> -----Original Message-----
> From: Adrian Otto [mailto:adrian.o...@rackspace.com]
> Sent: 01 September 2015 07:03
> To: OpenStack Development Mailing List (not for usage questions)
> <openstack-dev@lists.openstack.org>
> Subject: Re: [openstack-dev] [magnum] Difference between certs stored in
> keystone and certs stored in barbican
>
> Simply put, Keystone is designed to generate tokens that are to be used for
> authentication and RBAC. Systems like Kubernetes do not support Keystone
> auth, but do support TLS. Using TLS provides a solution that is compatible
> with using these systems outside of an OpenStack cloud.
>
> Barbican is designed for secure storage of arbitrary secrets, and currently
> also has a CA function. The reason that is compelling is that you can have
> Barbican generate, sign, and store a keypair without transmitting the private
> key over the network to the client that originates the signing request. It can
> be directly stored, and made available only to the clients that need access to
> it.
>

Will it also be possible to use a different CA? In some environments, there is already a corporate certificate authority server. This would ensure compliance with site security standards.

Tim

> We are taking an iterative approach to TLS integration, so we can gradually
> take advantage of both keystone and Barbican features as they allow us to
> iterate toward a more secure integration.
>
> Adrian
>
> > On Aug 31, 2015, at 9:05 PM, Vikas Choudhary
> > <choudharyvika...@gmail.com> wrote:
> >
> > Hi,
> >
> > Can anybody please point me to some etherpad discussion page/spec
> > that can help me understand why we are going to introduce barbican for
> > magnum when we already had keystone for security management?
> >
> > -Vikas Choudhary
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe:
> > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev