[Glare][TC][All] Past, Present and Future of Glare project
Mikhail Fedosin
2017-06-26 14:35:29 UTC
Hello! It's me again. I hasten to inform you about the latest news in the Glare
project!

To begin with, I want to say that:

First, we created the stable branch (stable/ocata), which is already used
in production. This is undoubtedly a joyful event and the result of long
months of work!
Secondly, we are adding integration with Mistral:
https://review.openstack.org/#/c/473898/
Third, we moved on to the active implementation of new features. In
general, I promised them for a long time already, but we decided to devote
the last few months to stabilize the project and make it good for
production. The next big release is scheduled for late August, and there we
will add:
* ACLs aka sharing of artifacts, where tenants can share their artifacts
with others.
* Dynamic quotas, when the operator can choose how much data for what
type a particular tenant can upload (for instance, Anna can upload 1 Tb of
images and 100Mb of heat templates; Betty can upload 500Gb of images and
50Mb of heat templates, and so on)
* Asynchronous data processing, which can be used for background
conversion and validation of large amounts of data on the server side.
* Storage of secrets - a new artifact type in Glare, which will store
private information (keys, passwords, etc.) in an encrypted form (like in
Barbican).

Now I want to discuss a few questions with OpenStack community and get some
opinions.

1. Generally speaking, I want to make the development of Glare more open
and create a community around the project. Currently two full-time engineers
from Nokia plus me are engaged in the development of Glare. But as you can see
we have a large list of tasks, and we will gladly accept more people.
Perhaps someone from Glance, Nova or Cinder projects will want to
participate in the development.

2. We would like to become an official OpenStack project, and in general we
follow all the necessary rules and recommendations, starting from weekly
IRC meetings and our own channel, to Apache license and Keystone support.
For this reason, I want to file an application and hear objections and
recommendations on this matter.

3. Finally, I want to discuss the future of the project and its role in
OpenStack. As has been noted many times, the project is capable of much
more, and we only need to find the right application for it. I believe that
this issue will be conceptually discussed in Denver, but nevertheless we
must prepare for it right now.

Thanks in advance for your suggestions!

Best,
Mike
Jay Pipes
2017-06-26 14:45:13 UTC
Post by Mikhail Fedosin
* Storage of secrets - a new artifact type in Glare, which will store
private information (keys, passwords, etc.) in an encrypted form (like
in Barbican).
Does the above mean you are implementing a shared secret storage solution
or that you are going to use an existing solution like Barbican that
does that?

Best,
-jay

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-***@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin
Mikhail Fedosin
2017-06-26 15:32:13 UTC
Post by Mikhail Fedosin
* Storage of secrets - a new artifact type in Glare, which will store
private information (keys, passwords, etc.) in an encrypted form (like in
Barbican).
Does the above mean you are implementing a shared secret storage solution or
that you are going to use an existing solution like Barbican that does that?

Secrets is a plugin for Glare we developed for the Nokia CloudBand platform,
and they just decided to open-source it. It doesn't use Barbican;
technically it is an oslo.versionedobjects class.


Best,
-jay
Jay Pipes
2017-06-26 16:06:25 UTC
Post by Mikhail Fedosin
* Storage of secrets - a new artifact type in Glare, which
will store private information (keys, passwords, etc.) in an
encrypted form (like in Barbican).
Does the above mean you are implementing a shared secret storage
solution or that you are going to use an existing solution like
Barbican that does that?
Secrets is a plugin for Glare we developed for the Nokia CloudBand platform,
and they just decided to open-source it. It doesn't use Barbican;
technically it is an oslo.versionedobjects class.
Sorry to hear that you opted not to use Barbican.

But, I'm confused what oslo.versionedobjects has to do with secrets
storage. Could you explain?

Best,
-jay

Mikhail Fedosin
2017-06-26 18:29:49 UTC
Post by Mikhail Fedosin
* Storage of secrets - a new artifact type in Glare, which
will store private information (keys, passwords, etc.) in an
encrypted form (like in Barbican).
Does the above mean you are implementing a shared secret storage
solution or that you are going to use an existing solution like
Barbican that does that?
Secrets is a plugin for Glare we developed for the Nokia CloudBand platform,
and they just decided to open-source it. It doesn't use Barbican;
technically it is an oslo.versionedobjects class.
Sorry to hear that you opted not to use Barbican.

I think it's only because Keycloak integration is required by Nokia's
system and Barbican doesn't support it.


But, I'm confused what oslo.versionedobjects has to do with secrets
storage. Could you explain?

Oslo.versionedobjects just defines the structure of an artifact type. But we
also implemented two new field types for oslo_vo - Blob and Folder - which
can be used similarly to Integer or String.

When a user tries to write data to a Blob field it is automatically decoded
and uploaded to a cloud store by the glance_store library. And vice versa:
when a user reads data from the Blob field it is downloaded from the store and
decoded.

So, consider Glare as a synergy of glance_store and oslo.versionedobjects
with a RESTful API above it.



Best,
-jay
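To make the Blob-field mechanism described in the post above concrete, here is an added, self-contained Python sketch that is not Glare's code and does not use the real oslo.versionedobjects or glance_store APIs: a descriptor-style Blob field decodes base64 text on write, enforces a per-artifact byte quota in the spirit of the dynamic quotas mentioned earlier in the thread, uploads the bytes to an in-memory stand-in store, and on read downloads them and verifies a recorded SHA-256 before re-encoding. MemoryStore, HeatTemplate, QuotaExceeded and round_trip are constructed names for this illustration.

```python
import base64
import hashlib

class MemoryStore:
    """Constructed in-memory stand-in for a glance_store backend."""
    def __init__(self):
        self.objects = {}
    def add(self, blob_id, data):
        self.objects[blob_id] = data
        return "mem://" + blob_id
    def get(self, location):
        return self.objects[location[len("mem://"):]]

class QuotaExceeded(Exception):
    pass

class Blob:
    """Hypothetical field (not Glare's): base64 text in, bytes uploaded to
    the store under a quota; reads download, verify SHA-256, re-encode."""
    def __set_name__(self, owner, name):
        self.name = name
    def __set__(self, art, b64_text):
        data = base64.b64decode(b64_text, validate=True)
        used = sum(m["size"] for k, m in art.blobs.items() if k != self.name)
        if used + len(data) > art.quota:
            raise QuotaExceeded("upload would exceed quota of %d bytes" % art.quota)
        location = art.store.add(art.name + "/" + self.name, data)
        art.blobs[self.name] = {"location": location, "size": len(data),
                                "checksum": hashlib.sha256(data).hexdigest()}
    def __get__(self, art, owner=None):
        if art is None:
            return self
        meta = art.blobs[self.name]
        data = art.store.get(meta["location"])
        if hashlib.sha256(data).hexdigest() != meta["checksum"]:
            raise ValueError("checksum mismatch for " + meta["location"])
        return base64.b64encode(data).decode("ascii")

class HeatTemplate:
    template = Blob()   # constructed artifact type with one Blob field
    def __init__(self, name, store, quota):
        self.name, self.store, self.quota, self.blobs = name, store, quota, {}

def round_trip(payload, quota=1024):
    """Write payload via the field, read it back: (stored bytes, base64 text)."""
    store = MemoryStore()
    art = HeatTemplate("tmpl-1", store, quota)
    art.template = base64.b64encode(payload).decode("ascii")
    return store.objects["tmpl-1/template"], art.template
```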
Thierry Carrez
2017-06-27 08:42:24 UTC
Post by Jay Pipes
Does the above mean you are implementing a shared secret storage
solution or that you are going to use an existing solution like
Barbican that does that?
Secrets is a plugin for Glare we developed for the Nokia CloudBand
platform, and they just decided to open-source it. It doesn't
use Barbican; technically it is an oslo.versionedobjects class.
Sorry to hear that you opted not to use Barbican.
I think it's only because Keycloak integration is required by Nokia's
system and Barbican doesn't support it.
Any technical reason why it couldn't be added to Barbican? Any chance
Keycloak integration could be added as a Castellan backend? Secrets
management is really one of those things that should *not* be reinvented
in every project. It is easier to get wrong than people think, and you
end up having to do security audits on 10 repositories instead of one.
--
Thierry Carrez (ttx)

Adam Heczko
2017-06-27 09:35:42 UTC
Barbican already supports multiple secret storage backends [1] and most
likely adding Keycloak's one [2] should be possible.

[1] https://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
[2] https://github.com/jpkrohling/secret-store
Post by Jay Pipes
Does the above mean you are implementing a shared secret storage
solution or that you are going to use an existing solution like
Barbican that does that?
Secrets is a plugin for Glare we developed for the Nokia CloudBand
platform, and they just decided to open-source it. It doesn't
use Barbican; technically it is an oslo.versionedobjects class.
Sorry to hear that you opted not to use Barbican.
I think it's only because Keycloak integration is required by Nokia's
system and Barbican doesn't support it.
Any technical reason why it couldn't be added to Barbican? Any chance
Keycloak integration could be added as a Castellan backend? Secrets
management is really one of those things that should *not* be reinvented
in every project. It is easier to get wrong than people think, and you
end up having to do security audits on 10 repositories instead of one.
--
Thierry Carrez (ttx)
--
Adam Heczko
Security Engineer @ Mirantis Inc.
Jay Pipes
2017-06-27 12:33:42 UTC
From what I can tell, Keycloak is an Identity provider, not a secret store?

-jay
Post by Adam Heczko
Barbican already supports multiple secret storage backends [1] and most
likely adding Keycloak's one [2] should be possible.
[1] https://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
[2] https://github.com/jpkrohling/secret-store
Post by Jay Pipes
Does the above mean you are implementing a shared secret storage
solution or that you are going to use an existing solution like
Barbican that does that?
Secrets is a plugin for Glare we developed for the Nokia CloudBand
platform, and they just decided to open-source it. It doesn't
use Barbican; technically it is an oslo.versionedobjects class.
Sorry to hear that you opted not to use Barbican.
I think it's only because Keycloak integration is required by Nokia's
system and Barbican doesn't support it.
Any technical reason why it couldn't be added to Barbican? Any chance
Keycloak integration could be added as a Castellan backend? Secrets
management is really one of those things that should *not* be reinvented
in every project. It is easier to get wrong than people think, and you
end up having to do security audits on 10 repositories instead of one.
--
Thierry Carrez (ttx)
--
Adam Heczko
Mikhail Fedosin
2017-06-27 15:41:58 UTC
Post by Jay Pipes
From what I can tell, Keycloak is an Identity provider, not a secret store?
Yes! I should explain in more detail.
CloudBand is a big enterprise system for SDN, and OpenStack is a part of it.
The default Identity provider of the system is Keycloak.
Currently Glare is used there not as a part of an OpenStack deployment, but as
a standalone service outside of OpenStack.
For this reason, earlier this year we implemented Keycloak auth middleware
for the server and an authentication mechanism in the client,
i.e. we can use Keycloak instead of Keystone.

The decision regarding the secrets was taken on the grounds that Barbican
does not have such an ability, and it's tightly attached
to Keystone. Moreover, it was not difficult to implement the plugin for
Glare.
As I said, originally this is a private plugin, which it was decided to
open-source for the OpenStack community. If this is not required, then
we can always cancel it. I don't see any problems with this.
Post by Jay Pipes
-jay
Post by Adam Heczko
Barbican already supports multiple secret storage backends [1] and most
likely adding Keycloak's one [2] should be possible.
[1] https://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
[2] https://github.com/jpkrohling/secret-store
Post by Jay Pipes
Does the above mean you are implementing a shared secret storage
solution or that you are going to use an existing solution like
Barbican that does that?
Secrets is a plugin for Glare we developed for the Nokia CloudBand
platform, and they just decided to open-source it. It doesn't
use Barbican; technically it is an oslo.versionedobjects class.
Sorry to hear that you opted not to use Barbican.
I think it's only because Keycloak integration is required by Nokia's
system and Barbican doesn't support it.
Any technical reason why it couldn't be added to Barbican? Any chance
Keycloak integration could be added as a Castellan backend? Secrets
management is really one of those things that should *not* be reinvented
in every project. It is easier to get wrong than people think, and you
end up having to do security audits on 10 repositories instead of one.
--
Thierry Carrez (ttx)
--
Adam Heczko
Flavio Percoco
2017-06-27 07:19:52 UTC
Post by Mikhail Fedosin
2. We would like to become an official OpenStack project, and in general we
follow all the necessary rules and recommendations, starting from weekly
IRC meetings and our own channel, to Apache license and Keystone support.
For this reason, I want to file an application and hear objections and
recommendations on this matter.
Note that IRC meetings are not a requirement anymore: https://review.openstack.org/#/c/462077/

As far as the rest of the process goes, it looks like you are all good to go.
I'd recommend you submit the request to the governance repo and let the
discussion begin: https://governance.openstack.org/tc/reference/new-projects-requirements.html

Flavio

--
@flaper87
Flavio Percoco
Mikhail Fedosin
2017-06-27 15:44:04 UTC
Post by Flavio Percoco
Post by Mikhail Fedosin
2. We would like to become an official OpenStack project, and in general we
follow all the necessary rules and recommendations, starting from weekly
IRC meetings and our own channel, to Apache license and Keystone support.
For this reason, I want to file an application and hear objections and
recommendations on this matter.
https://review.openstack.org/#/c/462077/
As far as the rest of the process goes, it looks like you are all good to go.
I'd recommend you submit the request to the governance repo and let the
discussion begin: https://governance.openstack.org/tc/reference/new-projects-requirements.html
Flavio
Thank you Flavio - it's exactly what I'm supposed to do!
Post by Flavio Percoco
--
@flaper87
Flavio Percoco