On Tue, Sep 3, 2013 at 7:27 PM, Bryan D. Payne <bdpa...@acm.org> wrote:
> > > How can someone use your code without a key manager?
>>>
>>> Some key management mechanism is required although it could be
>>> simplistic. For example, we’ve tested our code internally with an
>>> implementation of the key manager interface that returns a single, constant
>>> key.
>>>
>> That works for testing but doesn't address: "the current dearth of key
>> management within OpenStack does not preclude the use of our existing work
>> within a production environment"
>>
>
> My understanding here is that users are free to use any key management
> mechanism that they see fit. This can be a simple "return a static key"
> option. Or it could be using something more feature rich like Barbican.
> Or it could be something completely home grown that is suited to a
> particular OpenStack deployment.
>
> I don't understand why we are getting hung up on having a key manager as
> part of OpenStack in order to accept this work. Clearly there are other
> pieces of OpenStack that have external dependencies (message queues, to
> name one).
>
> I, for one, am looking forward to using this feature and would be very
> disappointed to see it pushed back for yet another release.
>
>
>> Is a feature complete if no one can use it?
>>
>> I am happy with a less than secure but fully functional key manager. But
>> with no key manager that can be used in a real deployment, what is the
>> value of including this code?
>>
>
> Of course people can use it. They just need to integrate with some
> solution of the deployment's choosing that provides key management
> capabilities. And, of course, if you choose to not use the volume
> encryption then you don't need to worry about it at all.
>
> I've watched this feature go through many, many iterations throughout both
> the Grizzly and Havana release cycles. The authors have been working hard
> to address everyone's concerns. In fact, they have navigated quite a
> gauntlet to get this far. And what they have now is an excellent, working
> solution. Let's accept this nice security enhancement and move forward.
>
> Cheers,
> -bryan
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

Do you have any docs or guides describing a reference implementation that would be able to use this in the manner you describe?