Implement a barbican functional equivalent certificate store

Registered by hongbin on 2016-03-17

Etherpad: https://etherpad.openstack.org/p/magnum-barbican-alternative

Implement a functionally equivalent replacement for Barbican for storing the TLS certificates needed by Magnum's COEs. This feature adds an option for cloud operators who have a good reason not to use Barbican: instead, they may store the certificates in the Magnum DB.

Without this feature the credential contents would sit in plain text in the Magnum DB, so we will generate an encryption key per bay, encrypt the certificate with it, and store the ciphertext in the Magnum DB. The same key is used to decrypt the certificate when it is read back from the Magnum DB. Add library functions to encrypt and decrypt the data, and (perhaps in a subsequent iteration) allow a choice of the encryption algorithms used by those library functions.
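The per-bay scheme described above, as an added example that is not part of the blueprint or of Magnum's own (Python) code. It is written in Go so that it runs with only the standard library: each bay gets its own random AES-256 key, the certificate PEM is sealed with AES-GCM using the bay id as associated data (so a row copied to another bay does not decrypt), and any modification of the stored blob makes the read fail instead of returning garbage. The in-memory map stands in for the Magnum DB table, the certificate text is a constructed placeholder, and the store assumes the per-bay key is kept apart from the ciphertext rather than in the same row, which is what makes the encryption worth anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample for illustration only; not a real certificate.
const sampleCertPEM = "-----BEGIN CERTIFICATE-----\nMIIBsampleconstructedforillustration==\n-----END CERTIFICATE-----\n"

// bayRecord is what the hypothetical DB row for one bay holds.
type bayRecord struct {
	key        []byte // per-bay AES-256 key; assumed to live in separate storage from the ciphertext
	ciphertext []byte // nonce || AES-GCM ciphertext || tag
}

// BayCertStore is a stand-in for the Magnum DB table (hypothetical name).
type BayCertStore struct {
	rows map[string]*bayRecord
}

func NewBayCertStore() *BayCertStore {
	return &BayCertStore{rows: map[string]*bayRecord{}}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store creates a fresh random key the first time a bay is seen and encrypts certPEM under it.
func (s *BayCertStore) Store(bayID string, certPEM []byte) error {
	rec, ok := s.rows[bayID]
	if !ok {
		key := make([]byte, 32) // AES-256
		if _, err := rand.Read(key); err != nil {
			return err
		}
		rec = &bayRecord{key: key}
		s.rows[bayID] = rec
	}
	gcm, err := newGCM(rec.key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh nonce per write; never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The bay id is bound as associated data, so the blob only opens for the bay it was written for.
	rec.ciphertext = gcm.Seal(nonce, nonce, certPEM, []byte(bayID))
	return nil
}

// Load decrypts and authenticates the stored certificate for bayID.
func (s *BayCertStore) Load(bayID string) ([]byte, error) {
	rec, ok := s.rows[bayID]
	if !ok || rec.ciphertext == nil {
		return nil, errors.New("no certificate stored for bay " + bayID)
	}
	gcm, err := newGCM(rec.key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(rec.ciphertext) < ns {
		return nil, errors.New("stored blob too short")
	}
	return gcm.Open(nil, rec.ciphertext[:ns], rec.ciphertext[ns:], []byte(bayID))
}

// StoredBlob returns the raw DB value, so callers can confirm no plaintext PEM is in it.
func (s *BayCertStore) StoredBlob(bayID string) []byte {
	if rec, ok := s.rows[bayID]; ok {
		return rec.ciphertext
	}
	return nil
}

// Corrupt simulates a modified DB row; a subsequent Load must fail the GCM tag check.
func (s *BayCertStore) Corrupt(bayID string) {
	if rec, ok := s.rows[bayID]; ok && len(rec.ciphertext) > 0 {
		rec.ciphertext[len(rec.ciphertext)-1] ^= 0x01
	}
}

func main() {
	s := NewBayCertStore()
	if err := s.Store("bay-a", []byte(sampleCertPEM)); err != nil {
		panic(err)
	}
	cert, err := s.Load("bay-a")
	fmt.Printf("round trip ok: %v, err: %v\n", string(cert) == sampleCertPEM, err)
	s.Corrupt("bay-a")
	_, err = s.Load("bay-a")
	fmt.Printf("after corruption, load error: %v\n", err)
}
```

The authenticated mode matters here because the DB is the trust boundary: a plain CBC or CTR row could be silently altered, whereas AES-GCM turns any edit into a hard read failure that an operator can log and alert on.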

Blueprint information

Status:
Complete
Approver:
hongbin
Priority:
High
Drafter:
Adrian Otto
Direction:
Approved
Assignee:
Madhuri Kumari
Definition:
New
Series goal:
Accepted for newton
Implementation:
Implemented
Milestone target:
None
Started by
Madhuri Kumari on 2016-06-27
Completed by
Madhuri Kumari on 2016-06-27

Related branches

Sprints

Whiteboard

Be sure to include comments in the configuration file that advise administrators to only use this option if they are unable to add Barbican to their clouds, as this approach is less secure.

kfox1111 - I think this is a huge abuse of the keystone api. I don't believe it was intended for that purpose. It could be forced to work that way, but I think the keystone developers would object. please talk to them directly before continuing with this plan.

cloudnull - I concur that this is an abuse of the Keystone API and should _NOT_ be done. Per the blueprint description, does this project really want to support and test older OpenStack deployments (Folsom, Grizzly, Havana, etc...)? That would seem like a huge developer burden and waste of resources. Additionally, as a deployer and developer I fail to see why Magnum would need to go down the route of creating a "barbican functional equivalent certificate store" when we already have the barbican project, which is maturing nicely and works in production; this all seems very NIH.

hongbin - All, the team is discussing this BP. We are using an etherpad to collect feedback. It would be great if you can forward your inputs there: https://etherpad.openstack.org/p/magnum-barbican-alternative

UPDATE: Changed drafter to Adrian Otto since he drafted this BP. Changed direction to Needs approval. Sorry. I won't approve this BP until we get agreement from the general OpenStack community (Keystone team in particular).

UPDATE2: In the last Magnum team meeting [1], we all agreed to store TLS certificates in Magnum DB as a short term solution.

[1] http://eavesdrop.openstack.org/meetings/containers/2016/containers.2016-04-19-16.00.txt

Gerrit topic: https://review.openstack.org/#q,topic:bp/barbican-alternative-store,n,z

Addressed by: https://review.openstack.org/322009
    [WIP]X509keypair cleanup
Addressed by: https://review.openstack.org/#/c/323143/
    Add x509keypair_cert_manager to store certs in DB


Work Items
