On 08/21/2013 11:44 AM, Jarret Raim wrote:
Dolph Mathews wrote:
With regard to:
https://blueprints.launchpad.net/keystone/+spec/key-distribution-server
[...]
Dolph: you don't mention Barbican at all, does that mean that the issue
is settled and the KDS should live in Keystone?
Dolph and I talked about having a design session to talk about how
Barbican and Keystone will work together going forward. In this particular
case, as I understand it, Simo is right. There isn't much need for
Barbican to be involved in the PKI key signing (except maybe for key
storage at some point, but that wouldn't require a lot of changes if we
did that).
KDS keys are not signed. They are symmetric.
We are writing the KDS code as a standalone extension, such that if we
change our mind about where it lives, we can migrate it without too much
disruption. However, I am pretty certain that it belongs in Keystone.
This is confirmation of identity for services, and it probably will
interoperate with the service catalog over time. Keystone doesn't have a
concept of a Service Principal the way that Kerberos does, but the KDS
code really introduces that concept, and I think it will be important
for more complex authorization rules in the future.
Once the sessions are opened for Hong Kong, we'll put in for the design
session.
Jarret
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev