-----Original Message-----
From: Adam Young <ayo...@redhat.com>
Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
Date: March 20, 2016 at 12:03:01
To: openstack-dev@lists.openstack.org <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [oslo][all] What would you like changed/fixed/new in oslo??

> On 03/19/2016 11:33 PM, Joshua Harlow wrote:
> > Howdy all,
> >
> > Just to start some conversation for the next cycle,
> >
> > I wanted to start thinking about what folks may like to see in oslo
> > (or yes, even what u dislike in any of the oslo libraries).
> >
> > For those who don't know, oslo[1] is a lot of libraries (27+) so one
> > of my complaints (and one I will try to help make better) is that most
> > people probably don't know what the different 'offerings' of these
> > libraries are or how to use them (docs, tutorials, docs, and more docs).
> >
> > I'll pick another pet-peeve of mine as a second one to get people
> > thinking.
> >
> > 2) The lack of oslo.messaging having a good security scheme (even
> > something basic as a hmac or signature that can be verified, this
> > scares the heck out of me what is possible over RPC) turned on by
> > default so I'd like to start figuring out how to get *something*
> > (basic == HMAC signature, or maybe advanced == barbican or ???)
>
> Red Herring. We don't need HMAC. We need to make better use of the
> tools in Rabbit.
>
> 1. Split the vhosts between notifications and control plane. The code
> is in place to do this already, but we need to update the configuration
> tools to make use of that.

I'd agree that this definitely makes sense.

> 2. Drop the default login and password. All services, and all compute
> nodes should get their own Rabbit user and an autogenerated password.
> Even better would be to use Client Certificate validation, but that
> requires a CA.

The OpenStack Ansible project already does this. I'd be surprised if the other deployment projects aren't already doing this. Besides, I'm not certain this is something that oslo/oslo.messaging can enforce.

> 3. We desperately need a CA story.

Like Anchor (https://wiki.openstack.org/wiki/Security/Projects/Anchor, https://git.openstack.org/openstack/anchor)?

--
Ian Cordasco
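
The broker layout proposed in points 1 and 2 of the quoted reply, sketched as an added example (not part of either message and not any deployment project's tooling). It only prints the `rabbitmqctl` commands and the matching oslo.messaging settings; the host name, vhost names and account names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints (does not run) broker commands and service settings.
# Host, vhost and account names are constructed for illustration.
RABBIT_HOST="rabbit.example.org"   # placeholder broker host
RPC_VHOST="control"                # assumed vhost for RPC (control plane)
NOTIFY_VHOST="notifications"       # assumed vhost for notifications

# 32 hex characters (128 bits) read from the kernel CSPRNG.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# One-time broker setup: both vhosts exist, the default account does not.
plan_broker() {
    printf 'rabbitmqctl add_vhost %s\n' "$RPC_VHOST" "$NOTIFY_VHOST"
    printf 'rabbitmqctl delete_user guest\n'
}

# plan_user USER PASSWORD VHOST...
# Permissions are per vhost, so the account reaches only the vhosts listed.
plan_user() {
    pu_user="$1"; pu_pass="$2"; shift 2
    printf 'rabbitmqctl add_user %s %s\n' "$pu_user" "$pu_pass"
    for pu_vhost in "$@"; do
        printf "rabbitmqctl set_permissions -p %s %s '.*' '.*' '.*'\n" \
            "$pu_vhost" "$pu_user"
    done
}

# plan_config USER PASSWORD: oslo.messaging settings, one vhost per traffic type.
plan_config() {
    printf '[DEFAULT]\ntransport_url = rabbit://%s:%s@%s:5672/%s\n' \
        "$1" "$2" "$RABBIT_HOST" "$RPC_VHOST"
    printf '[oslo_messaging_notifications]\ntransport_url = rabbit://%s:%s@%s:5672/%s\n' \
        "$1" "$2" "$RABBIT_HOST" "$NOTIFY_VHOST"
}

plan_broker
pw="$(gen_password)"
plan_user nova-compute-node01 "$pw" "$RPC_VHOST" "$NOTIFY_VHOST"
plan_config nova-compute-node01 "$pw"
# A notification-only consumer gets no permissions on the control-plane vhost.
plan_user telemetry-agent "$(gen_password)" "$NOTIFY_VHOST"
```

The `add_user` lines contain the generated passwords, so the printed plan needs the same handling as any other secret.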