[openstack-dev] [neutron][lbaas] Barbican container lookup from lbaas

2015-09-18 Thread Varun Lodaya
Hi Guys,

With lbaasv2, I noticed that when we try to associate tls containers with lbaas 
listeners, lbaas tries to validate the container and while doing so, tries to 
get keystone token based on tenant/user credentials in neutron.conf file. 
However, the barbican containers could belong to different users in different 
tenants, in that case, container look up would always fail? Am I missing 
something?

Thanks,
Varun
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [neutron][lbaas] Barbican container lookup from lbaas

2015-09-18 Thread Douglas Mendizábal

Hi Varun,

I believe the expected workflow for this use case is:

1. User uploads cert + key to Barbican
2. User grants lbaas access to the barbican certificate container
using the ACL API [1]
3. User requests tls container by providing Barbican container reference

Since the user grants the lbaas user access in step 2, the token
generated using the conf file credentials will be accepted by Barbican
and the certificate will be made available to lbaas.

- - Douglas Mendizábal

[1] http://docs.openstack.org/developer/barbican/api/quickstart/acls.html


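The three-step workflow Douglas describes (store the cert and key, grant the lbaas service user read access through the ACL API, hand the container reference to the listener), written out as an added example against Barbican's v1 REST API. This is not code from the thread or from neutron-lbaas; the endpoint, owner token and lbaas user id are placeholders. It grants the read ACL on the container and on each secret it references, since lbaas fetches the secret payloads too, and includes a check that interprets an ACL response the way the thread's cross-tenant question requires.

```python
import json
import urllib.request
# Constructed placeholders (assumptions): substitute your deployment's values.
BARBICAN = "http://barbican.example:9311"    # Barbican endpoint
OWNER_TOKEN = "<keystone-token-of-cert-owner>"
LBAAS_USER_ID = "<id-of-user-configured-in-neutron.conf>"

def _call(method, url, body=None, token=OWNER_TOKEN):
    """Send one JSON request to Barbican as the certificate owner."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Auth-Token", token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def store_secret(name, pem):
    """Step 1: upload one PEM blob as a secret, return its secret_ref."""
    body = {"name": name, "payload": pem, "payload_content_type": "text/plain"}
    return _call("POST", BARBICAN + "/v1/secrets", body)["secret_ref"]

def certificate_container_body(name, cert_ref, key_ref):
    """Step 1 (cont.): the 'certificate' container type lbaas expects."""
    return {"name": name, "type": "certificate",
            "secret_refs": [{"name": "certificate", "secret_ref": cert_ref},
                            {"name": "private_key", "secret_ref": key_ref}]}

def acl_body(user_ids, project_access=False):
    """Step 2: read ACL listing only the given users; no project-wide access."""
    return {"read": {"users": list(user_ids), "project-access": project_access}}

def lbaas_can_read(acl, lbaas_user_id, same_project):
    """GET .../acl result: lbaas reads if listed, or via project access only if same project."""
    read = acl.get("read", {})
    if lbaas_user_id in read.get("users", []):
        return True
    return bool(read.get("project-access", True)) and same_project  # Barbican default: True

def publish_for_lbaas(cert_pem, key_pem):
    """Steps 1-3 end to end; returns the ref to hand to the lbaas listener."""
    cert_ref = store_secret("lb-cert", cert_pem)
    key_ref = store_secret("lb-key", key_pem)
    container = certificate_container_body("lb-tls", cert_ref, key_ref)
    container_ref = _call("POST", BARBICAN + "/v1/containers", container)["container_ref"]
    # Grant on the container and on each secret: lbaas fetches the payloads too.
    for ref in (container_ref, cert_ref, key_ref):
        _call("PUT", ref + "/acl", acl_body([LBAAS_USER_ID]))
    return container_ref
```

With project-access left at Barbican's default of true, a service user in a different project still cannot read the container, which is exactly the failure the original question describes; listing the user explicitly is what makes the conf-file token acceptable.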


Re: [openstack-dev] [neutron][lbaas] Barbican container lookup from lbaas

2015-09-21 Thread Varun Lodaya
Hey Douglas,

Thanks for the reply. Will look into barbican ACLs and test it out. Also,
had 1 more follow up question...
1) Currently the HAProxy LBaaS instance sits on the controller. The
certificate download happens on the controller too.
2) Once we move to service-vm model, where service-vms could reside on
compute hypervisors, where will the cert download happen? Still on
controller in the flow?

Thanks,
Varun





Re: [openstack-dev] [neutron][lbaas] Barbican container lookup from lbaas

2015-09-21 Thread Douglas Mendizábal

I'm not familiar with the low level details of the lbaas
implementation, so hopefully someone from the lbaas team will be able
to answer this.

The URL I sent last week for the API docs has been updated though.
Here's the current URL:

http://docs.openstack.org/developer/barbican/api/index.html

- - Douglas

