You need to set up ACLs on the Barbican side for that container, to make it 
readable to the Neutron-LBaaS tenant. For now, the tenant-id should just be 
documented, but we are looking into making an API call that would expose the 
admin tenant-id to the user so they can make an API call to discover it.

Once the user has the neutron-lbaas tenant ID, they use the Barbican ACL system 
to add that ID as a readable user of the container and all of the secrets. Then 
Neutron-LBaaS hits Barbican with the credentials of the admin tenant, and is 
granted access to the user’s container.

--Adam

https://keybase.io/rm_you


From: Vijay Venkatachalam <[email protected]>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <[email protected]>
Date: Friday, September 11, 2015 at 2:35 PM
To: "OpenStack Development Mailing List ([email protected])" <[email protected]>
Subject: [openstack-dev] [neutron][lbaas] Is SSL offload config possible using non "admin" tenant?

Hi,

Has anyone tried configuring SSL Offload as a tenant?
During listener creation there is an error thrown saying ‘could not locate/find container’.
The lbaas plugin is not able to fetch the tenant’s certificate.

From the code it looks like the lbaas plugin is trying to connect to barbican with keystone details provided in neutron.conf,
which is by default username = “admin” and tenant_name = “admin”.
This means lbaas plugin is looking for tenant’s certificate in “admin” tenant, which it will never be able to find.

What is the procedure for the lbaas plugin to get hold of the tenant’s certificate?

Assuming “admin” user has access to all tenants’ certificates, should the lbaas plugin connect to barbican with username=’admin’ and tenant_name = listener’s tenant_name?

Is this the way forward? *OR* Am I missing something?


Thanks,
Vijay V.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
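
The ACL step described in the reply above, sketched as an added example that is not code from the thread or from Neutron-LBaaS: it plans the read grants for a certificate container and every secret it references. The endpoint, IDs and sample documents are constructed, and it assumes the documented identifier is a Keystone user ID, which is what the `users` list in Barbican's ACL API takes.

```python
"""Plan the Barbican ACL grants a TLS container needs before LBaaS can read it."""
import json

BASE = "https://barbican.example.test/v1"   # constructed endpoint
LBAAS_USER_ID = "lbaas-service-user-id"     # placeholder; use the documented ID

# Constructed sample: a certificate container as returned by GET /v1/containers/{id}
SAMPLE_CONTAINER = {
    "container_ref": f"{BASE}/containers/c-0001",
    "type": "certificate",
    "secret_refs": [
        {"name": "certificate", "secret_ref": f"{BASE}/secrets/s-cert"},
        {"name": "private_key", "secret_ref": f"{BASE}/secrets/s-key"},
        {"name": "intermediates", "secret_ref": f"{BASE}/secrets/s-chain"},
    ],
}
# Constructed sample: read ACLs already present, keyed by resource ref
SAMPLE_EXISTING_ACLS = {
    f"{BASE}/secrets/s-cert": {"read": {"users": [LBAAS_USER_ID], "project-access": True}},
    f"{BASE}/secrets/s-key": {"read": {"users": ["auditor-user-id"], "project-access": False}},
}

def plan_acl_grants(container, reader_id, existing_acls=None):
    """Return (method, url, body) for each resource reader_id cannot read yet.

    Covers the container and every secret it references. PUT replaces the
    whole read ACL, so users already listed are carried over.
    """
    existing_acls = existing_acls or {}
    targets = [container["container_ref"]]
    targets += [s["secret_ref"] for s in container.get("secret_refs", [])]
    plan = []
    for ref in targets:
        current = existing_acls.get(ref, {}).get("read", {})
        users = list(current.get("users", []))
        if reader_id in users:
            continue  # grant already in place
        body = {"read": {"users": users + [reader_id],
                         "project-access": current.get("project-access", True)}}
        plan.append(("PUT", ref.rstrip("/") + "/acl", body))
    return plan

if __name__ == "__main__":
    for method, url, body in plan_acl_grants(SAMPLE_CONTAINER, LBAAS_USER_ID, SAMPLE_EXISTING_ACLS):
        print(method, url, json.dumps(body))
```

A container whose private key secret is left out of the grants still fails at listener creation, which is why the plan walks `secret_refs` rather than stopping at the container.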
