Implement a barbican functional equivalent certificate store
Etherpad: https:/
Implementing a functional equivalent replacement of Baribican for storing TLS certificates needed by Magnum's COEs. This feature adds an option for cloud operators who have a good reason not to use Barbican, instead they may use Magnum DB.
The credential contents are stored in plain text in the Magnum DB, so we will use an encryption key per bay, encrypt the certificate and store it in Magnum DB. We use the key to decrypt it upon reading the cert back from Magnum DB. Add library functions to encrypt and decrypt the data, and (perhaps in a subsequent iteration) allow a choice of encryption algorithms used by those library functions.
Blueprint information
- Status:
- Complete
- Approver:
- hongbin
- Priority:
- High
- Drafter:
- Adrian Otto
- Direction:
- Approved
- Assignee:
- Madhuri Kumari
- Definition:
- New
- Series goal:
- Accepted for newton
- Implementation:
- Implemented
- Milestone target:
- None
- Started by
- Madhuri Kumari
- Completed by
- Madhuri Kumari
Related branches
Related bugs
Sprints
Whiteboard
Be sure to include comments in the configuration file that advise administrators to only use this option if they are unable to add Barbican to their clouds, as this approach is less secure.
kfox1111 - I think this is a huge abuse of the keystone api. I don't believe it was intended for that purpose. It could be forced to work that way, but I think the keystone developers would object. please talk to them directly before continuing with this plan.
cloudnull - I concur that this is an abuse of the Keystone API and should _NOT_ be done. Per the blueprint description does this project really want to support and test older OpenStack Deployments (Folsom, Grizzly, Havana, etc...)? That would seem like a huge developer burden and waist of resources. Additionally, as a deployer and developer I fail to see why Magnum would need to go down the route of creating a "barbican functional equivalent certificate store" when we already have the barbican project which is maturing nicely and works in production; this all seems very NIH.
hongbin - All, the team is discussing this BP. We are using an etherpad to collecting feedback. It would be great if you can forward your inputs there: https:/
UPDATE: Changed drafter to Adrian Otto since he drafted this BP. Changed direction to Needs approval. Sorry. I won't approve this BP until we get agreement from the general OpenStack community (Keystone team in particular).
UPDATE2: In the last Magnum team meeting [1], we all agreed to store TLS certificates in Magnum DB as a short term solution.
[1] http://
Gerrit topic: https:/
Addressed by: https:/
[WIP]
Addressed by: https:/
Add x509keypair_