Hi, I believe that Barbican keystore for signing keys was discussed earlier. I'm not sure if that's the best idea since Barbican relies on Keystone authN/authZ. That's why this mechanism should be considered rather as "out of band" to Keystone/OS API and is rather a devops task.
regards,
Adam

On Wed, Aug 5, 2015 at 8:11 AM, joehuang <joehu...@huawei.com> wrote:
> Hi, Lance,
>
> May we store the keys in Barbican, can the key rotation be done upon
> Barbican? And if we use Barbican as the repository, then it’s easier for key
> distribution and rotation in multiple Keystone deployment scenario, the
> database replication (sync. or async.) capability could be leveraged.
>
> Best Regards
>
> Chaoyi Huang ( Joe Huang )
>
> *From:* Lance Bragstad [mailto:lbrags...@gmail.com]
> *Sent:* Tuesday, August 04, 2015 10:56 PM
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys
>
> On Tue, Aug 4, 2015 at 9:28 AM, Boris Bobrov <bbob...@mirantis.com> wrote:
> > On Tuesday 04 August 2015 08:06:21 Lance Bragstad wrote:
> > > On Tue, Aug 4, 2015 at 1:37 AM, Boris Bobrov <bbob...@mirantis.com> wrote:
> > > > On Monday 03 August 2015 21:05:00 David Stanek wrote:
> > > > > On Sat, Aug 1, 2015 at 8:03 PM, Boris Bobrov <bbob...@mirantis.com> wrote:
> > > > > > Also, come on, does http://paste.openstack.org/show/406674/ look overly
> > > > > > complex? (it should be launched from Fuel master node).
> > > > >
> > > > > I'm reading this on a small phone, so I may have it wrong, but the script
> > > > > appears to be broken.
> > > > >
> > > > > It will ssh to node-1 and rotate. In the simplest case this takes key 0
> > > > > and moves it to the next highest key number. Then a new key 0 is
> > > > > generated.
> > > > >
> > > > > Later there is a loop that will again ssh into node-1 and run the rotation
> > > > > script. If there is a limit set on the number of keys and you are at that
> > > > > limit a key will be deleted. This extra rotation on node-1 means that it's
> > > > > possible that it has a different set of keys than are on node-2 and
> > > > > node-3.
> > > >
> > > > You are absolutely right. Node-1 should be excluded from the loop.
> > > >
> > > > ping also lacks "-c 1".
> > > >
> > > > I am sure that other issues can be found.
> > > >
> > > > In my excuse I want to say that I never ran the script and wrote it just
> > > > to show how simple it should be. Thanks for the review though!
> > > >
> > > > I also hope that no one is going to use a script from a mailing list.
> > > >
> > > > > What's the issue with just a simple rsync of the directory?
> > > >
> > > > None I think. I just want to reuse the interface provided by
> > > > keystone-manage.
> > >
> > > You wanted to use the interface from keystone-manage to handle the actual
> > > promotion of the staged key, right? This is why there were two
> > > fernet_rotate commands issued?
> >
> > Right. Here is the fixed version (please don't use it anyway):
> > http://paste.openstack.org/show/406862/
>
> Note, this doesn't take into account the initial key repository creation,
> does it?
>
> Here is a similar version that relies on rsync for the distribution after
> the initial key rotation [0].
>
> [0] http://cdn.pasteraw.com/d6odnvtt1u9zsw5mg4xetzgufy1mjua
>
> > --
> > Best regards,
> > Boris Bobrov
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Adam Heczko
Security Engineer @ Mirantis Inc.
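The rotate-then-distribute procedure the thread converges on (rotate exactly once, on a single node, then copy the key repository to the other nodes with rsync so that no node ends up with a different key set) as an added shell example. This is not the script pasted in the thread and not Keystone's or Fuel's code: it reimplements the fernet_rotate key-numbering semantics David describes (key 0 is promoted to the next highest number, a fresh key 0 is created, the oldest keys beyond the limit are deleted) on a local directory so it can run without keystone-manage, and it plans the rsync push to the hypothetical nodes node-1..node-3 while skipping the node that rotated. The key format, node names, root@ login, and the ping/rsync flags are assumptions; in a real deployment the rotation step would be `keystone-manage fernet_rotate` on the primary node.

```shell
#!/usr/bin/env bash
# Added example, not the thread's script: local Fernet rotation with the
# numbering rules described in the thread, plus a single-source rsync push.
set -u

# One Fernet key: 32 random bytes, URL-safe base64 (constructed here;
# keystone-manage fernet_setup/fernet_rotate produce the equivalent).
new_fernet_key() {
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '\n'
}

# Fresh repository: primary key 1 plus staged key 0 (the "initial key
# repository creation" step Lance points out the scripts skip).
init_repo() {
    local repo=$1
    mkdir -p "$repo"
    new_fernet_key > "$repo/0"
    new_fernet_key > "$repo/1"
}

# Highest-numbered key currently in the repository.
highest_key() {
    ls "$1" | grep -E '^[0-9]+$' | sort -n | tail -n 1
}

# Sorted key ids as one line, e.g. "0 2 3"; cheap consistency check per node.
key_ids() {
    ls "$1" | grep -E '^[0-9]+$' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Rotate: promote staged key 0 to top+1, create a new key 0, then prune the
# lowest-numbered non-zero keys until at most max_active keys remain.
# Prints the number the promoted key received.
rotate_repo() {
    local repo=$1 max_active=$2
    local top next oldest
    top=$(highest_key "$repo")
    next=$((top + 1))
    mv "$repo/0" "$repo/$next"     # staged key becomes the new primary
    new_fernet_key > "$repo/0"     # fresh staged key
    while [ "$(ls "$repo" | grep -cE '^[0-9]+$')" -gt "$max_active" ]; do
        oldest=$(ls "$repo" | grep -E '^[1-9][0-9]*$' | sort -n | head -n 1)
        rm "$repo/$oldest"         # oldest key drops out first
    done
    echo "$next"
}

# Nodes that must receive the repository: all of them except the one that
# rotated (the node-1 double rotation is what made the key sets diverge).
distribution_targets() {
    local primary=$1; shift
    local n
    for n in "$@"; do
        [ "$n" = "$primary" ] && continue
        echo "$n"
    done
}

# Push the repository from the primary to every other node. DRY_RUN=1 only
# prints the rsync commands (assumed hostnames, nothing is contacted).
distribute_repo() {
    local repo=$1 primary=$2; shift 2
    local node
    for node in $(distribution_targets "$primary" "$@"); do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "rsync -az --delete $repo/ root@$node:$repo/"
            continue
        fi
        ping -c 1 -W 2 "$node" >/dev/null || { echo "skip $node: unreachable" >&2; continue; }
        rsync -az --delete "$repo/" "root@$node:$repo/"
    done
}

# Demo on a temporary directory with the hypothetical nodes node-1..node-3.
demo() {
    local repo
    repo=$(mktemp -d)/fernet-keys
    init_repo "$repo"
    rotate_repo "$repo" 3 >/dev/null
    rotate_repo "$repo" 3 >/dev/null
    echo "keys on node-1 after two rotations: $(key_ids "$repo")"
    DRY_RUN=1 distribute_repo "$repo" node-1 node-1 node-2 node-3
    rm -rf "$(dirname "$repo")"
}

demo
```

Two design choices matter operationally: the rotation runs on exactly one node and the copy fans out from that node, so the pruned key disappears everywhere in the same step (`--delete` carries the deletion; without it the other nodes keep validating tokens signed by a key the primary has already retired), and `-a` only preserves the keystone user's ownership and the restrictive file mode when the receiving side runs as root, so check ownership on the targets once after the first push. Comparing `key_ids` on each node is a quick way to spot the divergence David noticed before it shows up as unexplained token validation failures.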