Re: [openstack-dev] [Glare][TC][All] Past, Present and Future of Glare project

2017-06-27 Thread Mikhail Fedosin
On Tue, Jun 27, 2017 at 10:19 AM, Flavio Percoco wrote:

> On 26/06/17 17:35 +0300, Mikhail Fedosin wrote:
>
>> 2. We would like to become an official OpenStack project, and in general we
>> follow all the necessary rules and recommendations, starting from weekly
>> IRC meetings and our own channel, to Apache license and Keystone support.
>> For this reason, I want to file an application and hear objections and
>> recommendations on this matter.
>>
>
> Note that IRC meetings are not a requirement anymore:
> https://review.openstack.org/#/c/462077/
>
> As far as the rest of the process goes, it looks like you are all good to
> go.
> I'd recommend you to submit the request to the governance repo and let the
> discussion begin:
> https://governance.openstack.org/tc/reference/new-projects-requirements.html
>
> Flavio
>

Thank you Flavio - it's exactly what I'm supposed to do!

>
> --
> @flaper87
> Flavio Percoco
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Glare][TC][All] Past, Present and Future of Glare project

2017-06-27 Thread Mikhail Fedosin
On Tue, Jun 27, 2017 at 3:33 PM, Jay Pipes wrote:

> From what I can tell, Keycloak is an Identity provider, not a secret store?

Yes! I should explain in more detail.

CloudBand is a big enterprise system for SDN, and OpenStack is a part of it.
The default Identity provider of the system is Keycloak.
Currently Glare is used there not as a part of an OpenStack deployment, but
as a standalone service outside of OpenStack. For this reason, earlier this
year we implemented Keycloak auth middleware for the server and an
authentication mechanism in the client, i.e. we can use Keycloak instead of
Keystone.

The decision regarding the secrets was taken on the grounds that Barbican
does not have such an ability, and it's tightly attached to Keystone.
Moreover, it was not difficult to implement the plugin for Glare.
As I said, originally this was a private plugin, which it was decided to
opensource for the OpenStack community. If this is not required, then we
can always cancel it. I don't see any problems with this.


> -jay
>
> On 06/27/2017 05:35 AM, Adam Heczko wrote:
>
>> Barbican already supports multiple secret storage backends [1] and most
>> likely adding Keycloak's one [2] should be possible.
>>
>> [1] https://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
>> [2] https://github.com/jpkrohling/secret-store
>>
>> On Tue, Jun 27, 2017 at 10:42 AM, Thierry Carrez wrote:
>>
>> Mikhail Fedosin wrote:
>> > Does the above mean you are implementing a shared secret storage
>> > solution or that you are going to use an existing solution like
>> > Barbican that does that?
>> >
>> > Secrets is a plugin for Glare we developed for Nokia CloudBand
>> > platform, and they just decided to opensource it. It doesn't
>> > use Barbican, technically it is an oslo.versionedobjects class.
>> >
>> > Sorry to hear that you opted not to use Barbican.
>> >
>> > I think it's only because Keycloak integration is required by Nokia's
>> > system and Barbican doesn't support it.
>>
>> Any technical reason why it couldn't be added to Barbican ? Any chance
>> Keycloak integration could be added as a Castellan backend ? Secrets
>> management is really one of those things that should *not* be
>> reinvented
>> in every project. It is easier to get wrong than people think, and you
>> end up having to do security audits on 10 repositories instead of one.
>>
>> --
>> Thierry Carrez (ttx)
>>
>> --
>> Adam Heczko
>> Security Engineer @ Mirantis Inc.


Re: [openstack-dev] [Glare][TC][All] Past, Present and Future of Glare project

2017-06-27 Thread Jay Pipes

From what I can tell, Keycloak is an Identity provider, not a secret store?

-jay

On 06/27/2017 05:35 AM, Adam Heczko wrote:
Barbican already supports multiple secret storage backends [1] and most 
likely adding Keycloak's one [2] should be possible.


[1] https://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
[2] https://github.com/jpkrohling/secret-store

On Tue, Jun 27, 2017 at 10:42 AM, Thierry Carrez wrote:


Mikhail Fedosin wrote:
> Does the above mean you are implementing a shared secret storage
> solution or that you are going to use an existing solution like
> Barbican that does that?
>
> Secrets is a plugin for Glare we developed for Nokia CloudBand
> platform, and they just decided to opensource it. It doesn't
> use Barbican, technically it is an oslo.versionedobjects class.
>
> Sorry to hear that you opted not to use Barbican.
>
> I think it's only because Keycloak integration is required by Nokia's
> system and Barbican doesn't support it.

Any technical reason why it couldn't be added to Barbican ? Any chance
Keycloak integration could be added as a Castellan backend ? Secrets
management is really one of those things that should *not* be reinvented
in every project. It is easier to get wrong than people think, and you
end up having to do security audits on 10 repositories instead of one.

--
Thierry Carrez (ttx)

--
Adam Heczko
Security Engineer @ Mirantis Inc.




Re: [openstack-dev] [Glare][TC][All] Past, Present and Future of Glare project

2017-06-27 Thread Adam Heczko
Barbican already supports multiple secret storage backends [1] and most
likely adding Keycloak's one [2] should be possible.

[1]
https://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
[2] https://github.com/jpkrohling/secret-store

On Tue, Jun 27, 2017 at 10:42 AM, Thierry Carrez wrote:

> Mikhail Fedosin wrote:
> > Does the above mean you are implementing a shared secret storage
> > solution or that you are going to use an existing solution like
> > Barbican that does that?
> >
> > Secrets is a plugin for Glare we developed for Nokia CloudBand
> > platform, and they just decided to opensource it. It doesn't
> > use Barbican, technically it is an oslo.versionedobjects class.
> >
> > Sorry to hear that you opted not to use Barbican.
> >
> > I think it's only because Keycloak integration is required by Nokia's
> > system and Barbican doesn't support it.
>
> Any technical reason why it couldn't be added to Barbican ? Any chance
> Keycloak integration could be added as a Castellan backend ? Secrets
> management is really one of those things that should *not* be reinvented
> in every project. It is easier to get wrong than people think, and you
> end up having to do security audits on 10 repositories instead of one.
>
> --
> Thierry Carrez (ttx)
>



-- 
Adam Heczko
Security Engineer @ Mirantis Inc.


Re: [openstack-dev] [Glare][TC][All] Past, Present and Future of Glare project

2017-06-27 Thread Thierry Carrez
Mikhail Fedosin wrote:
> Does the above mean you are implementing a shared secret storage
> solution or that you are going to use an existing solution like
> Barbican that does that?
> 
> Secrets is a plugin for Glare we developed for Nokia CloudBand
> platform, and they just decided to opensource it. It doesn't
> use Barbican, technically it is an oslo.versionedobjects class.
> 
> Sorry to hear that you opted not to use Barbican.
> 
> I think it's only because Keycloak integration is required by Nokia's
> system and Barbican doesn't support it.

Any technical reason why it couldn't be added to Barbican ? Any chance
Keycloak integration could be added as a Castellan backend ? Secrets
management is really one of those things that should *not* be reinvented
in every project. It is easier to get wrong than people think, and you
end up having to do security audits on 10 repositories instead of one.

-- 
Thierry Carrez (ttx)



Re: [openstack-dev] [Glare][TC][All] Past, Present and Future of Glare project

2017-06-27 Thread Flavio Percoco

On 26/06/17 17:35 +0300, Mikhail Fedosin wrote:

2. We would like to become an official OpenStack project, and in general we
follow all the necessary rules and recommendations, starting from weekly
IRC meetings and our own channel, to Apache license and Keystone support.
For this reason, I want to file an application and hear objections and
recommendations on this matter.


Note that IRC meetings are not a requirement anymore: 
https://review.openstack.org/#/c/462077/

As far as the rest of the process goes, it looks like you are all good to go.
I'd recommend you to submit the request to the governance repo and let the
discussion begin: 
https://governance.openstack.org/tc/reference/new-projects-requirements.html

Flavio

--
@flaper87
Flavio Percoco




Re: [openstack-dev] [Glare][TC][All] Past, Present and Future of Glare project

2017-06-26 Thread Mikhail Fedosin
On Jun 26, 2017 7:14 PM, "Jay Pipes" wrote:

On 06/26/2017 11:32 AM, Mikhail Fedosin wrote:


>
> On Jun 26, 2017 5:54 PM, "Jay Pipes" wrote:
>
> On 06/26/2017 10:35 AM, Mikhail Fedosin wrote:
>
> * Storage of secrets - a new artifact type in Glare, which
> will store private information (keys, passwords, etc.) in an
> encrypted form (like in Barbican).
>
>
> Does the above mean you are implementing a shared secret storage
> solution or that you are going to use an existing solution like
> Barbican that does that?
>
> Secrets is a plugin for Glare we developed for Nokia CloudBand platform,
> and they just decided to opensource it. It doesn't use Barbican,
> technically it is an oslo.versionedobjects class.
>

Sorry to hear that you opted not to use Barbican.

I think it's only because Keycloak integration is required by Nokia's
system and Barbican doesn't support it.


But, I'm confused what oslo.versionedobjects has to do with secrets
storage. Could you explain?

Oslo.versionedobjects just defines a structure of artifact type. But we
also implemented two new field types for oslo_vo - Blob and Folder, which
can be used similar to Integer or String.

When a user tries to write data to a Blob field it is automatically decoded
and uploaded to a cloud store by the glance_store library. And vice versa:
when a user reads data from the Blob field it is downloaded from the store
and decoded.

So, consider Glare as a synergy of glance_store and oslo.versionedobjects
with RESTful API above it.



Best,
-jay

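The Blob-field mechanism described in the message above (assigning a field uploads the data to a glance_store backend, reading it downloads the data back), as an added stand-alone example that is not Glare code and uses neither oslo.versionedobjects nor glance_store. The Store, Artifact, Image and Secret classes, the key, and the toy_seal/toy_open cipher are all assumptions made for this example. It shows two things a practitioner would want to check in a secrets artifact built on this pattern: the checksum recorded at upload is re-verified on read, so a blob altered in the backend is rejected, and a plain Blob hands the backend exactly what was written, so a secrets type has to seal the data before it enters the upload path, with the key held somewhere other than the artifact itself (the job a key manager such as Barbican, reached through Castellan, does in OpenStack).

```python
# Added example (not Glare code): the Blob-field pattern over a stand-in store. Assumptions,
# all hypothetical: Store stands in for a glance_store backend, Artifact for the
# oslo.versionedobjects base class, toy_seal/toy_open for a real AEAD keyed by a key manager.
import hashlib
import hmac
import os

class Store:
    # In-memory stand-in for a glance_store backend (constructed for the example).
    def __init__(self):
        self.objects = {}  # location -> raw bytes exactly as the backend sees them
    def add(self, data):
        location = os.urandom(8).hex()
        self.objects[location] = bytes(data)
        return location, hashlib.sha256(data).hexdigest()
    def get(self, location):
        return self.objects[location]

class Blob:
    # Field descriptor: assigning uploads to the store and keeps only location and
    # checksum on the object; reading downloads and re-verifies that checksum.
    def __set_name__(self, owner, name):
        self.name = name
    def __set__(self, obj, data):
        location, checksum = obj.store.add(data)
        obj.__dict__[self.name] = {"location": location, "checksum": checksum}
    def __get__(self, obj, objtype=None):
        if obj is None:
            return self
        meta = obj.__dict__[self.name]
        data = obj.store.get(meta["location"])
        if hashlib.sha256(data).hexdigest() != meta["checksum"]:
            raise ValueError("blob %r was modified in the store" % self.name)
        return data

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a toy keystream, not a production cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def toy_seal(key, plaintext):
    # Returns nonce || ciphertext || tag (encrypt-then-MAC).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def toy_open(key, sealed):
    # Verify the tag before decrypting; anything altered in the store is rejected.
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("secret blob failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class EncryptedBlob(Blob):
    # Same upload/download path as Blob, but the backend only ever sees sealed bytes.
    def __set__(self, obj, data):
        super().__set__(obj, toy_seal(obj.key, data))
    def __get__(self, obj, objtype=None):
        if obj is None:
            return self
        return toy_open(obj.key, super().__get__(obj, objtype))

class Artifact:
    def __init__(self, store, key=None):
        self.store, self.key = store, key  # key is hypothetical; a key manager would supply it

class Image(Artifact):
    image = Blob()

class Secret(Artifact):
    value = EncryptedBlob()

def demo():
    # Round-trip both field kinds and report what the backend actually held.
    store = Store()
    img = Image(store)
    img.image = b"disk image bytes"
    sec = Secret(store, key=b"\x01" * 32)  # constructed key, example only
    sec.value = b"hunter2"
    return {
        "image": img.image,
        "secret": sec.value,
        "store_holds_image_plaintext": store.get(img.__dict__["image"]["location"]) == b"disk image bytes",
        "store_holds_secret_plaintext": b"hunter2" in store.get(sec.__dict__["value"]["location"]),
    }

def tamper_detected():
    # Flip one byte in the backend; the checksum recorded at upload must reject the read.
    store = Store()
    img = Image(store)
    img.image = b"disk image bytes"
    loc = img.__dict__["image"]["location"]
    store.objects[loc] = bytes([store.objects[loc][0] ^ 0xFF]) + store.objects[loc][1:]
    try:
        _ = img.image
    except ValueError:
        return True
    return False
```

demo() returns the two round-trips plus what the backend held for each: the plain Blob leaves the image bytes readable in the store, the EncryptedBlob does not. tamper_detected() returns True because the sha256 recorded at upload no longer matches after one byte is flipped. The HMAC-counter keystream exists only to keep the example dependency-free; a real implementation would use an AEAD from a vetted library and a key fetched from the key manager rather than one stored next to the artifact.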


Re: [openstack-dev] [Glare][TC][All] Past, Present and Future of Glare project

2017-06-26 Thread Jay Pipes

On 06/26/2017 11:32 AM, Mikhail Fedosin wrote:



On Jun 26, 2017 5:54 PM, "Jay Pipes" wrote:


On 06/26/2017 10:35 AM, Mikhail Fedosin wrote:

* Storage of secrets - a new artifact type in Glare, which
will store private information (keys, passwords, etc.) in an
encrypted form (like in Barbican).


Does the above mean you are implementing a shared secret storage
solution or that you are going to use an existing solution like
Barbican that does that?

Secrets is a plugin for Glare we developed for Nokia CloudBand platform,
and they just decided to opensource it. It doesn't use Barbican,
technically it is an oslo.versionedobjects class.


Sorry to hear that you opted not to use Barbican.

But, I'm confused what oslo.versionedobjects has to do with secrets 
storage. Could you explain?


Best,
-jay



Re: [openstack-dev] [Glare][TC][All] Past, Present and Future of Glare project

2017-06-26 Thread Mikhail Fedosin
On Jun 26, 2017 5:54 PM, "Jay Pipes" wrote:

On 06/26/2017 10:35 AM, Mikhail Fedosin wrote:

>* Storage of secrets - a new artifact type in Glare, which will store
> private information (keys, passwords, etc.) in an encrypted form (like in
> Barbican).
>

Does the above mean you are implementing a shared secret storage solution or
that you are going to use an existing solution like Barbican that does that?

Secrets is a plugin for Glare we developed for Nokia CloudBand platform,
and they just decided to opensource it. It doesn't use Barbican,
technically it is an oslo.versionedobjects class.


Best,
-jay



Re: [openstack-dev] [Glare][TC][All] Past, Present and Future of Glare project

2017-06-26 Thread Jay Pipes

On 06/26/2017 10:35 AM, Mikhail Fedosin wrote:
   * Storage of secrets - a new artifact type in Glare, which will store 
private information (keys, passwords, etc.) in an encrypted form (like 
in Barbican).


Does the above mean you are implementing a shared secret storage solution 
or that you are going to use an existing solution like Barbican that 
does that?


Best,
-jay
