbican as reviewers without a project rename. Let's see if that helps get more adoption of castellan Thanks, Dims On Thu, Mar 16, 2017 at 12:25 PM, Farr, Kaitlin M. wrote: > This thread has generated quite the discussion, so I will try to > address a few points in this email, echoing a lot of what Dave said. > > Clint originally explained what we are trying to solve very well. The >hope was > that the rename would emphasize that Castellan is just a basic > interface that supports operations common between key managers > (the existing Barbican back end and other back ends that may exist > in the future), much like oslo.db supports the common operations > between PostgreSQL and MySQL. The thought was that renaming to have > oslo part of the name would help reinforce that it's just an >interface, > rather than a standalone key manager. Right now, the only Castellan > back end that would work in DevStack is Barbican. There has been talk > in the past for creating other Castellan back ends (Vault or Tang), >but > no one has committed to writing the code for those yet. > > The intended proposal was to rename the project, maintain the current > review team (which is only a handful of Barbican people), and bring on > a few Oslo folks, if any were available and interested, to give advice > about (and +2s for) OpenStack library best practices. However, perhaps > pulling it under oslo's umbrella without a rename is blessing it >enough. > > In response to Julien's proposal to make Castellan "the way you can do > key management in Python" -- it would be great if Castellan were that > abstract, but in practice it is pretty OpenStack-specific. Currently, > the Barbican team is great at working on key management projects > (including both Barbican and Castellan), but a lot of our focus now is > how we can maintain and grow integration with the rest of the >OpenStack > projects, for which having the name and expertise of oslo would be a > great help. > > Thanks, > > Kaitlin > >___ >__ >_ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: >openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>> >>> >>> >>>_ >>>_ >>> OpenStack Development Mailing List (not for usage questions) >>> Unsubscribe: >>>openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> >> >>-- >>Davanum Srinivas :: https://twitter.com/dims >> >>__ >>OpenStack Development Mailing List (not for usage questions) >>Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > >
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
+1 from me. That looks easy to implement and maintain. On 3/20/17, 2:49 PM, "Davanum Srinivas"wrote: >Dave, > >Here's the precendent from oslo.policy: >https://review.openstack.org/#/admin/groups/556,members > >The reason for setting it up this way with individuals + oslo core + >keystone core is to make sure both core teams are involved in the >review process and any future contributors who are not part of either >team can be give core rights in oslo.policy. > >Is it ok to continue this model? > >Thanks, >Dims > >On Mon, Mar 20, 2017 at 9:20 AM, Dave McCowan (dmccowan) > wrote: >> This sounds good to me. I see it as a "promotion" for Castellan into >>the >> core of OpenStack. I think a good first step in this direction is to >> create a castellan-drivers team in Launchpad and a castellan-core team >>in >> Gerrit. We can seed the list with Barbican core reviewers and any Oslo >> volunteers. >> >> The Barbican/Castellan weekly IRC meeting is today at 2000UTC in >> #openstack-meeting-alt, if anyone want to join to discuss. >> >> Thanks! >> dave-mccowan >> >> On 3/16/17, 12:43 PM, "Davanum Srinivas" wrote: >> >>>+1 from me to bring castellan under Oslo governance with folks from >>>both oslo and Barbican as reviewers without a project rename. Let's >>>see if that helps get more adoption of castellan >>> >>>Thanks, >>>Dims >>> >>>On Thu, Mar 16, 2017 at 12:25 PM, Farr, Kaitlin M. >>> wrote: This thread has generated quite the discussion, so I will try to address a few points in this email, echoing a lot of what Dave said. Clint originally explained what we are trying to solve very well. The hope was that the rename would emphasize that Castellan is just a basic interface that supports operations common between key managers (the existing Barbican back end and other back ends that may exist in the future), much like oslo.db supports the common operations between PostgreSQL and MySQL. The thought was that renaming to have oslo part of the name would help reinforce that it's just an interface, rather than a standalone key manager. Right now, the only Castellan back end that would work in DevStack is Barbican. There has been talk in the past for creating other Castellan back ends (Vault or Tang), but no one has committed to writing the code for those yet. The intended proposal was to rename the project, maintain the current review team (which is only a handful of Barbican people), and bring on a few Oslo folks, if any were available and interested, to give advice about (and +2s for) OpenStack library best practices. However, perhaps pulling it under oslo's umbrella without a rename is blessing it enough. In response to Julien's proposal to make Castellan "the way you can do key management in Python" -- it would be great if Castellan were that abstract, but in practice it is pretty OpenStack-specific. Currently, the Barbican team is great at working on key management projects (including both Barbican and Castellan), but a lot of our focus now is how we can maintain and grow integration with the rest of the OpenStack projects, for which having the name and expertise of oslo would be a great help. Thanks, Kaitlin ___ __ _ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>> >>> >>> >>>-- >>>Davanum Srinivas :: https://twitter.com/dims >>> >>> >>>__ >>>OpenStack Development Mailing List (not for usage questions) >>>Unsubscribe: >>>openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> >> >>_ >>_ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >>openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > >-- >Davanum Srinivas :: https://twitter.com/dims > >__ >OpenStack Development Mailing List (not for usage questions) >Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
Dave, Here's the precendent from oslo.policy: https://review.openstack.org/#/admin/groups/556,members The reason for setting it up this way with individuals + oslo core + keystone core is to make sure both core teams are involved in the review process and any future contributors who are not part of either team can be give core rights in oslo.policy. Is it ok to continue this model? Thanks, Dims On Mon, Mar 20, 2017 at 9:20 AM, Dave McCowan (dmccowan)wrote: > This sounds good to me. I see it as a "promotion" for Castellan into the > core of OpenStack. I think a good first step in this direction is to > create a castellan-drivers team in Launchpad and a castellan-core team in > Gerrit. We can seed the list with Barbican core reviewers and any Oslo > volunteers. > > The Barbican/Castellan weekly IRC meeting is today at 2000UTC in > #openstack-meeting-alt, if anyone want to join to discuss. > > Thanks! > dave-mccowan > > On 3/16/17, 12:43 PM, "Davanum Srinivas" wrote: > >>+1 from me to bring castellan under Oslo governance with folks from >>both oslo and Barbican as reviewers without a project rename. Let's >>see if that helps get more adoption of castellan >> >>Thanks, >>Dims >> >>On Thu, Mar 16, 2017 at 12:25 PM, Farr, Kaitlin M. >> wrote: >>> This thread has generated quite the discussion, so I will try to >>> address a few points in this email, echoing a lot of what Dave said. >>> >>> Clint originally explained what we are trying to solve very well. The >>>hope was >>> that the rename would emphasize that Castellan is just a basic >>> interface that supports operations common between key managers >>> (the existing Barbican back end and other back ends that may exist >>> in the future), much like oslo.db supports the common operations >>> between PostgreSQL and MySQL. The thought was that renaming to have >>> oslo part of the name would help reinforce that it's just an interface, >>> rather than a standalone key manager. Right now, the only Castellan >>> back end that would work in DevStack is Barbican. There has been talk >>> in the past for creating other Castellan back ends (Vault or Tang), but >>> no one has committed to writing the code for those yet. >>> >>> The intended proposal was to rename the project, maintain the current >>> review team (which is only a handful of Barbican people), and bring on >>> a few Oslo folks, if any were available and interested, to give advice >>> about (and +2s for) OpenStack library best practices. However, perhaps >>> pulling it under oslo's umbrella without a rename is blessing it enough. >>> >>> In response to Julien's proposal to make Castellan "the way you can do >>> key management in Python" -- it would be great if Castellan were that >>> abstract, but in practice it is pretty OpenStack-specific. Currently, >>> the Barbican team is great at working on key management projects >>> (including both Barbican and Castellan), but a lot of our focus now is >>> how we can maintain and grow integration with the rest of the OpenStack >>> projects, for which having the name and expertise of oslo would be a >>> great help. >>> >>> Thanks, >>> >>> Kaitlin >>> >>>_ >>>_ >>> OpenStack Development Mailing List (not for usage questions) >>> Unsubscribe: >>>openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> >> >>-- >>Davanum Srinivas :: https://twitter.com/dims >> >>__ >>OpenStack Development Mailing List (not for usage questions) >>Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
This sounds good to me. I see it as a "promotion" for Castellan into the core of OpenStack. I think a good first step in this direction is to create a castellan-drivers team in Launchpad and a castellan-core team in Gerrit. We can seed the list with Barbican core reviewers and any Oslo volunteers. The Barbican/Castellan weekly IRC meeting is today at 2000UTC in #openstack-meeting-alt, if anyone want to join to discuss. Thanks! dave-mccowan On 3/16/17, 12:43 PM, "Davanum Srinivas"wrote: >+1 from me to bring castellan under Oslo governance with folks from >both oslo and Barbican as reviewers without a project rename. Let's >see if that helps get more adoption of castellan > >Thanks, >Dims > >On Thu, Mar 16, 2017 at 12:25 PM, Farr, Kaitlin M. > wrote: >> This thread has generated quite the discussion, so I will try to >> address a few points in this email, echoing a lot of what Dave said. >> >> Clint originally explained what we are trying to solve very well. The >>hope was >> that the rename would emphasize that Castellan is just a basic >> interface that supports operations common between key managers >> (the existing Barbican back end and other back ends that may exist >> in the future), much like oslo.db supports the common operations >> between PostgreSQL and MySQL. The thought was that renaming to have >> oslo part of the name would help reinforce that it's just an interface, >> rather than a standalone key manager. Right now, the only Castellan >> back end that would work in DevStack is Barbican. There has been talk >> in the past for creating other Castellan back ends (Vault or Tang), but >> no one has committed to writing the code for those yet. >> >> The intended proposal was to rename the project, maintain the current >> review team (which is only a handful of Barbican people), and bring on >> a few Oslo folks, if any were available and interested, to give advice >> about (and +2s for) OpenStack library best practices. However, perhaps >> pulling it under oslo's umbrella without a rename is blessing it enough. >> >> In response to Julien's proposal to make Castellan "the way you can do >> key management in Python" -- it would be great if Castellan were that >> abstract, but in practice it is pretty OpenStack-specific. Currently, >> the Barbican team is great at working on key management projects >> (including both Barbican and Castellan), but a lot of our focus now is >> how we can maintain and grow integration with the rest of the OpenStack >> projects, for which having the name and expertise of oslo would be a >> great help. >> >> Thanks, >> >> Kaitlin >> >>_ >>_ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >>openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > >-- >Davanum Srinivas :: https://twitter.com/dims > >__ >OpenStack Development Mailing List (not for usage questions) >Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
I'd be fine with it also, not sure it will change much, but meh, worth a shot. We are all happy loving people after all, so might as well try to help others when we can :-P -Josh Davanum Srinivas wrote: +1 from me to bring castellan under Oslo governance with folks from both oslo and Barbican as reviewers without a project rename. Let's see if that helps get more adoption of castellan Thanks, Dims On Thu, Mar 16, 2017 at 12:25 PM, Farr, Kaitlin M.wrote: This thread has generated quite the discussion, so I will try to address a few points in this email, echoing a lot of what Dave said. Clint originally explained what we are trying to solve very well. The hope was that the rename would emphasize that Castellan is just a basic interface that supports operations common between key managers (the existing Barbican back end and other back ends that may exist in the future), much like oslo.db supports the common operations between PostgreSQL and MySQL. The thought was that renaming to have oslo part of the name would help reinforce that it's just an interface, rather than a standalone key manager. Right now, the only Castellan back end that would work in DevStack is Barbican. There has been talk in the past for creating other Castellan back ends (Vault or Tang), but no one has committed to writing the code for those yet. The intended proposal was to rename the project, maintain the current review team (which is only a handful of Barbican people), and bring on a few Oslo folks, if any were available and interested, to give advice about (and +2s for) OpenStack library best practices. However, perhaps pulling it under oslo's umbrella without a rename is blessing it enough. In response to Julien's proposal to make Castellan "the way you can do key management in Python" -- it would be great if Castellan were that abstract, but in practice it is pretty OpenStack-specific. Currently, the Barbican team is great at working on key management projects (including both Barbican and Castellan), but a lot of our focus now is how we can maintain and grow integration with the rest of the OpenStack projects, for which having the name and expertise of oslo would be a great help. Thanks, Kaitlin __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
+1 from me to bring castellan under Oslo governance with folks from both oslo and Barbican as reviewers without a project rename. Let's see if that helps get more adoption of castellan Thanks, Dims On Thu, Mar 16, 2017 at 12:25 PM, Farr, Kaitlin M.wrote: > This thread has generated quite the discussion, so I will try to > address a few points in this email, echoing a lot of what Dave said. > > Clint originally explained what we are trying to solve very well. The hope was > that the rename would emphasize that Castellan is just a basic > interface that supports operations common between key managers > (the existing Barbican back end and other back ends that may exist > in the future), much like oslo.db supports the common operations > between PostgreSQL and MySQL. The thought was that renaming to have > oslo part of the name would help reinforce that it's just an interface, > rather than a standalone key manager. Right now, the only Castellan > back end that would work in DevStack is Barbican. There has been talk > in the past for creating other Castellan back ends (Vault or Tang), but > no one has committed to writing the code for those yet. > > The intended proposal was to rename the project, maintain the current > review team (which is only a handful of Barbican people), and bring on > a few Oslo folks, if any were available and interested, to give advice > about (and +2s for) OpenStack library best practices. However, perhaps > pulling it under oslo's umbrella without a rename is blessing it enough. > > In response to Julien's proposal to make Castellan "the way you can do > key management in Python" -- it would be great if Castellan were that > abstract, but in practice it is pretty OpenStack-specific. Currently, > the Barbican team is great at working on key management projects > (including both Barbican and Castellan), but a lot of our focus now is > how we can maintain and grow integration with the rest of the OpenStack > projects, for which having the name and expertise of oslo would be a > great help. > > Thanks, > > Kaitlin > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
This thread has generated quite the discussion, so I will try to address a few points in this email, echoing a lot of what Dave said. Clint originally explained what we are trying to solve very well. The hope was that the rename would emphasize that Castellan is just a basic interface that supports operations common between key managers (the existing Barbican back end and other back ends that may exist in the future), much like oslo.db supports the common operations between PostgreSQL and MySQL. The thought was that renaming to have oslo part of the name would help reinforce that it's just an interface, rather than a standalone key manager. Right now, the only Castellan back end that would work in DevStack is Barbican. There has been talk in the past for creating other Castellan back ends (Vault or Tang), but no one has committed to writing the code for those yet. The intended proposal was to rename the project, maintain the current review team (which is only a handful of Barbican people), and bring on a few Oslo folks, if any were available and interested, to give advice about (and +2s for) OpenStack library best practices. However, perhaps pulling it under oslo's umbrella without a rename is blessing it enough. In response to Julien's proposal to make Castellan "the way you can do key management in Python" -- it would be great if Castellan were that abstract, but in practice it is pretty OpenStack-specific. Currently, the Barbican team is great at working on key management projects (including both Barbican and Castellan), but a lot of our focus now is how we can maintain and grow integration with the rest of the OpenStack projects, for which having the name and expertise of oslo would be a great help. Thanks, Kaitlin __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
Doug Hellmann wrote: > Excerpts from Brant Knudson's message of 2017-03-15 10:27:49 -0500: >> Can the Castellan team be broken out into a new project under the big tent >> rather than having to go under oslo? Oslo as a catch-all made more sense >> before the big tent. Also, I always thought part of the deal of moving >> under oslo is that oslo core reviewers have +2 authority on the repos, but >> it doesn't look like that's part of the proposal here which was a rename >> and now is changing launchpad to make Castellan a subproject under oslo >> (along with some documentation changes). >> >> - Brant > > I assumed that bringing it into Oslo would involve adding the oslo-core > team to whatever review team Castellan already has. Yes, of course. To me the main reason to bring it under Oslo is to make it a neutral abstraction library, and position it as "the common OpenStack way to do key management". Oslo is the umbrella for common libraries in OpenStack. -- Thierry Carrez (ttx) __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
On 3/15/17, 6:51 AM, "Julien Danjou"wrote: >On Mon, Mar 13 2017, Clint Byrum wrote: > >> To me, Oslo is a bunch of libraries that encompass "the way OpenStack >> does ". When is key management, projects are, AFAICT, >>universally >> using Castellan at the moment. So I think it fits in Oslo >> conceptually. > >It would be cool if it could rather be "the way you can do XXX in >Python" rather than being too much OpenStack centric. :) > >> As far as what benefit there is to renaming it, the biggest one is >> divesting Castellan of the controversy around Barbican. There's no >> disagreement that explicitly handling key management is necessary. There >> is, however, still hesitance to fully adopt Barbican in that role. In >> fact I heard about some alternatives to Barbican, namely "Vault"[1] and >> "Tang"[2], that may be useful for subsets of the community, or could >> even grow into de facto standards for key management. >> >> So, given that there may be other backends, and the developers would >> like to embrace that, I see value in renaming. It would help, I think, >> Castellan's developers to be able to focus on key management and not >> have to explain to every potential user "no we're not Barbican's cousin, >> we're just an abstraction..". > >I don't think the Castellan name is a problem in itself, because at >least to me it does not sound like it's Barbican specific. I'd prefer it >to be a Python generic library that supports an OpenStack project as one >of its driver. So I'd hate to have it named oslo.foobar. > >As far as moving it under the Oslo library, I understand that the point >would be to make a point stating that this library is not a >Barbican-specific solution etc. I think it addresses the problem in the >wrongŠ but pragmatic way. > >What I think would be more interesting is to rename the _Barbican team_ >to the "People-who-work-on-keychain-stuff team". That team would build 2 >things, which are Barbican and Castellan (and maybe more later). That'd >make more sense than trying to fit everything in Oslo, and would also >help other projects to do the same thing in the future, and, maybe, one >day, alleviate the whole problem. > >Other than that, sure, we can move it to Oslo I guess. :) The Barbican community has always been the "People-who-work-on-key-management-stuff" team. We launched Castellan in 2015 with the explicit purpose of being a generic abstraction for key managers.[1] At that time, we envisioned developing a KMIP plugin to connect directly to an HSM. Currently, the interest level is higher around a plugin for software based secure storage, such as Vault. However, patches for additional plugins have not been forthcoming. Castellan was designed from the ground up to be a generic abstraction, and I, and the rest of the Barbican community, hope to see more driver development for it. If a change of name or governance helps, we're all for it. But, I hope everyone knows there is no push back from the "People-who-work-on-key-management-stuff". We welcome all contributions. In addition, we want the Castellan library to be the go-to library for any project that wants to add key management. It is already used by Nova, Cinder, Glance, Neutron, Octavia, and Magnum. If a change in name or governance helps other projects adopt Castellan, again, we're all for it. In the meantime, we encourage and stand ready to help all adopters. dave-mccowan PTL, "People-who-work-on-key-management-stuff" [1] https://wiki.openstack.org/wiki/Castellan __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
On Wed, Mar 15, 2017 at 5:18 AM, Thierry Carrezwrote: > Julien Danjou wrote: > > On Tue, Mar 14 2017, Clint Byrum wrote: > > > >> +1 for just pulling it under the oslo umbrella but not renaming it. As > >> much as I like the uniformity oslo.keymanager would bring, I think it's > >> already adopted well enough we just want to make it clear that it is > >> blessed and ok to adopt. > > > > I don't even get why moving it under the Oslo umbrella is a win. > > > > What's the current problem people are trying to solve here? > > It's a governance problem. Basically if the abstraction layer is under > the control of the same group as one of the drivers, it's not really an > abstraction layer, and nobody will adopt it or develop another driver > for it. > > See Clint's first answer in the thread for a more detailed explanation. > > -- > Thierry Carrez (ttx) > > Can the Castellan team be broken out into a new project under the big tent rather than having to go under oslo? Oslo as a catch-all made more sense before the big tent. Also, I always thought part of the deal of moving under oslo is that oslo core reviewers have +2 authority on the repos, but it doesn't look like that's part of the proposal here which was a rename and now is changing launchpad to make Castellan a subproject under oslo (along with some documentation changes). - Brant __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
On Mon, Mar 13 2017, Clint Byrum wrote: > To me, Oslo is a bunch of libraries that encompass "the way OpenStack > does ". When is key management, projects are, AFAICT, universally > using Castellan at the moment. So I think it fits in Oslo > conceptually. It would be cool if it could rather be "the way you can do XXX in Python" rather than being too much OpenStack centric. :) > As far as what benefit there is to renaming it, the biggest one is > divesting Castellan of the controversy around Barbican. There's no > disagreement that explicitly handling key management is necessary. There > is, however, still hesitance to fully adopt Barbican in that role. In > fact I heard about some alternatives to Barbican, namely "Vault"[1] and > "Tang"[2], that may be useful for subsets of the community, or could > even grow into de facto standards for key management. > > So, given that there may be other backends, and the developers would > like to embrace that, I see value in renaming. It would help, I think, > Castellan's developers to be able to focus on key management and not > have to explain to every potential user "no we're not Barbican's cousin, > we're just an abstraction..". I don't think the Castellan name is a problem in itself, because at least to me it does not sound like it's Barbican specific. I'd prefer it to be a Python generic library that supports an OpenStack project as one of its driver. So I'd hate to have it named oslo.foobar. As far as moving it under the Oslo library, I understand that the point would be to make a point stating that this library is not a Barbican-specific solution etc. I think it addresses the problem in the wrong… but pragmatic way. What I think would be more interesting is to rename the _Barbican team_ to the "People-who-work-on-keychain-stuff team". That team would build 2 things, which are Barbican and Castellan (and maybe more later). That'd make more sense than trying to fit everything in Oslo, and would also help other projects to do the same thing in the future, and, maybe, one day, alleviate the whole problem. Other than that, sure, we can move it to Oslo I guess. :) My 2c, -- Julien Danjou /* Free Software hacker https://julien.danjou.info */ signature.asc Description: PGP signature __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
On Wed, Mar 15 2017, Thierry Carrez wrote: > It's a governance problem. Basically if the abstraction layer is under > the control of the same group as one of the drivers, it's not really an > abstraction layer, and nobody will adopt it or develop another driver > for it. So we hope that by changing the governance it will change who and how people contribute to a project? That sounds far-fetched to me. -- Julien Danjou # Free Software hacker # https://julien.danjou.info signature.asc Description: PGP signature __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
Julien Danjou wrote: > On Tue, Mar 14 2017, Clint Byrum wrote: > >> +1 for just pulling it under the oslo umbrella but not renaming it. As >> much as I like the uniformity oslo.keymanager would bring, I think it's >> already adopted well enough we just want to make it clear that it is >> blessed and ok to adopt. > > I don't even get why moving it under the Oslo umbrella is a win. > > What's the current problem people are trying to solve here? It's a governance problem. Basically if the abstraction layer is under the control of the same group as one of the drivers, it's not really an abstraction layer, and nobody will adopt it or develop another driver for it. See Clint's first answer in the thread for a more detailed explanation. -- Thierry Carrez (ttx) signature.asc Description: OpenPGP digital signature __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
On Tue, Mar 14 2017, Clint Byrum wrote: > +1 for just pulling it under the oslo umbrella but not renaming it. As > much as I like the uniformity oslo.keymanager would bring, I think it's > already adopted well enough we just want to make it clear that it is > blessed and ok to adopt. I don't even get why moving it under the Oslo umbrella is a win. What's the current problem people are trying to solve here? -- Julien Danjou ;; Free Software hacker ;; https://julien.danjou.info signature.asc Description: PGP signature __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
On Tue, Mar 14, 2017 at 9:27 PM, Clint Byrumwrote: > Excerpts from Doug Hellmann's message of 2017-03-14 20:05:54 -0400: >> Excerpts from Doug Hellmann's message of 2017-03-14 19:20:08 -0400: >> > Excerpts from Clint Byrum's message of 2017-03-13 13:49:22 -0700: >> > > Excerpts from Doug Hellmann's message of 2017-03-13 15:12:42 -0400: >> > > > Excerpts from Farr, Kaitlin M.'s message of 2017-03-13 18:55:18 +: >> > > > > Proposed library name: Rename Castellan to oslo.keymanager >> > > > > >> > > > > Proposed library mission/motivation: Castellan's goal is to provide a >> > > > > generic key manager interface that projects can use for their key >> > > > > manager needs, e.g., storing certificates or generating keys for >> > > > > encrypting data. The interface passes the commands and Keystone >> > > > > credentials on to the configured back end. Castellan is not a service >> > > > > and does not maintain state. The library can grow to have multiple >> > > > > back ends, as long as the back end can authenticate Keystone >> > > > > credentials. The only two back end options now in Castellan are >> > > > > Barbican and a limited mock key manager useful only for unit tests. >> > > > > If someone wrote a Keystone auth plugin for Vault, we could also >> > > > > have a >> > > > > Vault back end for Castellan. >> > > > > >> > > > > The benefit of using Castellan versus using Barbican directly >> > > > > is Castellan allows the option of swapping out for other key >> > > > > managers, >> > > > > mainly for testing. If projects want their own custom back end for >> > > > > Castellan, they can write a back end that implements the Castellan >> > > > > interface but lives in their own code base, i.e., ConfKeyManager in >> > > > > Nova and Cinder. Additionally, Castellan already has oslo.config >> > > > > options defined which are helpful for configuring the project to talk >> > > > > to Barbican. >> > > > > >> > > > > When the Barbican team first created the Castellan library, we had >> > > > > reached out to oslo to see if we could name it oslo.keymanager, but >> > > > > the >> > > > > idea was not accepted because the library didn't have enough >> > > > > traction. >> > > > > Now, Castellan is used in many projects, and we thought we would >> > > > > suggest renaming again. At the PTG, the Barbican team met with the >> > > > > AWG >> > > > > to discuss how we could get Barbican integrated with more projects, >> > > > > and >> > > > > the rename was also suggested at that meeting. Other projects are >> > > > > interested in creating encryption features, and a rename will help >> > > > > clarify the difference between Barbican and Castellan. >> > > > >> > > > Can you expand on why you think that is so? I'm not disagreeing with >> > > > the >> > > > statement, but it's not obviously true to me, either. I vaguely >> > > > remember >> > > > having it explained at the PTG, but I don't remember the details. >> > > > >> > > >> > > To me, Oslo is a bunch of libraries that encompass "the way OpenStack >> > > does ". When is key management, projects are, AFAICT, >> > > universally >> > > using Castellan at the moment. So I think it fits in Oslo conceptually. >> > > >> > > As far as what benefit there is to renaming it, the biggest one is >> > > divesting Castellan of the controversy around Barbican. There's no >> > > disagreement that explicitly handling key management is necessary. There >> > > is, however, still hesitance to fully adopt Barbican in that role. In >> > > fact I heard about some alternatives to Barbican, namely "Vault"[1] and >> > > "Tang"[2], that may be useful for subsets of the community, or could >> > > even grow into de facto standards for key management. >> > > >> > > So, given that there may be other backends, and the developers would >> > > like to embrace that, I see value in renaming. It would help, I think, >> > > Castellan's developers to be able to focus on key management and not >> > > have to explain to every potential user "no we're not Barbican's cousin, >> > > we're just an abstraction..". >> > > >> > > > > Existing similar libraries (if any) and why they aren't being used: >> > > > > N/A >> > > > > >> > > > > Reviewer activity: Barbican team >> > > > >> > > > If the review team is going to be largely the same, I'm not sure I >> > > > see the benefit of changing the ownership of the library. We certainly >> > > > have other examples of Oslo libraries being managed mainly by >> > > > sub-teams made up of folks who primarily focus on other projects. >> > > > oslo.policy and oslo.versionedobjects come to mind, but in both of >> > > > those cases the code was incubated in Oslo or brought into Oslo >> > > > before the tools for managing shared libraries were widely used >> > > > outside of the Oslo team. We now have quite a few examples of project >> > > > teams managing shared libraries (other than their clients). >> > > > >> > > >> > > While this
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
Excerpts from Doug Hellmann's message of 2017-03-14 20:05:54 -0400: > Excerpts from Doug Hellmann's message of 2017-03-14 19:20:08 -0400: > > Excerpts from Clint Byrum's message of 2017-03-13 13:49:22 -0700: > > > Excerpts from Doug Hellmann's message of 2017-03-13 15:12:42 -0400: > > > > Excerpts from Farr, Kaitlin M.'s message of 2017-03-13 18:55:18 +: > > > > > Proposed library name: Rename Castellan to oslo.keymanager > > > > > > > > > > Proposed library mission/motivation: Castellan's goal is to provide a > > > > > generic key manager interface that projects can use for their key > > > > > manager needs, e.g., storing certificates or generating keys for > > > > > encrypting data. The interface passes the commands and Keystone > > > > > credentials on to the configured back end. Castellan is not a service > > > > > and does not maintain state. The library can grow to have multiple > > > > > back ends, as long as the back end can authenticate Keystone > > > > > credentials. The only two back end options now in Castellan are > > > > > Barbican and a limited mock key manager useful only for unit tests. > > > > > If someone wrote a Keystone auth plugin for Vault, we could also have > > > > > a > > > > > Vault back end for Castellan. > > > > > > > > > > The benefit of using Castellan versus using Barbican directly > > > > > is Castellan allows the option of swapping out for other key managers, > > > > > mainly for testing. If projects want their own custom back end for > > > > > Castellan, they can write a back end that implements the Castellan > > > > > interface but lives in their own code base, i.e., ConfKeyManager in > > > > > Nova and Cinder. Additionally, Castellan already has oslo.config > > > > > options defined which are helpful for configuring the project to talk > > > > > to Barbican. > > > > > > > > > > When the Barbican team first created the Castellan library, we had > > > > > reached out to oslo to see if we could name it oslo.keymanager, but > > > > > the > > > > > idea was not accepted because the library didn't have enough traction. > > > > > Now, Castellan is used in many projects, and we thought we would > > > > > suggest renaming again. At the PTG, the Barbican team met with the > > > > > AWG > > > > > to discuss how we could get Barbican integrated with more projects, > > > > > and > > > > > the rename was also suggested at that meeting. Other projects are > > > > > interested in creating encryption features, and a rename will help > > > > > clarify the difference between Barbican and Castellan. > > > > > > > > Can you expand on why you think that is so? I'm not disagreeing with the > > > > statement, but it's not obviously true to me, either. I vaguely remember > > > > having it explained at the PTG, but I don't remember the details. > > > > > > > > > > To me, Oslo is a bunch of libraries that encompass "the way OpenStack > > > does ". When is key management, projects are, AFAICT, universally > > > using Castellan at the moment. So I think it fits in Oslo conceptually. > > > > > > As far as what benefit there is to renaming it, the biggest one is > > > divesting Castellan of the controversy around Barbican. There's no > > > disagreement that explicitly handling key management is necessary. There > > > is, however, still hesitance to fully adopt Barbican in that role. In > > > fact I heard about some alternatives to Barbican, namely "Vault"[1] and > > > "Tang"[2], that may be useful for subsets of the community, or could > > > even grow into de facto standards for key management. > > > > > > So, given that there may be other backends, and the developers would > > > like to embrace that, I see value in renaming. It would help, I think, > > > Castellan's developers to be able to focus on key management and not > > > have to explain to every potential user "no we're not Barbican's cousin, > > > we're just an abstraction..". > > > > > > > > Existing similar libraries (if any) and why they aren't being used: > > > > > N/A > > > > > > > > > > Reviewer activity: Barbican team > > > > > > > > If the review team is going to be largely the same, I'm not sure I > > > > see the benefit of changing the ownership of the library. We certainly > > > > have other examples of Oslo libraries being managed mainly by > > > > sub-teams made up of folks who primarily focus on other projects. > > > > oslo.policy and oslo.versionedobjects come to mind, but in both of > > > > those cases the code was incubated in Oslo or brought into Oslo > > > > before the tools for managing shared libraries were widely used > > > > outside of the Oslo team. We now have quite a few examples of project > > > > teams managing shared libraries (other than their clients). > > > > > > > > > > While this makes sense, I'm not so sure any of those are actually > > > specifically in the same category as Castellan. Perhaps you can expand > > > on which libraries have done this, and how they're
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
Excerpts from Doug Hellmann's message of 2017-03-14 19:20:08 -0400: > Excerpts from Clint Byrum's message of 2017-03-13 13:49:22 -0700: > > Excerpts from Doug Hellmann's message of 2017-03-13 15:12:42 -0400: > > > Excerpts from Farr, Kaitlin M.'s message of 2017-03-13 18:55:18 +: > > > > Proposed library name: Rename Castellan to oslo.keymanager > > > > > > > > Proposed library mission/motivation: Castellan's goal is to provide a > > > > generic key manager interface that projects can use for their key > > > > manager needs, e.g., storing certificates or generating keys for > > > > encrypting data. The interface passes the commands and Keystone > > > > credentials on to the configured back end. Castellan is not a service > > > > and does not maintain state. The library can grow to have multiple > > > > back ends, as long as the back end can authenticate Keystone > > > > credentials. The only two back end options now in Castellan are > > > > Barbican and a limited mock key manager useful only for unit tests. > > > > If someone wrote a Keystone auth plugin for Vault, we could also have a > > > > Vault back end for Castellan. > > > > > > > > The benefit of using Castellan versus using Barbican directly > > > > is Castellan allows the option of swapping out for other key managers, > > > > mainly for testing. If projects want their own custom back end for > > > > Castellan, they can write a back end that implements the Castellan > > > > interface but lives in their own code base, i.e., ConfKeyManager in > > > > Nova and Cinder. Additionally, Castellan already has oslo.config > > > > options defined which are helpful for configuring the project to talk > > > > to Barbican. > > > > > > > > When the Barbican team first created the Castellan library, we had > > > > reached out to oslo to see if we could name it oslo.keymanager, but the > > > > idea was not accepted because the library didn't have enough traction. > > > > Now, Castellan is used in many projects, and we thought we would > > > > suggest renaming again. At the PTG, the Barbican team met with the AWG > > > > to discuss how we could get Barbican integrated with more projects, and > > > > the rename was also suggested at that meeting. Other projects are > > > > interested in creating encryption features, and a rename will help > > > > clarify the difference between Barbican and Castellan. > > > > > > Can you expand on why you think that is so? I'm not disagreeing with the > > > statement, but it's not obviously true to me, either. I vaguely remember > > > having it explained at the PTG, but I don't remember the details. > > > > > > > To me, Oslo is a bunch of libraries that encompass "the way OpenStack > > does ". When is key management, projects are, AFAICT, universally > > using Castellan at the moment. So I think it fits in Oslo conceptually. > > > > As far as what benefit there is to renaming it, the biggest one is > > divesting Castellan of the controversy around Barbican. There's no > > disagreement that explicitly handling key management is necessary. There > > is, however, still hesitance to fully adopt Barbican in that role. In > > fact I heard about some alternatives to Barbican, namely "Vault"[1] and > > "Tang"[2], that may be useful for subsets of the community, or could > > even grow into de facto standards for key management. > > > > So, given that there may be other backends, and the developers would > > like to embrace that, I see value in renaming. It would help, I think, > > Castellan's developers to be able to focus on key management and not > > have to explain to every potential user "no we're not Barbican's cousin, > > we're just an abstraction..". > > > > > > Existing similar libraries (if any) and why they aren't being used: N/A > > > > > > > > Reviewer activity: Barbican team > > > > > > If the review team is going to be largely the same, I'm not sure I > > > see the benefit of changing the ownership of the library. We certainly > > > have other examples of Oslo libraries being managed mainly by > > > sub-teams made up of folks who primarily focus on other projects. > > > oslo.policy and oslo.versionedobjects come to mind, but in both of > > > those cases the code was incubated in Oslo or brought into Oslo > > > before the tools for managing shared libraries were widely used > > > outside of the Oslo team. We now have quite a few examples of project > > > teams managing shared libraries (other than their clients). > > > > > > > While this makes sense, I'm not so sure any of those are actually > > specifically in the same category as Castellan. Perhaps you can expand > > on which libraries have done this, and how they're similar to Castellan? > > oslo.versionedobjects was extracted from nova, and came with a small > set of contributors who have made up a subteam of Oslo. As far as > I know, they rarely contribute outside of that library (I haven't > checked lately, so apologies if my info is out of
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
Clint Byrum wrote: > Excerpts from Doug Hellmann's message of 2017-03-13 15:12:42 -0400: >> Excerpts from Farr, Kaitlin M.'s message of 2017-03-13 18:55:18 +: >>> When the Barbican team first created the Castellan library, we had >>> reached out to oslo to see if we could name it oslo.keymanager, but the >>> idea was not accepted because the library didn't have enough traction. >>> Now, Castellan is used in many projects, and we thought we would >>> suggest renaming again. At the PTG, the Barbican team met with the AWG >>> to discuss how we could get Barbican integrated with more projects, and >>> the rename was also suggested at that meeting. Other projects are >>> interested in creating encryption features, and a rename will help >>> clarify the difference between Barbican and Castellan. >> >> Can you expand on why you think that is so? I'm not disagreeing with the >> statement, but it's not obviously true to me, either. I vaguely remember >> having it explained at the PTG, but I don't remember the details. > > To me, Oslo is a bunch of libraries that encompass "the way OpenStack > does ". When is key management, projects are, AFAICT, universally > using Castellan at the moment. So I think it fits in Oslo conceptually. > > As far as what benefit there is to renaming it, the biggest one is > divesting Castellan of the controversy around Barbican. There's no > disagreement that explicitly handling key management is necessary. There > is, however, still hesitance to fully adopt Barbican in that role. In > fact I heard about some alternatives to Barbican, namely "Vault"[1] and > "Tang"[2], that may be useful for subsets of the community, or could > even grow into de facto standards for key management. > > So, given that there may be other backends, and the developers would > like to embrace that, I see value in renaming. It would help, I think, > Castellan's developers to be able to focus on key management and not > have to explain to every potential user "no we're not Barbican's cousin, > we're just an abstraction..". Well put. Long-term, it will also help drive Barbican on the "base services" track (an oslo.db-compatible database, an oslo.messaging-compatible queue, an oslo.keymanager-compatible key manager...) >>> Existing similar libraries (if any) and why they aren't being used: N/A >>> >>> Reviewer activity: Barbican team >> >> If the review team is going to be largely the same, I'm not sure I >> see the benefit of changing the ownership of the library. We certainly >> have other examples of Oslo libraries being managed mainly by >> sub-teams made up of folks who primarily focus on other projects. >> oslo.policy and oslo.versionedobjects come to mind, but in both of >> those cases the code was incubated in Oslo or brought into Oslo >> before the tools for managing shared libraries were widely used >> outside of the Oslo team. We now have quite a few examples of project >> teams managing shared libraries (other than their clients). While it may be originally seeded by the same people, I think the two groups may diverge in the future, especially if support for other key managers is added. -- Thierry Carrez (ttx) __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
Excerpts from Doug Hellmann's message of 2017-03-13 15:12:42 -0400: > Excerpts from Farr, Kaitlin M.'s message of 2017-03-13 18:55:18 +: > > Proposed library name: Rename Castellan to oslo.keymanager > > > > Proposed library mission/motivation: Castellan's goal is to provide a > > generic key manager interface that projects can use for their key > > manager needs, e.g., storing certificates or generating keys for > > encrypting data. The interface passes the commands and Keystone > > credentials on to the configured back end. Castellan is not a service > > and does not maintain state. The library can grow to have multiple > > back ends, as long as the back end can authenticate Keystone > > credentials. The only two back end options now in Castellan are > > Barbican and a limited mock key manager useful only for unit tests. > > If someone wrote a Keystone auth plugin for Vault, we could also have a > > Vault back end for Castellan. > > > > The benefit of using Castellan versus using Barbican directly > > is Castellan allows the option of swapping out for other key managers, > > mainly for testing. If projects want their own custom back end for > > Castellan, they can write a back end that implements the Castellan > > interface but lives in their own code base, i.e., ConfKeyManager in > > Nova and Cinder. Additionally, Castellan already has oslo.config > > options defined which are helpful for configuring the project to talk > > to Barbican. > > > > When the Barbican team first created the Castellan library, we had > > reached out to oslo to see if we could name it oslo.keymanager, but the > > idea was not accepted because the library didn't have enough traction. > > Now, Castellan is used in many projects, and we thought we would > > suggest renaming again. At the PTG, the Barbican team met with the AWG > > to discuss how we could get Barbican integrated with more projects, and > > the rename was also suggested at that meeting. Other projects are > > interested in creating encryption features, and a rename will help > > clarify the difference between Barbican and Castellan. > > Can you expand on why you think that is so? I'm not disagreeing with the > statement, but it's not obviously true to me, either. I vaguely remember > having it explained at the PTG, but I don't remember the details. > To me, Oslo is a bunch of libraries that encompass "the way OpenStack does ". When is key management, projects are, AFAICT, universally using Castellan at the moment. So I think it fits in Oslo conceptually. As far as what benefit there is to renaming it, the biggest one is divesting Castellan of the controversy around Barbican. There's no disagreement that explicitly handling key management is necessary. There is, however, still hesitance to fully adopt Barbican in that role. In fact I heard about some alternatives to Barbican, namely "Vault"[1] and "Tang"[2], that may be useful for subsets of the community, or could even grow into de facto standards for key management. So, given that there may be other backends, and the developers would like to embrace that, I see value in renaming. It would help, I think, Castellan's developers to be able to focus on key management and not have to explain to every potential user "no we're not Barbican's cousin, we're just an abstraction..". > > Existing similar libraries (if any) and why they aren't being used: N/A > > > > Reviewer activity: Barbican team > > If the review team is going to be largely the same, I'm not sure I > see the benefit of changing the ownership of the library. We certainly > have other examples of Oslo libraries being managed mainly by > sub-teams made up of folks who primarily focus on other projects. > oslo.policy and oslo.versionedobjects come to mind, but in both of > those cases the code was incubated in Oslo or brought into Oslo > before the tools for managing shared libraries were widely used > outside of the Oslo team. We now have quite a few examples of project > teams managing shared libraries (other than their clients). > While this makes sense, I'm not so sure any of those are actually specifically in the same category as Castellan. Perhaps you can expand on which libraries have done this, and how they're similar to Castellan? [1] https://www.vaultproject.io/ [2] https://github.com/latchset/tang __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
Kaitlin, On Mon, Mar 13, 2017 at 2:55 PM, Farr, Kaitlin M.wrote: > Proposed library name: Rename Castellan to oslo.keymanager > > > > Proposed library mission/motivation: Castellan’s goal is to provide a > > generic key manager interface that projects can use for their key > > manager needs, e.g., storing certificates or generating keys for > > encrypting data. The interface passes the commands and Keystone > > credentials on to the configured back end. Castellan is not a service > > and does not maintain state. The library can grow to have multiple > > back ends, as long as the back end can authenticate Keystone > > credentials. The only two back end options now in Castellan are > > Barbican and a limited mock key manager useful only for unit tests. > > If someone wrote a Keystone auth plugin for Vault, we could also have a > > Vault back end for Castellan. > > > > The benefit of using Castellan versus using Barbican directly > > is Castellan allows the option of swapping out for other key managers, > > mainly for testing. If projects want their own custom back end for > > Castellan, they can write a back end that implements the Castellan > > interface but lives in their own code base, i.e., ConfKeyManager in > > Nova and Cinder. Additionally, Castellan already has oslo.config > > options defined which are helpful for configuring the project to talk > > to Barbican. > > > > When the Barbican team first created the Castellan library, we had > > reached out to oslo to see if we could name it oslo.keymanager, but the > > idea was not accepted because the library didn’t have enough traction. > > Now, Castellan is used in many projects, and we thought we would > > suggest renaming again. At the PTG, the Barbican team met with the AWG > > to discuss how we could get Barbican integrated with more projects, and > > the rename was also suggested at that meeting. Other projects are > > interested in creating encryption features, and a rename will help > > clarify the difference between Barbican and Castellan. > > > > Existing similar libraries (if any) and why they aren't being used: N/A > > > > Reviewer activity: Barbican team > > > > Who is going to use this (project involvement): Cinder, Nova, Sahara, > > and Glance already use Castellan, Swift has a patch that integrates > > Castellan. > > > > Proposed adoption model/plan: The Castellan library was already created > > and produces a functional and useful artifact (a pypi release) and is > > integrated into various OpenStack projects and now it is proposed that > > the library be moved into the Oslo group's namespace by creating a fork > > of Castellan, clean up a few things, create a new oslo.keymanager > > release on pypi, and change the projects to use oslo.keymanager. > Is the idea that the name change (oslo) will help drive the adoption? Also, Is the a default backend for say devstack going to be barbican? Is there a plan to do something else (say a vault based backend) for very simple scenarios? > > Thanks, > > > > Kaitlin Farr > > Software Engineer > > The Johns Hopkins University Applied Physics Laboratory > > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [oslo][barbican][castellan] Proposal to rename Castellan to oslo.keymanager
Excerpts from Farr, Kaitlin M.'s message of 2017-03-13 18:55:18 +: > Proposed library name: Rename Castellan to oslo.keymanager > > Proposed library mission/motivation: Castellan's goal is to provide a > generic key manager interface that projects can use for their key > manager needs, e.g., storing certificates or generating keys for > encrypting data. The interface passes the commands and Keystone > credentials on to the configured back end. Castellan is not a service > and does not maintain state. The library can grow to have multiple > back ends, as long as the back end can authenticate Keystone > credentials. The only two back end options now in Castellan are > Barbican and a limited mock key manager useful only for unit tests. > If someone wrote a Keystone auth plugin for Vault, we could also have a > Vault back end for Castellan. > > The benefit of using Castellan versus using Barbican directly > is Castellan allows the option of swapping out for other key managers, > mainly for testing. If projects want their own custom back end for > Castellan, they can write a back end that implements the Castellan > interface but lives in their own code base, i.e., ConfKeyManager in > Nova and Cinder. Additionally, Castellan already has oslo.config > options defined which are helpful for configuring the project to talk > to Barbican. > > When the Barbican team first created the Castellan library, we had > reached out to oslo to see if we could name it oslo.keymanager, but the > idea was not accepted because the library didn't have enough traction. > Now, Castellan is used in many projects, and we thought we would > suggest renaming again. At the PTG, the Barbican team met with the AWG > to discuss how we could get Barbican integrated with more projects, and > the rename was also suggested at that meeting. Other projects are > interested in creating encryption features, and a rename will help > clarify the difference between Barbican and Castellan. Can you expand on why you think that is so? I'm not disagreeing with the statement, but it's not obviously true to me, either. I vaguely remember having it explained at the PTG, but I don't remember the details. > Existing similar libraries (if any) and why they aren't being used: N/A > > Reviewer activity: Barbican team If the review team is going to be largely the same, I'm not sure I see the benefit of changing the ownership of the library. We certainly have other examples of Oslo libraries being managed mainly by sub-teams made up of folks who primarily focus on other projects. oslo.policy and oslo.versionedobjects come to mind, but in both of those cases the code was incubated in Oslo or brought into Oslo before the tools for managing shared libraries were widely used outside of the Oslo team. We now have quite a few examples of project teams managing shared libraries (other than their clients). > Who is going to use this (project involvement): Cinder, Nova, Sahara, > and Glance already use Castellan, Swift has a patch that integrates > Castellan. > > Proposed adoption model/plan: The Castellan library was already created > and produces a functional and useful artifact (a pypi release) and is > integrated into various OpenStack projects and now it is proposed that > the library be moved into the Oslo group's namespace by creating a fork > of Castellan, clean up a few things, create a new oslo.keymanager > release on pypi, and change the projects to use oslo.keymanager. > > Thanks, > > Kaitlin Farr > Software Engineer > The Johns Hopkins University Applied Physics Laboratory __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev