On Tue, Mar 14, 2017 at 6:17 PM, Clint Byrum <cl...@fewbar.com> wrote:
> Excerpts from Davanum Srinivas's message of 2017-03-14 13:04:37 -0400:
>> Team,
>>
>> So one more thing popped up again on IRC:
>> https://etherpad.openstack.org/p/oslo.config_etcd_backend
>>
>> What do you think? interested in this work?
>>
>> Thanks,
>> Dims
>>
>> PS: Between this thread and the other one about Tooz/DLM and
>> os-lively, we can probably make a good case to add etcd as a base
>> always-on service.
>>
>
> This is a cool idea, and I think we should do it.
>
> A few loose ends I'd like to see in a spec:
>
> * Security Security Security. (Hoping if I say it 3 times a real
>   security person will appear and ask the hard questions).

I don't consider myself a security expert, but to my limited knowledge:

- etcd v2 API allows authentication:
  https://coreos.com/etcd/docs/latest/v2/authentication.html
- etcd supports SSL/TLS as well as authentication through client
  certificates, both for clients to server as well as peer (server to
  server / cluster) communication

Which sounds pretty secure at this stage, compared to what we have now:
config files with passwords and secrets everywhere.

> * Explain clearly how operators would inspect, edit, and diff their
>   configs.

That's a good question and we clearly need a tool to query etcd and grab
all parameters + values from a project in particular.
One other aspect that we could see is, thanks to
https://review.openstack.org/#/c/440835/ - we would have a single
interface that exposes all parameters in a human-readable format and
lets operators manage these parameters (through a UI or just by reading
in the file).

--
Emilien Macchi

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
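
A sketch of the inspect/diff tool discussed in the message above, added here as an example and not part of the original thread or of oslo.config: it flattens two etcd v2 recursive key listings into `group/option` pairs and reports what changed, masking values of secret-looking options so a diff can be shared without leaking credentials. The `/config/<project>/<group>/<option>` key layout, the sample data and all function names are assumptions.

```python
# Constructed sample data: two etcd v2 "GET <prefix>?recursive=true" node trees.
# The /config/<project>/<group>/<option> layout is an assumption for this example.
PREFIX = "/config/nova"

def leaf(path, value):
    return {"key": PREFIX + path, "value": value}

def directory(path, *nodes):
    return {"key": PREFIX + path, "dir": True, "nodes": list(nodes)}

BEFORE = directory("",
    directory("/DEFAULT", leaf("/DEFAULT/debug", "false")),
    directory("/database",
        leaf("/database/connection", "mysql://nova:old@db/nova"),
        leaf("/database/max_retries", "10")))
AFTER = directory("",
    directory("/DEFAULT", leaf("/DEFAULT/debug", "true")),
    directory("/database", leaf("/database/connection", "mysql://nova:new@db/nova")),
    directory("/keystone_authtoken", leaf("/keystone_authtoken/password", "s3cret")))

# Option names that usually carry credentials; their values are never shown.
SECRET_HINTS = ("password", "secret", "token", "connection")

def flatten(node, prefix=PREFIX):
    """Walk a v2 node tree and return {"group/option": value}."""
    if node.get("dir"):
        out = {}
        for child in node.get("nodes", []):
            out.update(flatten(child, prefix))
        return out
    return {node["key"][len(prefix):].lstrip("/"): node.get("value", "")}

def mask(key, value):
    """Hide the value of a secret-looking option; keep None for 'absent'."""
    if value is not None and any(h in key.lower() for h in SECRET_HINTS):
        return "***"
    return value

def diff(before, after):
    """Return sorted (change, key, old, new) rows for options that differ."""
    rows = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            change = "added" if old is None else "removed" if new is None else "changed"
            rows.append((change, key, mask(key, old), mask(key, new)))
    return rows

if __name__ == "__main__":
    for change, key, old, new in diff(flatten(BEFORE), flatten(AFTER)):
        print(f"{change:8} {key}: {old!r} -> {new!r}")
```

A changed secret still shows up as `changed`, because the comparison happens on the real values before masking.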