Is there a documentation which records step by step? What is Neutron-LBaaS tenant?
Is it the tenant who is configuring the listener? *OR* is it some tenant which is created for lbaas plugin that is the having all secrets for all tenants configuring lbaas. >>You need to set up ACLs on the Barbican side for that container, to make it >>readable to the Neutron-LBaaS tenant. I checked the ACL docs http://docs.openstack.org/developer/barbican/api/quickstart/acls.html The ACL API is to allow “users”(not “Tenants”) access to secrets/containers. What is the API or CLI that the admin will use to allow access of the tenant’s secret+container to Neutron-LBaaS tenant. From: Adam Harwell [mailto:adam.harw...@rackspace.com] Sent: 15 September 2015 03:00 To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org> Subject: Re: [openstack-dev] [neutron][lbaas] Is SSL offload config possible using non "admin" tenant? You need to set up ACLs on the Barbican side for that container, to make it readable to the Neutron-LBaaS tenant. For now, the tenant-id should just be documented, but we are looking into making an API call that would expose the admin tenant-id to the user so they can make an API call to discover it. Once the user has the neutron-lbaas tenant ID, they use the Barbican ACL system to add that ID as a readable user of the container and all of the secrets. Then Neutron-LBaaS hits barbican with the credentials of the admin tenant, and is granted access to the user’s container. --Adam https://keybase.io/rm_you From: Vijay Venkatachalam <vijay.venkatacha...@citrix.com<mailto:vijay.venkatacha...@citrix.com>> Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>> Date: Friday, September 11, 2015 at 2:35 PM To: "OpenStack Development Mailing List (openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>)" <openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>> Subject: [openstack-dev] [neutron][lbaas] Is SSL offload config possible using non "admin" tenant? Hi, Has anyone tried configuring SSL Offload as a tenant? During listener creation there is an error thrown saying ‘could not locate/find container’. The lbaas plugin is not able to fetch the tenant’s certificate. From the code it looks like the lbaas plugin is tyring to connect to barbican with keystone details provided in neutron.conf Which is by default username = “admin” and tenant_name =”admin”. This means lbaas plugin is looking for tenant’s ceritifcate in “admin” tenant, which it will never be able to find. What is the procedure for the lbaas plugin to get hold of the tenant’s certificate? Assuming “admin” user has access to all tenant’s certificates. Should the lbaas plugin connect to barbican with username=’admin’ and tenant_name = listener’s tenant_name? Is this, the way forward ? *OR* Am I missing something? Thanks, Vijay V.
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
