On Tue, Apr 12, 2016 at 3:27 PM, Lance Bragstad <lbrags...@gmail.com> wrote:
> Keystone's credential API pre-dates barbican. We started talking about
> having the credential API back to barbican after it was a thing. I'm not
> sure if any work has been done to move the credential API in this
> direction. From a security perspective, I think it would make sense for
> keystone to back to barbican.
>

+1

And regarding the "inappropriate use of keystone," I'd agree... without this
spec, keystone is entirely useless as any sort of alternative to Barbican:

https://review.openstack.org/#/c/284950/

I suspect Barbican will forever be a much more mature choice for Magnum.

>
> On Tue, Apr 12, 2016 at 2:43 PM, Hongbin Lu <hongbin...@huawei.com> wrote:
>
>> Hi all,
>>
>> In short, some Magnum team members proposed to store TLS certificates in
>> Keystone credential store. As Magnum PTL, I want to get agreements (or
>> non-disagreement) from OpenStack community in general, Keystone community
>> in particular, before approving the direction.
>>
>> In details, Magnum leverages TLS to secure the API endpoint of
>> kubernetes/docker swarm. The usage of TLS requires a secure store for
>> storing TLS certificates. Currently, we leverage Barbican for this purpose,
>> but we constantly received requests to decouple Magnum from Barbican
>> (because users normally don’t have Barbican installed in their clouds).
>> Some Magnum team members proposed to leverage Keystone credential store as
>> a Barbican alternative [1]. Therefore, I want to confirm what is Keystone
>> team position for this proposal (I remembered someone from Keystone
>> mentioned this is an inappropriate use of Keystone. Would I ask for further
>> clarification?). Thanks in advance.
>>
>> [1]
>> https://blueprints.launchpad.net/magnum/+spec/barbican-alternative-store
>>
>> Best regards,
>>
>> Hongbin
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>