<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.openstack.org/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Atiwari</id>
		<title>OpenStack - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.openstack.org/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Atiwari"/>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/wiki/Special:Contributions/Atiwari"/>
		<updated>2026-07-08T17:54:53Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.28.2</generator>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=93835</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=93835"/>
				<updated>2015-10-21T16:20:48Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Contributors */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Contributors==&lt;br /&gt;
# Arvind Tiwari (atiwari)&lt;br /&gt;
# Dave McCowan (dave-mccowam)&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
Over the last 5 years, the OpenStack community has provided support for core cloud services such as Nova, Glance, Cinder, Neutron, Keystone, and Barbican.  These core services provide the fundamental features for most OpenStack deployments.  The community has also also done a great job, providing support services such as Heat, Horizon, Ceilometer, and Monasca, which helps cloud providers and consumers to interact with and manage cloud resources.  &lt;br /&gt;
One area which has not received as much attention is the area of volume encryption.  The import of data security is evident now more than ever.  With scrutiny of OpenStack’s current volume encryption offering, it has become apparent that large gaps exist and this is an area deserving of more attention.   Project Marshal is a new initiative in the community aimed at addressing those gaps, and improving overall data security within the OpenStack platform.&lt;br /&gt;
&lt;br /&gt;
==Recent Evolution Of OpenStack Volume Encryption==&lt;br /&gt;
Recently, OpenStack Barbican has evolved from a key storage facility to more of a key management facility.  It has received many useful features and some are still in the pipeline, but it is still not used in handling many of the desired volume encryption use cases.  In the current flow of volume encryption, when a user chooses to create an encrypted volume using the Cinder API, an associated encryption key will be created in Barbican.  A key reference is stored in Cinder along with the disk metadata.  The key is later retrieved by Nova from Barbican and provided to the disk encryption subsystem (eg, dm-crypt) while attaching the disk to VM, causing all subsequent I/O to the disk to be encrypted.&lt;br /&gt;
There are some gaps in the current flow.  E.g., it is not very transparent to end users; only one key can be used at a time and there is no way users can change the encryption key.  This flow is very tightly integrated with OpenStack components.  This is good for users of those OpenStack components, but there are cases where, e.g., users want to use a non-OpenStack KMS.   As well, the current volume encryption implementation focus mostly on Linux based VMs with little support for Windows VMs.  On-premise KMS (vs cloud-based KMS) is another use case which is not covered in the current flow.&lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
Marshal is a new service/tool in the OpenStack community aimed at filling the above-mentioned gaps; it approaches volume encryption in a new way.  Marshal is an agent service running inside guest virtual machines (VMs), which will be responsible for securely fetching encryption keys from the KMS (e.g., Barbican).  This agent will interface with the disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.  In the case of Linux VMs, this agent will be interfacing with dm-crypt and for Microsoft VMs, it will be interfacing with Bit-locker.   The Marshal agent provides an abstraction service and can be integrated with other encryption subsystem if needed.   The agent will read keys from the KMS – storing them only in temporary/volatile storage – then forgets the keys immediately after providing them as needed to the disk encryption subsystem.&lt;br /&gt;
The foreseen benefits of this approach are outlined below under the “Benefits” section.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by Marshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
# In very basic user will provide the key id using Cloud-Config Scripting. Key id will be stored in certain location of the new VM to be consumed by Marshal agent. &lt;br /&gt;
# User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM using Customization Script Source. This KAT will be stored in VM temporary directory for consumed by Marshal. This approach need some enhancement in Barbican.&lt;br /&gt;
# User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id. Marshal will pick the key info from volume meta-data while configuration.&lt;br /&gt;
&lt;br /&gt;
User will use command provided by Marshal agent to configure disk encryption. User will get ability to encrypt &lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# KMS interface for Applications.&lt;br /&gt;
# KMS interface and key injection for containers. &lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
# Encryption agent for IoT devices.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  Access Ticket (KAT) to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Use of generic image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Use of deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;TDB&amp;gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=93834</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=93834"/>
				<updated>2015-10-21T16:19:58Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Contributors==&lt;br /&gt;
Arvind Tiwari (atiwari)&lt;br /&gt;
Dave McCowan (dave-mccowam)&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
Over the last 5 years, the OpenStack community has provided support for core cloud services such as Nova, Glance, Cinder, Neutron, Keystone, and Barbican.  These core services provide the fundamental features for most OpenStack deployments.  The community has also also done a great job, providing support services such as Heat, Horizon, Ceilometer, and Monasca, which helps cloud providers and consumers to interact with and manage cloud resources.  &lt;br /&gt;
One area which has not received as much attention is the area of volume encryption.  The import of data security is evident now more than ever.  With scrutiny of OpenStack’s current volume encryption offering, it has become apparent that large gaps exist and this is an area deserving of more attention.   Project Marshal is a new initiative in the community aimed at addressing those gaps, and improving overall data security within the OpenStack platform.&lt;br /&gt;
&lt;br /&gt;
==Recent Evolution Of OpenStack Volume Encryption==&lt;br /&gt;
Recently, OpenStack Barbican has evolved from a key storage facility to more of a key management facility.  It has received many useful features and some are still in the pipeline, but it is still not used in handling many of the desired volume encryption use cases.  In the current flow of volume encryption, when a user chooses to create an encrypted volume using the Cinder API, an associated encryption key will be created in Barbican.  A key reference is stored in Cinder along with the disk metadata.  The key is later retrieved by Nova from Barbican and provided to the disk encryption subsystem (eg, dm-crypt) while attaching the disk to VM, causing all subsequent I/O to the disk to be encrypted.&lt;br /&gt;
There are some gaps in the current flow.  E.g., it is not very transparent to end users; only one key can be used at a time and there is no way users can change the encryption key.  This flow is very tightly integrated with OpenStack components.  This is good for users of those OpenStack components, but there are cases where, e.g., users want to use a non-OpenStack KMS.   As well, the current volume encryption implementation focus mostly on Linux based VMs with little support for Windows VMs.  On-premise KMS (vs cloud-based KMS) is another use case which is not covered in the current flow.&lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
Marshal is a new service/tool in the OpenStack community aimed at filling the above-mentioned gaps; it approaches volume encryption in a new way.  Marshal is an agent service running inside guest virtual machines (VMs), which will be responsible for securely fetching encryption keys from the KMS (e.g., Barbican).  This agent will interface with the disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.  In the case of Linux VMs, this agent will be interfacing with dm-crypt and for Microsoft VMs, it will be interfacing with Bit-locker.   The Marshal agent provides an abstraction service and can be integrated with other encryption subsystem if needed.   The agent will read keys from the KMS – storing them only in temporary/volatile storage – then forgets the keys immediately after providing them as needed to the disk encryption subsystem.&lt;br /&gt;
The foreseen benefits of this approach are outlined below under the “Benefits” section.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by Marshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
# In very basic user will provide the key id using Cloud-Config Scripting. Key id will be stored in certain location of the new VM to be consumed by Marshal agent. &lt;br /&gt;
# User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM using Customization Script Source. This KAT will be stored in VM temporary directory for consumed by Marshal. This approach need some enhancement in Barbican.&lt;br /&gt;
# User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id. Marshal will pick the key info from volume meta-data while configuration.&lt;br /&gt;
&lt;br /&gt;
User will use command provided by Marshal agent to configure disk encryption. User will get ability to encrypt &lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# KMS interface for Applications.&lt;br /&gt;
# KMS interface and key injection for containers. &lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
# Encryption agent for IoT devices.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  Access Ticket (KAT) to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Use of generic image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Use of deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;TDB&amp;gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=92581</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=92581"/>
				<updated>2015-10-14T20:57:22Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Roadmap */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the last 5 years, the OpenStack community has provided support for core cloud services such as Nova, Glance, Cinder, Neutron, Keystone, and Barbican.  These core services provide the fundamental features for most OpenStack deployments.  The community has also also done a great job, providing support services such as Heat, Horizon, Ceilometer, and Monasca, which helps cloud providers and consumers to interact with and manage cloud resources.  &lt;br /&gt;
One area which has not received as much attention is the area of volume encryption.  The import of data security is evident now more than ever.  With scrutiny of OpenStack’s current volume encryption offering, it has become apparent that large gaps exist and this is an area deserving of more attention.   Project Marshal is a new initiative in the community aimed at addressing those gaps, and improving overall data security within the OpenStack platform.&lt;br /&gt;
&lt;br /&gt;
==Recent Evolution Of OpenStack Volume Encryption==&lt;br /&gt;
Recently, OpenStack Barbican has evolved from a key storage facility to more of a key management facility.  It has received many useful features and some are still in the pipeline, but it is still not used in handling many of the desired volume encryption use cases.  In the current flow of volume encryption, when a user chooses to create an encrypted volume using the Cinder API, an associated encryption key will be created in Barbican.  A key reference is stored in Cinder along with the disk metadata.  The key is later retrieved by Nova from Barbican and provided to the disk encryption subsystem (eg, dm-crypt) while attaching the disk to VM, causing all subsequent I/O to the disk to be encrypted.&lt;br /&gt;
There are some gaps in the current flow.  E.g., it is not very transparent to end users; only one key can be used at a time and there is no way users can change the encryption key.  This flow is very tightly integrated with OpenStack components.  This is good for users of those OpenStack components, but there are cases where, e.g., users want to use a non-OpenStack KMS.   As well, the current volume encryption implementation focus mostly on Linux based VMs with little support for Windows VMs.  On-premise KMS (vs cloud-based KMS) is another use case which is not covered in the current flow.&lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
Marshal is a new service/tool in the OpenStack community aimed at filling the above-mentioned gaps; it approaches volume encryption in a new way.  Marshal is an agent service running inside guest virtual machines (VMs), which will be responsible for securely fetching encryption keys from the KMS (e.g., Barbican).  This agent will interface with the disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.  In the case of Linux VMs, this agent will be interfacing with dm-crypt and for Microsoft VMs, it will be interfacing with Bit-locker.   The Marshal agent provides an abstraction service and can be integrated with other encryption subsystem if needed.   The agent will read keys from the KMS – storing them only in temporary/volatile storage – then forgets the keys immediately after providing them as needed to the disk encryption subsystem.&lt;br /&gt;
The foreseen benefits of this approach are outlined below under the “Benefits” section.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by Marshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
# In very basic user will provide the key id using Cloud-Config Scripting. Key id will be stored in certain location of the new VM to be consumed by Marshal agent. &lt;br /&gt;
# User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM using Customization Script Source. This KAT will be stored in VM temporary directory for consumed by Marshal. This approach need some enhancement in Barbican.&lt;br /&gt;
# User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id. Marshal will pick the key info from volume meta-data while configuration.&lt;br /&gt;
&lt;br /&gt;
User will use command provided by Marshal agent to configure disk encryption. User will get ability to encrypt &lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# KMS interface for Applications.&lt;br /&gt;
# KMS interface and key injection for containers. &lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
# Encryption agent for IoT devices.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  Access Ticket (KAT) to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Use of generic image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Use of deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;TDB&amp;gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=92580</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=92580"/>
				<updated>2015-10-14T20:55:03Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Roadmap */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the last 5 years, the OpenStack community has provided support for core cloud services such as Nova, Glance, Cinder, Neutron, Keystone, and Barbican.  These core services provide the fundamental features for most OpenStack deployments.  The community has also also done a great job, providing support services such as Heat, Horizon, Ceilometer, and Monasca, which helps cloud providers and consumers to interact with and manage cloud resources.  &lt;br /&gt;
One area which has not received as much attention is the area of volume encryption.  The import of data security is evident now more than ever.  With scrutiny of OpenStack’s current volume encryption offering, it has become apparent that large gaps exist and this is an area deserving of more attention.   Project Marshal is a new initiative in the community aimed at addressing those gaps, and improving overall data security within the OpenStack platform.&lt;br /&gt;
&lt;br /&gt;
==Recent Evolution Of OpenStack Volume Encryption==&lt;br /&gt;
Recently, OpenStack Barbican has evolved from a key storage facility to more of a key management facility.  It has received many useful features and some are still in the pipeline, but it is still not used in handling many of the desired volume encryption use cases.  In the current flow of volume encryption, when a user chooses to create an encrypted volume using the Cinder API, an associated encryption key will be created in Barbican.  A key reference is stored in Cinder along with the disk metadata.  The key is later retrieved by Nova from Barbican and provided to the disk encryption subsystem (eg, dm-crypt) while attaching the disk to VM, causing all subsequent I/O to the disk to be encrypted.&lt;br /&gt;
There are some gaps in the current flow.  E.g., it is not very transparent to end users; only one key can be used at a time and there is no way users can change the encryption key.  This flow is very tightly integrated with OpenStack components.  This is good for users of those OpenStack components, but there are cases where, e.g., users want to use a non-OpenStack KMS.   As well, the current volume encryption implementation focus mostly on Linux based VMs with little support for Windows VMs.  On-premise KMS (vs cloud-based KMS) is another use case which is not covered in the current flow.&lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
Marshal is a new service/tool in the OpenStack community aimed at filling the above-mentioned gaps; it approaches volume encryption in a new way.  Marshal is an agent service running inside guest virtual machines (VMs), which will be responsible for securely fetching encryption keys from the KMS (e.g., Barbican).  This agent will interface with the disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.  In the case of Linux VMs, this agent will be interfacing with dm-crypt and for Microsoft VMs, it will be interfacing with Bit-locker.   The Marshal agent provides an abstraction service and can be integrated with other encryption subsystem if needed.   The agent will read keys from the KMS – storing them only in temporary/volatile storage – then forgets the keys immediately after providing them as needed to the disk encryption subsystem.&lt;br /&gt;
The foreseen benefits of this approach are outlined below under the “Benefits” section.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by Marshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
# In very basic user will provide the key id using Cloud-Config Scripting. Key id will be stored in certain location of the new VM to be consumed by Marshal agent. &lt;br /&gt;
# User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM using Customization Script Source. This KAT will be stored in VM temporary directory for consumed by Marshal. This approach need some enhancement in Barbican.&lt;br /&gt;
# User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id. Marshal will pick the key info from volume meta-data while configuration.&lt;br /&gt;
&lt;br /&gt;
User will use command provided by Marshal agent to configure disk encryption. User will get ability to encrypt &lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# Key interface for containers. &lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
# Containers Integration.&lt;br /&gt;
# Encryption agent for IoT device.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  Access Ticket (KAT) to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Use of generic image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Use of deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;TDB&amp;gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=91732</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=91732"/>
				<updated>2015-10-05T16:01:35Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* How to inject agent in the VM */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the last 5 years, the OpenStack community has provided support for core cloud services such as Nova, Glance, Cinder, Neutron, Keystone, and Barbican.  These core services provide the fundamental features for most OpenStack deployments.  The community has also also done a great job, providing support services such as Heat, Horizon, Ceilometer, and Monasca, which helps cloud providers and consumers to interact with and manage cloud resources.  &lt;br /&gt;
One area which has not received as much attention is the area of volume encryption.  The import of data security is evident now more than ever.  With scrutiny of OpenStack’s current volume encryption offering, it has become apparent that large gaps exist and this is an area deserving of more attention.   Project Marshal is a new initiative in the community aimed at addressing those gaps, and improving overall data security within the OpenStack platform.&lt;br /&gt;
&lt;br /&gt;
==Recent Evolution Of OpenStack Volume Encryption==&lt;br /&gt;
Recently, OpenStack Barbican has evolved from a key storage facility to more of a key management facility.  It has received many useful features and some are still in the pipeline, but it is still not used in handling many of the desired volume encryption use cases.  In the current flow of volume encryption, when a user chooses to create an encrypted volume using the Cinder API, an associated encryption key will be created in Barbican.  A key reference is stored in Cinder along with the disk metadata.  The key is later retrieved by Nova from Barbican and provided to the disk encryption subsystem (eg, dm-crypt) while attaching the disk to VM, causing all subsequent I/O to the disk to be encrypted.&lt;br /&gt;
There are some gaps in the current flow.  E.g., it is not very transparent to end users; only one key can be used at a time and there is no way users can change the encryption key.  This flow is very tightly integrated with OpenStack components.  This is good for users of those OpenStack components, but there are cases where, e.g., users want to use a non-OpenStack KMS.   As well, the current volume encryption implementation focus mostly on Linux based VMs with little support for Windows VMs.  On-premise KMS (vs cloud-based KMS) is another use case which is not covered in the current flow.&lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
Marshal is a new service/tool in the OpenStack community aimed at filling the above-mentioned gaps; it approaches volume encryption in a new way.  Marshal is an agent service running inside guest virtual machines (VMs), which will be responsible for securely fetching encryption keys from the KMS (e.g., Barbican).  This agent will interface with the disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.  In the case of Linux VMs, this agent will be interfacing with dm-crypt and for Microsoft VMs, it will be interfacing with Bit-locker.   The Marshal agent provides an abstraction service and can be integrated with other encryption subsystem if needed.   The agent will read keys from the KMS – storing them only in temporary/volatile storage – then forgets the keys immediately after providing them as needed to the disk encryption subsystem.&lt;br /&gt;
The foreseen benefits of this approach are outlined below under the “Benefits” section.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by Marshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
# In very basic user will provide the key id using Cloud-Config Scripting. Key id will be stored in certain location of the new VM to be consumed by Marshal agent. &lt;br /&gt;
# User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM using Customization Script Source. This KAT will be stored in VM temporary directory for consumed by Marshal. This approach need some enhancement in Barbican.&lt;br /&gt;
# User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id. Marshal will pick the key info from volume meta-data while configuration.&lt;br /&gt;
&lt;br /&gt;
User will use command provided by Marshal agent to configure disk encryption. User will get ability to encrypt &lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# Key interface for containers. &lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  Access Ticket (KAT) to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Use of generic image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Use of deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;TDB&amp;gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=91731</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=91731"/>
				<updated>2015-10-05T16:00:22Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Roadmap */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the last 5 years, the OpenStack community has provided support for core cloud services such as Nova, Glance, Cinder, Neutron, Keystone, and Barbican.  These core services provide the fundamental features for most OpenStack deployments.  The community has also also done a great job, providing support services such as Heat, Horizon, Ceilometer, and Monasca, which helps cloud providers and consumers to interact with and manage cloud resources.  &lt;br /&gt;
One area which has not received as much attention is the area of volume encryption.  The import of data security is evident now more than ever.  With scrutiny of OpenStack’s current volume encryption offering, it has become apparent that large gaps exist and this is an area deserving of more attention.   Project Marshal is a new initiative in the community aimed at addressing those gaps, and improving overall data security within the OpenStack platform.&lt;br /&gt;
&lt;br /&gt;
==Recent Evolution Of OpenStack Volume Encryption==&lt;br /&gt;
Recently, OpenStack Barbican has evolved from a key storage facility to more of a key management facility.  It has received many useful features and some are still in the pipeline, but it is still not used in handling many of the desired volume encryption use cases.  In the current flow of volume encryption, when a user chooses to create an encrypted volume using the Cinder API, an associated encryption key will be created in Barbican.  A key reference is stored in Cinder along with the disk metadata.  The key is later retrieved by Nova from Barbican and provided to the disk encryption subsystem (eg, dm-crypt) while attaching the disk to VM, causing all subsequent I/O to the disk to be encrypted.&lt;br /&gt;
There are some gaps in the current flow.  E.g., it is not very transparent to end users; only one key can be used at a time and there is no way users can change the encryption key.  This flow is very tightly integrated with OpenStack components.  This is good for users of those OpenStack components, but there are cases where, e.g., users want to use a non-OpenStack KMS.   As well, the current volume encryption implementation focus mostly on Linux based VMs with little support for Windows VMs.  On-premise KMS (vs cloud-based KMS) is another use case which is not covered in the current flow.&lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
Marshal is a new service/tool in the OpenStack community aimed at filling the above-mentioned gaps; it approaches volume encryption in a new way.  Marshal is an agent service running inside guest virtual machines (VMs), which will be responsible for securely fetching encryption keys from the KMS (e.g., Barbican).  This agent will interface with the disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.  In the case of Linux VMs, this agent will be interfacing with dm-crypt and for Microsoft VMs, it will be interfacing with Bit-locker.   The Marshal agent provides an abstraction service and can be integrated with other encryption subsystem if needed.   The agent will read keys from the KMS – storing them only in temporary/volatile storage – then forgets the keys immediately after providing them as needed to the disk encryption subsystem.&lt;br /&gt;
The foreseen benefits of this approach are outlined below under the “Benefits” section.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by Marshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
# In very basic user will provide the key id using Cloud-Config Scripting. Key id will be stored in certain location of the new VM to be consumed by Marshal agent. &lt;br /&gt;
# User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM using Customization Script Source. This KAT will be stored in VM temporary directory for consumed by Marshal. This approach need some enhancement in Barbican.&lt;br /&gt;
# User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id. Marshal will pick the key info from volume meta-data while configuration.&lt;br /&gt;
&lt;br /&gt;
User will use command provided by Marshal agent to configure disk encryption. User will get ability to encrypt &lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# Key interface for containers. &lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  Access Ticket (KAT) to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;TDB&amp;gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=91730</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=91730"/>
				<updated>2015-10-05T15:54:15Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Introduction */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the last 5 years, the OpenStack community has provided support for core cloud services such as Nova, Glance, Cinder, Neutron, Keystone, and Barbican.  These core services provide the fundamental features for most OpenStack deployments.  The community has also also done a great job, providing support services such as Heat, Horizon, Ceilometer, and Monasca, which helps cloud providers and consumers to interact with and manage cloud resources.  &lt;br /&gt;
One area which has not received as much attention is the area of volume encryption.  The import of data security is evident now more than ever.  With scrutiny of OpenStack’s current volume encryption offering, it has become apparent that large gaps exist and this is an area deserving of more attention.   Project Marshal is a new initiative in the community aimed at addressing those gaps, and improving overall data security within the OpenStack platform.&lt;br /&gt;
&lt;br /&gt;
==Recent Evolution Of OpenStack Volume Encryption==&lt;br /&gt;
Recently, OpenStack Barbican has evolved from a key storage facility to more of a key management facility.  It has received many useful features and some are still in the pipeline, but it is still not used in handling many of the desired volume encryption use cases.  In the current flow of volume encryption, when a user chooses to create an encrypted volume using the Cinder API, an associated encryption key will be created in Barbican.  A key reference is stored in Cinder along with the disk metadata.  The key is later retrieved by Nova from Barbican and provided to the disk encryption subsystem (eg, dm-crypt) while attaching the disk to VM, causing all subsequent I/O to the disk to be encrypted.&lt;br /&gt;
There are some gaps in the current flow.  E.g., it is not very transparent to end users; only one key can be used at a time and there is no way users can change the encryption key.  This flow is very tightly integrated with OpenStack components.  This is good for users of those OpenStack components, but there are cases where, e.g., users want to use a non-OpenStack KMS.   As well, the current volume encryption implementation focus mostly on Linux based VMs with little support for Windows VMs.  On-premise KMS (vs cloud-based KMS) is another use case which is not covered in the current flow.&lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
Marshal is a new service/tool in the OpenStack community aimed at filling the above-mentioned gaps; it approaches volume encryption in a new way.  Marshal is an agent service running inside guest virtual machines (VMs), which will be responsible for securely fetching encryption keys from the KMS (e.g., Barbican).  This agent will interface with the disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.  In the case of Linux VMs, this agent will be interfacing with dm-crypt and for Microsoft VMs, it will be interfacing with Bit-locker.   The Marshal agent provides an abstraction service and can be integrated with other encryption subsystem if needed.   The agent will read keys from the KMS – storing them only in temporary/volatile storage – then forgets the keys immediately after providing them as needed to the disk encryption subsystem.&lt;br /&gt;
The foreseen benefits of this approach are outlined below under the “Benefits” section.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by Marshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
# In very basic user will provide the key id using Cloud-Config Scripting. Key id will be stored in certain location of the new VM to be consumed by Marshal agent. &lt;br /&gt;
# User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM using Customization Script Source. This KAT will be stored in VM temporary directory for consumed by Marshal. This approach need some enhancement in Barbican.&lt;br /&gt;
# User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id. Marshal will pick the key info from volume meta-data while configuration.&lt;br /&gt;
&lt;br /&gt;
User will use command provided by Marshal agent to configure disk encryption. User will get ability to encrypt &lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  Access Ticket (KAT) to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;TDB&amp;gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=90690</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=90690"/>
				<updated>2015-09-21T18:42:54Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the last 5 years, the OpenStack community has provided support for core cloud services such as Nova, Glance, Cinder, Neutron, Keystone, and Barbican.  These core services provide the fundamental features for most OpenStack deployments.  The community has also provided cloud support services such as Heat, Horizon, Ceilometer, and Monasca, which helps cloud providers and consumers to interact with and manage cloud resources.  &lt;br /&gt;
One area which has not received as much attention is the area of volume encryption.  The import of data security is evident now more than ever.  With scrutiny of OpenStack’s current volume encryption offering, it has become apparent that large gaps exist and this is an area deserving of more attention.   Project Marshal is a new initiative in the community aimed at addressing those gaps, and improving overall data security within the OpenStack platform.  &lt;br /&gt;
&lt;br /&gt;
==Recent Evolution Of OpenStack Volume Encryption==&lt;br /&gt;
Recently, OpenStack Barbican has evolved from a key storage facility to more of a key management facility.  It has received many useful features and some are still in the pipeline, but it is still not used in handling many of the desired volume encryption use cases.  In the current flow of volume encryption, when a user chooses to create an encrypted volume using the Cinder API, an associated encryption key will be created in Barbican.  A key reference is stored in Cinder along with the disk metadata.  The key is later retrieved by Nova from Barbican and provided to the disk encryption subsystem (eg, dm-crypt) while attaching the disk to VM, causing all subsequent I/O to the disk to be encrypted.&lt;br /&gt;
There are some gaps in the current flow.  E.g., it is not very transparent to end users; only one key can be used at a time and there is no way users can change the encryption key.  This flow is very tightly integrated with OpenStack components.  This is good for users of those OpenStack components, but there are cases where, e.g., users want to use a non-OpenStack KMS.   As well, the current volume encryption implementation focus mostly on Linux based VMs with little support for Windows VMs.  On-premise KMS (vs cloud-based KMS) is another use case which is not covered in the current flow.&lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
Marshal is a new service/tool in the OpenStack community aimed at filling the above-mentioned gaps; it approaches volume encryption in a new way.  Marshal is an agent service running inside guest virtual machines (VMs), which will be responsible for securely fetching encryption keys from the KMS (e.g., Barbican).  This agent will interface with the disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.  In the case of Linux VMs, this agent will be interfacing with dm-crypt and for Microsoft VMs, it will be interfacing with Bit-locker.   The Marshal agent provides an abstraction service and can be integrated with other encryption subsystem if needed.   The agent will read keys from the KMS – storing them only in temporary/volatile storage – then forgets the keys immediately after providing them as needed to the disk encryption subsystem.&lt;br /&gt;
The foreseen benefits of this approach are outlined below under the “Benefits” section.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by Marshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
# In very basic user will provide the key id using Cloud-Config Scripting. Key id will be stored in certain location of the new VM to be consumed by Marshal agent. &lt;br /&gt;
# User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM using Customization Script Source. This KAT will be stored in VM temporary directory for consumed by Marshal. This approach need some enhancement in Barbican.&lt;br /&gt;
# User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id. Marshal will pick the key info from volume meta-data while configuration.&lt;br /&gt;
&lt;br /&gt;
User will use command provided by Marshal agent to configure disk encryption. User will get ability to encrypt &lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  Access Ticket (KAT) to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;TDB&amp;gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Inter_Cloud_Resource_Federation&amp;diff=90008</id>
		<title>Inter Cloud Resource Federation</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Inter_Cloud_Resource_Federation&amp;diff=90008"/>
				<updated>2015-09-11T11:53:34Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Intercloud Resource Federation ('''Alliance''')=&lt;br /&gt;
&lt;br /&gt;
===Arvind Tiwari===&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Cloud based services are a growing business trend in the IT industry, where service providers establish cloud and offer computing resources (Infrastructure, Platform and Software) to consumers. Consumers often require computing resources across multiple regions, to address their application needs. Single cloud provider may not be able to address such requests due to lack of presence or capacity in multiple regions.  This blueprint proposes a solution to address this concern by introducing a concept of InterCloud Resource Federation (a.k.a. Alliance). Using this technical approach multiple cloud entities can work in alliance to form a bigger cloud entity with massive resource capacities.&lt;br /&gt;
&lt;br /&gt;
= Problem =&lt;br /&gt;
This blueprint is trying to address following problems&lt;br /&gt;
&lt;br /&gt;
=== Multi Region Capability ===&lt;br /&gt;
Enterprises are adopting cloud based service to address their growing computing workload and they often want resources across multiple regions. These regions sometimes span across multiple geographical boundaries. &lt;br /&gt;
&lt;br /&gt;
Single providers may not be able to address such requests as setting up huge cloud across multiple regions is a costly and risky investment. Providers often want to lease resources from other provider cross regions to fulfill customer computing workload.&lt;br /&gt;
&lt;br /&gt;
=== Virtual Private Cloud or Cloud Leasing ===&lt;br /&gt;
Vendors want to lease resources to other service providers or customers who want have VPC (Virtual Private Cloud). Unlike other service providers these vendors want to target large  consumers. &lt;br /&gt;
&lt;br /&gt;
Cloud service providers have idle computing resources which are not making revenue. Service provider wants to lease these resources to another provider who are in need of these resources.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Bursting ===&lt;br /&gt;
In private in-house cloud deployments, enterprises want to bursts into a public/separate cloud when the demand for computing capacity spikes.&lt;br /&gt;
&lt;br /&gt;
=== Joint Venture Cloud ===&lt;br /&gt;
Setting up a Cloud with massive resource capacity is time consuming and very costly venture; not everyone would like to invest in such a big venture. Business partners like to invest in  joint ventures to make a bigger cloud entity with massive resource capacities.&lt;br /&gt;
&lt;br /&gt;
=== Merger and Acquisitions ===&lt;br /&gt;
Merger of business entities are common, integration/utilization of cloud enabled computing resources of two business enterprises are troublesome due to lack of technology. An enterprise expects seamless integration of two cloud entities after merger with anticipation of effective and prompt resource utilization.&lt;br /&gt;
&lt;br /&gt;
=== Expensive Architecture ===&lt;br /&gt;
Building multi region architecture to join multiple data centers using dedicated/leased lines is costly and creates tight coupling. This solution is also not a scalable solution for incremental growth.&lt;br /&gt;
&lt;br /&gt;
= Solution =&lt;br /&gt;
OpenStack provides an open source cloud computing platform which is getting huge industry adoption for building up private/public/hybrid cloud. OpenStack based cloud deployments provide Infrastructure and Platform services capabilities to cloud providers. OpenStack inherited cloud entities are ideal candidates to work in alliances to form InterCloud Federation, as their API and Resource models are identical.&lt;br /&gt;
&lt;br /&gt;
To address these problems, a new service will be added to the OpenStack services stack which will provide “InterCloud Federation” (a.k.a. '''Alliance''') services to participating cloud entities. This service will be responsible for interconnecting multiple cloud instances and provide an abstraction layer to hide interoperability and integration complexities from the provider and end users. &lt;br /&gt;
&lt;br /&gt;
Cloud providers have to enable this service on their cloud deployments and configure the required artifacts for partner or host cloud entities.&lt;br /&gt;
&lt;br /&gt;
The picture below depicts the resource consumption flow from Host cloud to Partner cloud.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF01.jpg]]&lt;br /&gt;
&lt;br /&gt;
The picture ‘a’ (below), shows integration of multiple data centers with dedicated leased line for data replication. This architecture tightly couples the data centers and it is not cost effective. &lt;br /&gt;
&lt;br /&gt;
Picture ‘b’ portrays the interlinked cloudified data centers through Alliance service. In this model, data exchanges between the participating clouds will be happening on secured (PtoP VPN) Internet channel not on dedicated lines.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF04.jpg]]&lt;br /&gt;
&lt;br /&gt;
=Design Considerations=&lt;br /&gt;
Following are the high level design consideration and functional components of InterCloud Federation Services (a.k.a. '''Alliance'''). &lt;br /&gt;
 &lt;br /&gt;
=== Host Cloud (HC) ===&lt;br /&gt;
A cloud entity consumes resources from different cloud providers. This cloud entity plays a role of “resource consumer” in cloud federation business.&lt;br /&gt;
&lt;br /&gt;
=== Partner Cloud (PC) ===&lt;br /&gt;
Cloud instance(s) offer its services to a Host Cloud entity. These cloud entities plays a role of “resource provider” in cloud federation business.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Pairing ===&lt;br /&gt;
The pairing process is the initial step taken by two cloud providers to work in alliance. This step is required to establish trust between two cloud instances and configure required artifacts. These artifacts include cryptographic keys, cloud identifiers, region/zone information, service availability and InterCloud federation service endpoints. Alliance service endpoints are required for service discovery and inter-cloud token validations.&lt;br /&gt;
&lt;br /&gt;
The pairing process can be done manually by two cloud providers (or it can be automated). Host cloud provider has to configure artifacts for partner cloud entities and partner has to configure artifacts for host cloud(s). Cloud pairing can be bidirectional, in this case one cloud instance will be playing as host cloud in one and partner cloud on other side.&lt;br /&gt;
&lt;br /&gt;
=== InterCloud Ticket (ICT) ===&lt;br /&gt;
This ticket is used for the purpose of inter-cloud communication (e.g. Resource discovery, user token validation across clouds). This is a PKI ticket and contains data structure to hold context information required for communication. This ticket will be encrypted using partner’s (destination) public key and signed by host’s (source) private key.&lt;br /&gt;
&lt;br /&gt;
=== InterCloud Token Validation ===&lt;br /&gt;
This service is used by two participating cloud entities to validate user token which involve signature validation and ticket decryption to get the actual X-Auth-Token.  This is a part of Alliance service.&lt;br /&gt;
&lt;br /&gt;
=== Region Discovery ===&lt;br /&gt;
This is one of the services provided by ICFS to list available regions (or availability zone). Clients use this service to know what are the available regions or zones offered by a provider. Generally these are static information stored in ICFS system.&lt;br /&gt;
&lt;br /&gt;
=== Service Discovery ===&lt;br /&gt;
This service is used to discover available services in a particular region or zone offered by a partner cloud. This will provide dynamic list of available services from particular partner region.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF02.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Remote Resource Provisioning ===&lt;br /&gt;
&lt;br /&gt;
Resource provisioning is required to allocate limited resource efficiently on the (partner cloud) resource provider cloud. Provisioning is also needed to provide sense of ownership to the end user, for cloud provider (partner/host) provisioning is required to address metering aspect.&lt;br /&gt;
&lt;br /&gt;
Alliance service is responsible for provisioning remote resources. The resource provisioning will be done on local Keystone project at hosting cloud. It also maintains provisioning information in local database. The provisioning info will be used for the purpose of token generation and validation.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF06.jpg]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
In the above picture user maintains his identity at one place (host cloud) and owns resources from remote cloud(s) on a local project. This is another benefit of resource federation, where user can use a single project in host cloud to scope all the remote resources across the cloud(s).&lt;br /&gt;
&lt;br /&gt;
=== Resource Access Across Clouds ===&lt;br /&gt;
Resource access process start by getting an “X-Auth-Token” scoped (1) to local Keystone project of &amp;quot;host&amp;quot; cloud. Keystone service at HC will talk to local Alliance to get information about remote resources associated with project (2).&lt;br /&gt;
&lt;br /&gt;
As part of token response (3) client gets a service catalog containing endpoints to the remote (federated) resources. Client uses the remote resource endpoint to access the resource (4), it provides (X-Host-Cloud-Id) host cloud identifier in request header and the X-Auth-Token{hc} got from host cloud. &lt;br /&gt;
&lt;br /&gt;
Auth middle-ware protecting the resource at partner cloud intercepts the request and makes a call (5) to Keystone for token validation. Keystone delegates (6) such the token validation request to Alliance service which is not issued by it (foreign token) and have X-Host-Cloud-Id header associated.&lt;br /&gt;
 &lt;br /&gt;
Alliance uses the cloud identifier (X-Host-Cloud-Id) from the header to lookup the paired host cloud and it's peer Alliance endpoint. Using the X-Auth-Token{hc}, it forms an InterCloud Federation Ticket and uses paired Alliance endpoint to validate user token (7). &lt;br /&gt;
&lt;br /&gt;
Alliance at HC will coordinate with local Keystone to validate the token (8).  &lt;br /&gt;
&lt;br /&gt;
After successful inter-cloud token validation (9), Alliance service provide (10) the validate response to Keystone service running at PC. Keystone will caches the token in locale system and respond to middle-ware(11). Keystone will use the cached token for future token validations.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF03.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== X-Auth-Token processing=== &lt;br /&gt;
&lt;br /&gt;
Clients won't like to deal with multiple X-Auth-Tokens to access their resources across clouds (regions). &lt;br /&gt;
&lt;br /&gt;
Following are the options to solve this issue.&lt;br /&gt;
&lt;br /&gt;
====PKI tokens====&lt;br /&gt;
PKI tokens can be used by clients to access resources across clouds. There won't be inter-cloud token validation required to validate the PKI tokens.&lt;br /&gt;
PKI token are proven to be heavy, Federated Token can be a better solution.&lt;br /&gt;
&lt;br /&gt;
====Federated Tokens====&lt;br /&gt;
Instead of generating new X-Auth-Token{pc} by partner cloud, partner cloud may choose to use the same X-Auth-Token{hc} issued by host cloud. &lt;br /&gt;
&lt;br /&gt;
After successful inter-cloud token validation (as explained above) Alliance will cache the token locally and utilize the same X-Auth-Token for future communication. This option can be set as part of cloud pairing depending of level of trust between two cloud providers. &lt;br /&gt;
&lt;br /&gt;
Note: Inter-cloud token validation is one time process or can be done multiple times over the period of communication by clients.&lt;br /&gt;
&lt;br /&gt;
====Federated Tokens by Eager Propagation====&lt;br /&gt;
To support federated tokens partner cloud has to do inter-cloud token validation and cache the validate token response to make the future token validation more efficient. Another approach to solve the performance of inter-cloud token validation is to propagate the tokens to partner cloud in push mode. Host cloud will propagate token to the relevant partner using notification route.&lt;br /&gt;
&lt;br /&gt;
=== SSO Across Cloud===&lt;br /&gt;
&lt;br /&gt;
In this mode, clients chooses to use PC's identity (Keystone) endpoint to make auth token request. Client provide credentials, project_id and cloud_id to the PC's identity service. Keystone will coordinate with Alliance service to get the token from remote cloud.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF05.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== SSOut Across Cloud (or InterCloud Token Revocation) ===&lt;br /&gt;
&lt;br /&gt;
Token revocation in an important aspect to maintain the security and system integrity. In case of resource federation use case, tokens revocation become more important as an stale token can cause bigger harm specially to the resource provider clouds.&lt;br /&gt;
&lt;br /&gt;
Inter-cloud token revocation will allow token revocation across cloud, e.g. Host cloud  can initiate the token revocation for a token issued by itself or partner clouds can request/initiate the token revocation of a federated token.&lt;br /&gt;
&lt;br /&gt;
Alliance service is will be the interface between clouds to make the token revocation happen.&lt;br /&gt;
&lt;br /&gt;
=== Notification ===&lt;br /&gt;
Is part of InterCloud Federation Service and used to notify certain events (e.g. Meter, resource de-provisioning etc...) to and from participating clouds.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Issue and Concerns ==&lt;br /&gt;
&lt;br /&gt;
=== Homogeneous vs Heterogeneous Cloud Partners===&lt;br /&gt;
TBD&lt;br /&gt;
&lt;br /&gt;
=Impact=&lt;br /&gt;
&lt;br /&gt;
Following are the high level impact on existing OpenStack service &lt;br /&gt;
&lt;br /&gt;
* Keystone token management subsystem will be impacted to support endpoints for partner services. &lt;br /&gt;
* Keystone service REST API will make an extra call to Alliance service to get list of available remote services.&lt;br /&gt;
* Horizon will be enhanced to integrate with Inter Alliance Service.&lt;br /&gt;
* Other OS Services -  TBD&lt;br /&gt;
&lt;br /&gt;
=Note=&lt;br /&gt;
* This page is in &amp;quot;work in progress&amp;quot; mode.&lt;br /&gt;
* Please excuse any typographical error.&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Inter_Cloud_Resource_Federation&amp;diff=90007</id>
		<title>Inter Cloud Resource Federation</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Inter_Cloud_Resource_Federation&amp;diff=90007"/>
				<updated>2015-09-11T11:50:19Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=InterCloud Resource Federation ('''Alliance''')=&lt;br /&gt;
&lt;br /&gt;
===Arvind Tiwari===&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Cloud based services are a growing business trend in the IT industry, where service providers establish cloud and offer computing resources (Infrastructure, Platform and Software) to consumers. Consumers often require computing resources across multiple regions, to address their application needs. Single cloud provider may not be able to address such requests due to lack of presence or capacity in multiple regions.  This blueprint proposes a solution to address this concern by introducing a concept of InterCloud Resource Federation (a.k.a. Alliance). Using this technical approach multiple cloud entities can work in alliance to form a bigger cloud entity with massive resource capacities.&lt;br /&gt;
&lt;br /&gt;
= Problem =&lt;br /&gt;
This blueprint is trying to address following problems&lt;br /&gt;
&lt;br /&gt;
=== Multi Region Capability ===&lt;br /&gt;
Enterprises are adopting cloud based service to address their growing computing workload and they often want resources across multiple regions. These regions sometimes span across multiple geographical boundaries. &lt;br /&gt;
&lt;br /&gt;
Single providers may not be able to address such requests as setting up huge cloud across multiple regions is a costly and risky investment. Providers often want to lease resources from other provider cross regions to fulfill customer computing workload.&lt;br /&gt;
&lt;br /&gt;
=== Virtual Private Cloud or Cloud Leasing ===&lt;br /&gt;
Vendors want to lease resources to other service providers or customers who want have VPC (Virtual Private Cloud). Unlike other service providers these vendors want to target large  consumers. &lt;br /&gt;
&lt;br /&gt;
Cloud service providers have idle computing resources which are not making revenue. Service provider wants to lease these resources to another provider who are in need of these resources.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Bursting ===&lt;br /&gt;
In private in-house cloud deployments, enterprises want to bursts into a public/separate cloud when the demand for computing capacity spikes.&lt;br /&gt;
&lt;br /&gt;
=== Joint Venture Cloud ===&lt;br /&gt;
Setting up a Cloud with massive resource capacity is time consuming and very costly venture; not everyone would like to invest in such a big venture. Business partners like to invest in  joint ventures to make a bigger cloud entity with massive resource capacities.&lt;br /&gt;
&lt;br /&gt;
=== Merger and Acquisitions ===&lt;br /&gt;
Merger of business entities are common, integration/utilization of cloud enabled computing resources of two business enterprises are troublesome due to lack of technology. An enterprise expects seamless integration of two cloud entities after merger with anticipation of effective and prompt resource utilization.&lt;br /&gt;
&lt;br /&gt;
=== Expensive Architecture ===&lt;br /&gt;
Building multi region architecture to join multiple data centers using dedicated/leased lines is costly and creates tight coupling. This solution is also not a scalable solution for incremental growth.&lt;br /&gt;
&lt;br /&gt;
= Solution =&lt;br /&gt;
OpenStack provides an open source cloud computing platform which is getting huge industry adoption for building up private/public/hybrid cloud. OpenStack based cloud deployments provide Infrastructure and Platform services capabilities to cloud providers. OpenStack inherited cloud entities are ideal candidates to work in alliances to form InterCloud Federation, as their API and Resource models are identical.&lt;br /&gt;
&lt;br /&gt;
To address these problems, a new service will be added to the OpenStack services stack which will provide “InterCloud Federation” (a.k.a. '''Alliance''') services to participating cloud entities. This service will be responsible for interconnecting multiple cloud instances and provide an abstraction layer to hide interoperability and integration complexities from the provider and end users. &lt;br /&gt;
&lt;br /&gt;
Cloud providers have to enable this service on their cloud deployments and configure the required artifacts for partner or host cloud entities.&lt;br /&gt;
&lt;br /&gt;
The picture below depicts the resource consumption flow from Host cloud to Partner cloud.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF01.jpg]]&lt;br /&gt;
&lt;br /&gt;
The picture ‘a’ (below), shows integration of multiple data centers with dedicated leased line for data replication. This architecture tightly couples the data centers and it is not cost effective. &lt;br /&gt;
&lt;br /&gt;
Picture ‘b’ portrays the interlinked cloudified data centers through Alliance service. In this model, data exchanges between the participating clouds will be happening on secured (PtoP VPN) Internet channel not on dedicated lines.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF04.jpg]]&lt;br /&gt;
&lt;br /&gt;
=Design Considerations=&lt;br /&gt;
Following are the high level design consideration and functional components of InterCloud Federation Services (a.k.a. '''Alliance'''). &lt;br /&gt;
 &lt;br /&gt;
=== Host Cloud (HC) ===&lt;br /&gt;
A cloud entity consumes resources from different cloud providers. This cloud entity plays a role of “resource consumer” in cloud federation business.&lt;br /&gt;
&lt;br /&gt;
=== Partner Cloud (PC) ===&lt;br /&gt;
Cloud instance(s) offer its services to a Host Cloud entity. These cloud entities plays a role of “resource provider” in cloud federation business.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Pairing ===&lt;br /&gt;
The pairing process is the initial step taken by two cloud providers to work in alliance. This step is required to establish trust between two cloud instances and configure required artifacts. These artifacts include cryptographic keys, cloud identifiers, region/zone information, service availability and InterCloud federation service endpoints. Alliance service endpoints are required for service discovery and inter-cloud token validations.&lt;br /&gt;
&lt;br /&gt;
The pairing process can be done manually by two cloud providers (or it can be automated). Host cloud provider has to configure artifacts for partner cloud entities and partner has to configure artifacts for host cloud(s). Cloud pairing can be bidirectional, in this case one cloud instance will be playing as host cloud in one and partner cloud on other side.&lt;br /&gt;
&lt;br /&gt;
=== InterCloud Ticket (ICT) ===&lt;br /&gt;
This ticket is used for the purpose of inter-cloud communication (e.g. Resource discovery, user token validation across clouds). This is a PKI ticket and contains data structure to hold context information required for communication. This ticket will be encrypted using partner’s (destination) public key and signed by host’s (source) private key.&lt;br /&gt;
&lt;br /&gt;
=== InterCloud Token Validation ===&lt;br /&gt;
This service is used by two participating cloud entities to validate user token which involve signature validation and ticket decryption to get the actual X-Auth-Token.  This is a part of Alliance service.&lt;br /&gt;
&lt;br /&gt;
=== Region Discovery ===&lt;br /&gt;
This is one of the services provided by ICFS to list available regions (or availability zone). Clients use this service to know what are the available regions or zones offered by a provider. Generally these are static information stored in ICFS system.&lt;br /&gt;
&lt;br /&gt;
=== Service Discovery ===&lt;br /&gt;
This service is used to discover available services in a particular region or zone offered by a partner cloud. This will provide dynamic list of available services from particular partner region.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF02.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Remote Resource Provisioning ===&lt;br /&gt;
&lt;br /&gt;
Resource provisioning is required to allocate limited resource efficiently on the (partner cloud) resource provider cloud. Provisioning is also needed to provide sense of ownership to the end user, for cloud provider (partner/host) provisioning is required to address metering aspect.&lt;br /&gt;
&lt;br /&gt;
Alliance service is responsible for provisioning remote resources. The resource provisioning will be done on local Keystone project at hosting cloud. It also maintains provisioning information in local database. The provisioning info will be used for the purpose of token generation and validation.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF06.jpg]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
In the above picture user maintains his identity at one place (host cloud) and owns resources from remote cloud(s) on a local project. This is another benefit of resource federation, where user can use a single project in host cloud to scope all the remote resources across the cloud(s).&lt;br /&gt;
&lt;br /&gt;
=== Resource Access Across Clouds ===&lt;br /&gt;
Resource access process start by getting an “X-Auth-Token” scoped (1) to local Keystone project of &amp;quot;host&amp;quot; cloud. Keystone service at HC will talk to local Alliance to get information about remote resources associated with project (2).&lt;br /&gt;
&lt;br /&gt;
As part of token response (3) client gets a service catalog containing endpoints to the remote (federated) resources. Client uses the remote resource endpoint to access the resource (4), it provides (X-Host-Cloud-Id) host cloud identifier in request header and the X-Auth-Token{hc} got from host cloud. &lt;br /&gt;
&lt;br /&gt;
Auth middle-ware protecting the resource at partner cloud intercepts the request and makes a call (5) to Keystone for token validation. Keystone delegates (6) such the token validation request to Alliance service which is not issued by it (foreign token) and have X-Host-Cloud-Id header associated.&lt;br /&gt;
 &lt;br /&gt;
Alliance uses the cloud identifier (X-Host-Cloud-Id) from the header to lookup the paired host cloud and it's peer Alliance endpoint. Using the X-Auth-Token{hc}, it forms an InterCloud Federation Ticket and uses paired Alliance endpoint to validate user token (7). &lt;br /&gt;
&lt;br /&gt;
Alliance at HC will coordinate with local Keystone to validate the token (8).  &lt;br /&gt;
&lt;br /&gt;
After successful inter-cloud token validation (9), Alliance service provide (10) the validate response to Keystone service running at PC. Keystone will caches the token in locale system and respond to middle-ware(11). Keystone will use the cached token for future token validations.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF03.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== X-Auth-Token processing=== &lt;br /&gt;
&lt;br /&gt;
Clients won't like to deal with multiple X-Auth-Tokens to access their resources across clouds (regions). &lt;br /&gt;
&lt;br /&gt;
Following are the options to solve this issue.&lt;br /&gt;
&lt;br /&gt;
====PKI tokens====&lt;br /&gt;
PKI tokens can be used by clients to access resources across clouds. There won't be inter-cloud token validation required to validate the PKI tokens.&lt;br /&gt;
PKI token are proven to be heavy, Federated Token can be a better solution.&lt;br /&gt;
&lt;br /&gt;
====Federated Tokens====&lt;br /&gt;
Instead of generating new X-Auth-Token{pc} by partner cloud, partner cloud may choose to use the same X-Auth-Token{hc} issued by host cloud. &lt;br /&gt;
&lt;br /&gt;
After successful inter-cloud token validation (as explained above) Alliance will cache the token locally and utilize the same X-Auth-Token for future communication. This option can be set as part of cloud pairing depending of level of trust between two cloud providers. &lt;br /&gt;
&lt;br /&gt;
Note: Inter-cloud token validation is one time process or can be done multiple times over the period of communication by clients.&lt;br /&gt;
&lt;br /&gt;
====Federated Tokens by Eager Propagation====&lt;br /&gt;
To support federated tokens partner cloud has to do inter-cloud token validation and cache the validate token response to make the future token validation more efficient. Another approach to solve the performance of inter-cloud token validation is to propagate the tokens to partner cloud in push mode. Host cloud will propagate token to the relevant partner using notification route.&lt;br /&gt;
&lt;br /&gt;
=== SSO Across Cloud===&lt;br /&gt;
&lt;br /&gt;
In this mode, clients chooses to use PC's identity (Keystone) endpoint to make auth token request. Client provide credentials, project_id and cloud_id to the PC's identity service. Keystone will coordinate with Alliance service to get the token from remote cloud.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF05.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== SSOut Across Cloud (or InterCloud Token Revocation) ===&lt;br /&gt;
&lt;br /&gt;
Token revocation in an important aspect to maintain the security and system integrity. In case of resource federation use case, tokens revocation become more important as an stale token can cause bigger harm specially to the resource provider clouds.&lt;br /&gt;
&lt;br /&gt;
Inter-cloud token revocation will allow token revocation across cloud, e.g. Host cloud  can initiate the token revocation for a token issued by itself or partner clouds can request/initiate the token revocation of a federated token.&lt;br /&gt;
&lt;br /&gt;
Alliance service is will be the interface between clouds to make the token revocation happen.&lt;br /&gt;
&lt;br /&gt;
=== Notification ===&lt;br /&gt;
Is part of InterCloud Federation Service and used to notify certain events (e.g. Meter, resource de-provisioning etc...) to and from participating clouds.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Issue and Concerns ==&lt;br /&gt;
&lt;br /&gt;
=== Homogeneous vs Heterogeneous Cloud Partners===&lt;br /&gt;
TBD&lt;br /&gt;
&lt;br /&gt;
=Impact=&lt;br /&gt;
&lt;br /&gt;
Following are the high level impact on existing OpenStack service &lt;br /&gt;
&lt;br /&gt;
* Keystone token management subsystem will be impacted to support endpoints for partner services. &lt;br /&gt;
* Keystone service REST API will make an extra call to Alliance service to get list of available remote services.&lt;br /&gt;
* Horizon will be enhanced to integrate with Inter Alliance Service.&lt;br /&gt;
* Other OS Services -  TBD&lt;br /&gt;
&lt;br /&gt;
=Note=&lt;br /&gt;
* This page is in &amp;quot;work in progress&amp;quot; mode.&lt;br /&gt;
* Please excuse any typographical error.&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Inter_Cloud_Resource_Federation&amp;diff=90006</id>
		<title>Inter Cloud Resource Federation</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Inter_Cloud_Resource_Federation&amp;diff=90006"/>
				<updated>2015-09-11T11:48:55Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=InterCloud Resource Federation ('''Alliance''')=&lt;br /&gt;
&lt;br /&gt;
==== Tiwari===''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Cloud based services are a growing business trend in the IT industry, where service providers establish cloud and offer computing resources (Infrastructure, Platform and Software) to consumers. Consumers often require computing resources across multiple regions, to address their application needs. Single cloud provider may not be able to address such requests due to lack of presence or capacity in multiple regions.  This blueprint proposes a solution to address this concern by introducing a concept of InterCloud Resource Federation (a.k.a. Alliance). Using this technical approach multiple cloud entities can work in alliance to form a bigger cloud entity with massive resource capacities.&lt;br /&gt;
&lt;br /&gt;
= Problem =&lt;br /&gt;
This blueprint is trying to address following problems&lt;br /&gt;
&lt;br /&gt;
=== Multi Region Capability ===&lt;br /&gt;
Enterprises are adopting cloud based service to address their growing computing workload and they often want resources across multiple regions. These regions sometimes span across multiple geographical boundaries. &lt;br /&gt;
&lt;br /&gt;
Single providers may not be able to address such requests as setting up huge cloud across multiple regions is a costly and risky investment. Providers often want to lease resources from other provider cross regions to fulfill customer computing workload.&lt;br /&gt;
&lt;br /&gt;
=== Virtual Private Cloud or Cloud Leasing ===&lt;br /&gt;
Vendors want to lease resources to other service providers or customers who want have VPC (Virtual Private Cloud). Unlike other service providers these vendors want to target large  consumers. &lt;br /&gt;
&lt;br /&gt;
Cloud service providers have idle computing resources which are not making revenue. Service provider wants to lease these resources to another provider who are in need of these resources.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Bursting ===&lt;br /&gt;
In private in-house cloud deployments, enterprises want to bursts into a public/separate cloud when the demand for computing capacity spikes.&lt;br /&gt;
&lt;br /&gt;
=== Joint Venture Cloud ===&lt;br /&gt;
Setting up a Cloud with massive resource capacity is time consuming and very costly venture; not everyone would like to invest in such a big venture. Business partners like to invest in  joint ventures to make a bigger cloud entity with massive resource capacities.&lt;br /&gt;
&lt;br /&gt;
=== Merger and Acquisitions ===&lt;br /&gt;
Merger of business entities are common, integration/utilization of cloud enabled computing resources of two business enterprises are troublesome due to lack of technology. An enterprise expects seamless integration of two cloud entities after merger with anticipation of effective and prompt resource utilization.&lt;br /&gt;
&lt;br /&gt;
=== Expensive Architecture ===&lt;br /&gt;
Building multi region architecture to join multiple data centers using dedicated/leased lines is costly and creates tight coupling. This solution is also not a scalable solution for incremental growth.&lt;br /&gt;
&lt;br /&gt;
= Solution =&lt;br /&gt;
OpenStack provides an open source cloud computing platform which is getting huge industry adoption for building up private/public/hybrid cloud. OpenStack based cloud deployments provide Infrastructure and Platform services capabilities to cloud providers. OpenStack inherited cloud entities are ideal candidates to work in alliances to form InterCloud Federation, as their API and Resource models are identical.&lt;br /&gt;
&lt;br /&gt;
To address these problems, a new service will be added to the OpenStack services stack which will provide “InterCloud Federation” (a.k.a. '''Alliance''') services to participating cloud entities. This service will be responsible for interconnecting multiple cloud instances and provide an abstraction layer to hide interoperability and integration complexities from the provider and end users. &lt;br /&gt;
&lt;br /&gt;
Cloud providers have to enable this service on their cloud deployments and configure the required artifacts for partner or host cloud entities.&lt;br /&gt;
&lt;br /&gt;
The picture below depicts the resource consumption flow from Host cloud to Partner cloud.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF01.jpg]]&lt;br /&gt;
&lt;br /&gt;
The picture ‘a’ (below), shows integration of multiple data centers with dedicated leased line for data replication. This architecture tightly couples the data centers and it is not cost effective. &lt;br /&gt;
&lt;br /&gt;
Picture ‘b’ portrays the interlinked cloudified data centers through Alliance service. In this model, data exchanges between the participating clouds will be happening on secured (PtoP VPN) Internet channel not on dedicated lines.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF04.jpg]]&lt;br /&gt;
&lt;br /&gt;
=Design Considerations=&lt;br /&gt;
Following are the high level design consideration and functional components of InterCloud Federation Services (a.k.a. '''Alliance'''). &lt;br /&gt;
 &lt;br /&gt;
=== Host Cloud (HC) ===&lt;br /&gt;
A cloud entity consumes resources from different cloud providers. This cloud entity plays a role of “resource consumer” in cloud federation business.&lt;br /&gt;
&lt;br /&gt;
=== Partner Cloud (PC) ===&lt;br /&gt;
Cloud instance(s) offer its services to a Host Cloud entity. These cloud entities plays a role of “resource provider” in cloud federation business.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Pairing ===&lt;br /&gt;
The pairing process is the initial step taken by two cloud providers to work in alliance. This step is required to establish trust between two cloud instances and configure required artifacts. These artifacts include cryptographic keys, cloud identifiers, region/zone information, service availability and InterCloud federation service endpoints. Alliance service endpoints are required for service discovery and inter-cloud token validations.&lt;br /&gt;
&lt;br /&gt;
The pairing process can be done manually by two cloud providers (or it can be automated). Host cloud provider has to configure artifacts for partner cloud entities and partner has to configure artifacts for host cloud(s). Cloud pairing can be bidirectional, in this case one cloud instance will be playing as host cloud in one and partner cloud on other side.&lt;br /&gt;
&lt;br /&gt;
=== InterCloud Ticket (ICT) ===&lt;br /&gt;
This ticket is used for the purpose of inter-cloud communication (e.g. Resource discovery, user token validation across clouds). This is a PKI ticket and contains data structure to hold context information required for communication. This ticket will be encrypted using partner’s (destination) public key and signed by host’s (source) private key.&lt;br /&gt;
&lt;br /&gt;
=== InterCloud Token Validation ===&lt;br /&gt;
This service is used by two participating cloud entities to validate user token which involve signature validation and ticket decryption to get the actual X-Auth-Token.  This is a part of Alliance service.&lt;br /&gt;
&lt;br /&gt;
=== Region Discovery ===&lt;br /&gt;
This is one of the services provided by ICFS to list available regions (or availability zone). Clients use this service to know what are the available regions or zones offered by a provider. Generally these are static information stored in ICFS system.&lt;br /&gt;
&lt;br /&gt;
=== Service Discovery ===&lt;br /&gt;
This service is used to discover available services in a particular region or zone offered by a partner cloud. This will provide dynamic list of available services from particular partner region.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF02.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Remote Resource Provisioning ===&lt;br /&gt;
&lt;br /&gt;
Resource provisioning is required to allocate limited resource efficiently on the (partner cloud) resource provider cloud. Provisioning is also needed to provide sense of ownership to the end user, for cloud provider (partner/host) provisioning is required to address metering aspect.&lt;br /&gt;
&lt;br /&gt;
Alliance service is responsible for provisioning remote resources. The resource provisioning will be done on local Keystone project at hosting cloud. It also maintains provisioning information in local database. The provisioning info will be used for the purpose of token generation and validation.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF06.jpg]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
In the above picture user maintains his identity at one place (host cloud) and owns resources from remote cloud(s) on a local project. This is another benefit of resource federation, where user can use a single project in host cloud to scope all the remote resources across the cloud(s).&lt;br /&gt;
&lt;br /&gt;
=== Resource Access Across Clouds ===&lt;br /&gt;
Resource access process start by getting an “X-Auth-Token” scoped (1) to local Keystone project of &amp;quot;host&amp;quot; cloud. Keystone service at HC will talk to local Alliance to get information about remote resources associated with project (2).&lt;br /&gt;
&lt;br /&gt;
As part of token response (3) client gets a service catalog containing endpoints to the remote (federated) resources. Client uses the remote resource endpoint to access the resource (4), it provides (X-Host-Cloud-Id) host cloud identifier in request header and the X-Auth-Token{hc} got from host cloud. &lt;br /&gt;
&lt;br /&gt;
Auth middle-ware protecting the resource at partner cloud intercepts the request and makes a call (5) to Keystone for token validation. Keystone delegates (6) such the token validation request to Alliance service which is not issued by it (foreign token) and have X-Host-Cloud-Id header associated.&lt;br /&gt;
 &lt;br /&gt;
Alliance uses the cloud identifier (X-Host-Cloud-Id) from the header to lookup the paired host cloud and it's peer Alliance endpoint. Using the X-Auth-Token{hc}, it forms an InterCloud Federation Ticket and uses paired Alliance endpoint to validate user token (7). &lt;br /&gt;
&lt;br /&gt;
Alliance at HC will coordinate with local Keystone to validate the token (8).  &lt;br /&gt;
&lt;br /&gt;
After successful inter-cloud token validation (9), Alliance service provide (10) the validate response to Keystone service running at PC. Keystone will caches the token in locale system and respond to middle-ware(11). Keystone will use the cached token for future token validations.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF03.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== X-Auth-Token processing=== &lt;br /&gt;
&lt;br /&gt;
Clients won't like to deal with multiple X-Auth-Tokens to access their resources across clouds (regions). &lt;br /&gt;
&lt;br /&gt;
Following are the options to solve this issue.&lt;br /&gt;
&lt;br /&gt;
====PKI tokens====&lt;br /&gt;
PKI tokens can be used by clients to access resources across clouds. There won't be inter-cloud token validation required to validate the PKI tokens.&lt;br /&gt;
PKI token are proven to be heavy, Federated Token can be a better solution.&lt;br /&gt;
&lt;br /&gt;
====Federated Tokens====&lt;br /&gt;
Instead of generating new X-Auth-Token{pc} by partner cloud, partner cloud may choose to use the same X-Auth-Token{hc} issued by host cloud. &lt;br /&gt;
&lt;br /&gt;
After successful inter-cloud token validation (as explained above) Alliance will cache the token locally and utilize the same X-Auth-Token for future communication. This option can be set as part of cloud pairing depending of level of trust between two cloud providers. &lt;br /&gt;
&lt;br /&gt;
Note: Inter-cloud token validation is one time process or can be done multiple times over the period of communication by clients.&lt;br /&gt;
&lt;br /&gt;
====Federated Tokens by Eager Propagation====&lt;br /&gt;
To support federated tokens partner cloud has to do inter-cloud token validation and cache the validate token response to make the future token validation more efficient. Another approach to solve the performance of inter-cloud token validation is to propagate the tokens to partner cloud in push mode. Host cloud will propagate token to the relevant partner using notification route.&lt;br /&gt;
&lt;br /&gt;
=== SSO Across Cloud===&lt;br /&gt;
&lt;br /&gt;
In this mode, clients chooses to use PC's identity (Keystone) endpoint to make auth token request. Client provide credentials, project_id and cloud_id to the PC's identity service. Keystone will coordinate with Alliance service to get the token from remote cloud.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF05.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== SSOut Across Cloud (or InterCloud Token Revocation) ===&lt;br /&gt;
&lt;br /&gt;
Token revocation in an important aspect to maintain the security and system integrity. In case of resource federation use case, tokens revocation become more important as an stale token can cause bigger harm specially to the resource provider clouds.&lt;br /&gt;
&lt;br /&gt;
Inter-cloud token revocation will allow token revocation across cloud, e.g. Host cloud  can initiate the token revocation for a token issued by itself or partner clouds can request/initiate the token revocation of a federated token.&lt;br /&gt;
&lt;br /&gt;
Alliance service is will be the interface between clouds to make the token revocation happen.&lt;br /&gt;
&lt;br /&gt;
=== Notification ===&lt;br /&gt;
Is part of InterCloud Federation Service and used to notify certain events (e.g. Meter, resource de-provisioning etc...) to and from participating clouds.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Issue and Concerns ==&lt;br /&gt;
&lt;br /&gt;
=== Homogeneous vs Heterogeneous Cloud Partners===&lt;br /&gt;
TBD&lt;br /&gt;
&lt;br /&gt;
=Impact=&lt;br /&gt;
&lt;br /&gt;
Following are the high level impact on existing OpenStack service &lt;br /&gt;
&lt;br /&gt;
* Keystone token management subsystem will be impacted to support endpoints for partner services. &lt;br /&gt;
* Keystone service REST API will make an extra call to Alliance service to get list of available remote services.&lt;br /&gt;
* Horizon will be enhanced to integrate with Inter Alliance Service.&lt;br /&gt;
* Other OS Services -  TBD&lt;br /&gt;
&lt;br /&gt;
=Note=&lt;br /&gt;
* This page is in &amp;quot;work in progress&amp;quot; mode.&lt;br /&gt;
* Please excuse any typographical error.&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Hierarchical_administrative_boundary&amp;diff=90005</id>
		<title>Hierarchical administrative boundary</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Hierarchical_administrative_boundary&amp;diff=90005"/>
				<updated>2015-09-11T11:46:38Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
===Arvind Tiwari===&lt;br /&gt;
&lt;br /&gt;
== Abstract: ==&lt;br /&gt;
&lt;br /&gt;
In large scale OpenStack based cloud deployments, cloud provider (CP) may wants to sell their services in White Label (AKA Reseller or value-added reseller) business model. This is a symbiotic relation as CP sells its services in bulk and Reseller gets appropriate discounts.&lt;br /&gt;
&lt;br /&gt;
In such business model CP setup a &amp;quot;virtual private cloud&amp;quot; (VPS) for each Resellers on its infrastructure or hosting cloud (HC). A reseller acquires special privileges to administer its customers and resources allocated on its customer's disposal.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Requirements: ==&lt;br /&gt;
&lt;br /&gt;
=== CP perspective: ===&lt;br /&gt;
&lt;br /&gt;
# Cloud provider want to have capabilities to manage multiple Resellers accounts.&lt;br /&gt;
# Ability to spin up multiple reseller accounts on demand.&lt;br /&gt;
# Ability to administer resellers accounts including their direct resources (IAM and NON-IAM).&lt;br /&gt;
# Ability to administer sub-customers (direct customer to resellers) including their resources (IAM and NON-IAM)..&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
e.g. Cloud Provider Inc. (CPI) has large scale OpenStack based deployment and sells it services in Reseller mode.&lt;br /&gt;
&lt;br /&gt;
=== Reseller perspective: ===&lt;br /&gt;
# A reseller want to have it own realm (vpc) over CP's cloud infrastructure and expect re-branding aspects.&lt;br /&gt;
# Ability to spin up multiple accounts on behalf of my customers without interventions from CP.&lt;br /&gt;
# Ability to administer my customers without interventions from CP.&lt;br /&gt;
# Ability to administer my customers resources (IAM and NON-IAM) without interventions from CP.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
e.g. Services Provider Inc. (SPI) a service provider which sells its services to multiple customers over 3rd party cloud establishments.&lt;br /&gt;
&lt;br /&gt;
== Potential Solution: ==&lt;br /&gt;
&lt;br /&gt;
Note: The scope of this proposal is low-level, and is focused on the architectural changes limited to Identity management (Keystone) system only.&lt;br /&gt;
&lt;br /&gt;
To solve these problem, We need an ability to setup hierarchical administrative boundaries within a cloud deployment, so that multiple service providers (like SPI) can be created and have administrative privileges across domains which falls under their administrative boundary. In this model CP will be the root of the hierarchical administrative boundary.&lt;br /&gt;
&lt;br /&gt;
Keystone has concept of domains which is nothing but a notion of an administrative boundary. An admin of one domain is allowed to manage resources (Computing and non computing) within a specific domain but not across domains (provided correct policy is in place). This feature is already in place so there will be no change needed.&lt;br /&gt;
&lt;br /&gt;
We can extend the notion of domain further to establish root (parent/super) and leaf (child/sub) domain relationship, one set of root and leaf domains will define a hierarchical administrative boundary. Below diagram depicts a domain hierarchy where the root represents the cloud providers (root administrative boundary) and each levels below represents different hierarchical administrative boundaries.&lt;br /&gt;
&lt;br /&gt;
[[File:Hierarchical_administrative_boundary_1.jpg]]&lt;br /&gt;
&lt;br /&gt;
Keystone provide robust role based access control (RBAC) capabilities where roles are associated with access control rules through policy. Subjects are associated with roles scoped to a domain or projects within a domains. Keystone also support a notion of inherited roles which allows roles (mostly project) to be inherited from owning domain. We need to extend the current role inheritance model so that subject's (identity in keystone) inherited roles (project and/or domain) can be propagated down in the domain hierarchy. Diagram below shows the role inheritance propagation.&lt;br /&gt;
&lt;br /&gt;
Note: Role inheritance propagation will go downwards only but not upwards or side wise.   &lt;br /&gt;
&lt;br /&gt;
[[File:Hierarchical_administrative_boundary_2.jpg]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Cloud provider (or reseller) administrator has to scope his/her security token to a particular child domain (or a project in child domain) to acquire the inherited administrative roles. Malicious and unauthorized access to external resources will be prevented by Keystone RBAC policy enforcement. Diagram below shows how cloud admin can scope token to a project in leaf domain to manage its comuting resource.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:Hierarchical_administrative_boundary_3.jpg]]&lt;br /&gt;
&lt;br /&gt;
== Impact: ==&lt;br /&gt;
&lt;br /&gt;
Most of the changes are scoped to Keystone only, apparently there is no change required to external (Nova, Swift, ....) services.&lt;br /&gt;
&lt;br /&gt;
* Domain model need to be extended to support notion of domain hierarchy.&lt;br /&gt;
* Role subsystem will be impacted to handle hierarchical inherited roles.&lt;br /&gt;
* Role evaluation subsystem will be impacted to handle hierarchical inherited roles.&lt;br /&gt;
* Auth middle-ware and token validation has to be enhanced.&lt;br /&gt;
* Domain API will be impacted to capture the  domain hierarchy.&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Hierarchical_administrative_boundary&amp;diff=90004</id>
		<title>Hierarchical administrative boundary</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Hierarchical_administrative_boundary&amp;diff=90004"/>
				<updated>2015-09-11T11:44:41Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Hierarchical administrative boundary'''&lt;br /&gt;
&lt;br /&gt;
Arvind Tiwari&lt;br /&gt;
&lt;br /&gt;
== Abstract: ==&lt;br /&gt;
&lt;br /&gt;
In large scale OpenStack based cloud deployments, cloud provider (CP) may wants to sell their services in White Label (AKA Reseller or value-added reseller) business model. This is a symbiotic relation as CP sells its services in bulk and Reseller gets appropriate discounts.&lt;br /&gt;
&lt;br /&gt;
In such business model CP setup a &amp;quot;virtual private cloud&amp;quot; (VPS) for each Resellers on its infrastructure or hosting cloud (HC). A reseller acquires special privileges to administer its customers and resources allocated on its customer's disposal.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Requirements: ==&lt;br /&gt;
&lt;br /&gt;
=== CP perspective: ===&lt;br /&gt;
&lt;br /&gt;
# Cloud provider want to have capabilities to manage multiple Resellers accounts.&lt;br /&gt;
# Ability to spin up multiple reseller accounts on demand.&lt;br /&gt;
# Ability to administer resellers accounts including their direct resources (IAM and NON-IAM).&lt;br /&gt;
# Ability to administer sub-customers (direct customer to resellers) including their resources (IAM and NON-IAM)..&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
e.g. Cloud Provider Inc. (CPI) has large scale OpenStack based deployment and sells it services in Reseller mode.&lt;br /&gt;
&lt;br /&gt;
=== Reseller perspective: ===&lt;br /&gt;
# A reseller want to have it own realm (vpc) over CP's cloud infrastructure and expect re-branding aspects.&lt;br /&gt;
# Ability to spin up multiple accounts on behalf of my customers without interventions from CP.&lt;br /&gt;
# Ability to administer my customers without interventions from CP.&lt;br /&gt;
# Ability to administer my customers resources (IAM and NON-IAM) without interventions from CP.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
e.g. Services Provider Inc. (SPI) a service provider which sells its services to multiple customers over 3rd party cloud establishments.&lt;br /&gt;
&lt;br /&gt;
== Potential Solution: ==&lt;br /&gt;
&lt;br /&gt;
Note: The scope of this proposal is low-level, and is focused on the architectural changes limited to Identity management (Keystone) system only.&lt;br /&gt;
&lt;br /&gt;
To solve these problem, We need an ability to setup hierarchical administrative boundaries within a cloud deployment, so that multiple service providers (like SPI) can be created and have administrative privileges across domains which falls under their administrative boundary. In this model CP will be the root of the hierarchical administrative boundary.&lt;br /&gt;
&lt;br /&gt;
Keystone has concept of domains which is nothing but a notion of an administrative boundary. An admin of one domain is allowed to manage resources (Computing and non computing) within a specific domain but not across domains (provided correct policy is in place). This feature is already in place so there will be no change needed.&lt;br /&gt;
&lt;br /&gt;
We can extend the notion of domain further to establish root (parent/super) and leaf (child/sub) domain relationship, one set of root and leaf domains will define a hierarchical administrative boundary. Below diagram depicts a domain hierarchy where the root represents the cloud providers (root administrative boundary) and each levels below represents different hierarchical administrative boundaries.&lt;br /&gt;
&lt;br /&gt;
[[File:Hierarchical_administrative_boundary_1.jpg]]&lt;br /&gt;
&lt;br /&gt;
Keystone provide robust role based access control (RBAC) capabilities where roles are associated with access control rules through policy. Subjects are associated with roles scoped to a domain or projects within a domains. Keystone also support a notion of inherited roles which allows roles (mostly project) to be inherited from owning domain. We need to extend the current role inheritance model so that subject's (identity in keystone) inherited roles (project and/or domain) can be propagated down in the domain hierarchy. Diagram below shows the role inheritance propagation.&lt;br /&gt;
&lt;br /&gt;
Note: Role inheritance propagation will go downwards only but not upwards or side wise.   &lt;br /&gt;
&lt;br /&gt;
[[File:Hierarchical_administrative_boundary_2.jpg]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Cloud provider (or reseller) administrator has to scope his/her security token to a particular child domain (or a project in child domain) to acquire the inherited administrative roles. Malicious and unauthorized access to external resources will be prevented by Keystone RBAC policy enforcement. Diagram below shows how cloud admin can scope token to a project in leaf domain to manage its comuting resource.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:Hierarchical_administrative_boundary_3.jpg]]&lt;br /&gt;
&lt;br /&gt;
== Impact: ==&lt;br /&gt;
&lt;br /&gt;
Most of the changes are scoped to Keystone only, apparently there is no change required to external (Nova, Swift, ....) services.&lt;br /&gt;
&lt;br /&gt;
* Domain model need to be extended to support notion of domain hierarchy.&lt;br /&gt;
* Role subsystem will be impacted to handle hierarchical inherited roles.&lt;br /&gt;
* Role evaluation subsystem will be impacted to handle hierarchical inherited roles.&lt;br /&gt;
* Auth middle-ware and token validation has to be enhanced.&lt;br /&gt;
* Domain API will be impacted to capture the  domain hierarchy.&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88331</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88331"/>
				<updated>2015-08-19T13:23:12Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Next Steps */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by Marshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
# In very basic user will provide the key id using Cloud-Config Scripting. Key id will be stored in certain location of the new VM to be consumed by Marshal agent. &lt;br /&gt;
# User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM using Customization Script Source. This KAT will be stored in VM temporary directory for consumed by Marshal. This approach need some enhancement in Barbican.&lt;br /&gt;
# User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id. Marshal will pick the key info from volume meta-data while configuration.&lt;br /&gt;
&lt;br /&gt;
User will use command provided by Marshal agent to configure disk encryption. User will get ability to encrypt &lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  Access Ticket (KAT) to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;TDB&amp;gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88330</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88330"/>
				<updated>2015-08-19T13:22:41Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Boot VM and setup Marshal */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by Marshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
# In very basic user will provide the key id using Cloud-Config Scripting. Key id will be stored in certain location of the new VM to be consumed by Marshal agent. &lt;br /&gt;
# User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM using Customization Script Source. This KAT will be stored in VM temporary directory for consumed by Marshal. This approach need some enhancement in Barbican.&lt;br /&gt;
# User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id. Marshal will pick the key info from volume meta-data while configuration.&lt;br /&gt;
&lt;br /&gt;
User will use command provided by Marshal agent to configure disk encryption. User will get ability to encrypt &lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  Access Ticket (KAT) to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88328</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88328"/>
				<updated>2015-08-19T13:15:12Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Boot VM and setup Marshal */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by MArshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
# In very basic user will provide the key id using Cloud-Config Scripting, key id will be stored in certain location of the new VM. &lt;br /&gt;
# User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM.&lt;br /&gt;
# User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id.    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  Access Ticket (KAT) to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88327</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88327"/>
				<updated>2015-08-19T13:14:37Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Agent authentication to Barbican (or any KMS). */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by MArshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
1. In very basic user will provide the key id using Cloud-Config Scripting, key id will be stored in certain location of the new VM. &lt;br /&gt;
2. User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM.&lt;br /&gt;
3. User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id.    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  Access Ticket (KAT) to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88326</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88326"/>
				<updated>2015-08-19T13:14:07Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Agent authentication to Barbican (or any KMS). */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by MArshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
1. In very basic user will provide the key id using Cloud-Config Scripting, key id will be stored in certain location of the new VM. &lt;br /&gt;
2. User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM.&lt;br /&gt;
3. User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id.    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret Key  ticket to access the secret.&lt;br /&gt;
&lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88325</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88325"/>
				<updated>2015-08-19T13:12:33Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Challenges and Workarounds */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by MArshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
1. In very basic user will provide the key id using Cloud-Config Scripting, key id will be stored in certain location of the new VM. &lt;br /&gt;
2. User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM.&lt;br /&gt;
3. User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id.    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach along with possible workaround&lt;br /&gt;
=== Agent authentication to Barbican (or any KMS). ===&lt;br /&gt;
# Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
# Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
# Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
# Per secret license/grant ticket to access the secret.   &lt;br /&gt;
===Security of keys in transit===&lt;br /&gt;
# Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
===How to inject agent in the VM===&lt;br /&gt;
# Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88323</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88323"/>
				<updated>2015-08-19T12:42:46Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Challenges and Workarounds */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by MArshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
1. In very basic user will provide the key id using Cloud-Config Scripting, key id will be stored in certain location of the new VM. &lt;br /&gt;
2. User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM.&lt;br /&gt;
3. User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id.    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
# Agent authentication to Barbican (or any KMS).&lt;br /&gt;
* Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
* Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
* Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
* Per secret license/grant ticket to access the secret.   &lt;br /&gt;
# Security of keys in transit&lt;br /&gt;
Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
# Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
# How to inject agent in the VM&lt;br /&gt;
# Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
# Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88322</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88322"/>
				<updated>2015-08-19T12:41:17Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Roadmap */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by MArshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
1. In very basic user will provide the key id using Cloud-Config Scripting, key id will be stored in certain location of the new VM. &lt;br /&gt;
2. User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM.&lt;br /&gt;
3. User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id.    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
    * dm-crypt&lt;br /&gt;
    * bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88321</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88321"/>
				<updated>2015-08-19T12:35:32Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Roadmap */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by MArshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
1. In very basic user will provide the key id using Cloud-Config Scripting, key id will be stored in certain location of the new VM. &lt;br /&gt;
2. User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM.&lt;br /&gt;
3. User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id.    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
* dm-crypt&lt;br /&gt;
* bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88320</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88320"/>
				<updated>2015-08-19T12:35:11Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Roadmap */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by MArshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
1. In very basic user will provide the key id using Cloud-Config Scripting, key id will be stored in certain location of the new VM. &lt;br /&gt;
2. User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM.&lt;br /&gt;
3. User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id.    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
# Entire disk encryption with one key stored in KMS.&lt;br /&gt;
* # dm-crypt&lt;br /&gt;
* # bitlocker&lt;br /&gt;
# Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
# Multi key encryption support and rekey data in volume.&lt;br /&gt;
# Ability to fetch keys from on-prem KMS.&lt;br /&gt;
# LBaaS certificate monitoring&lt;br /&gt;
# Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88319</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88319"/>
				<updated>2015-08-19T12:33:07Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Boot VM and setup Marshal */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent, alternatively user can use an exiting VM. User will provide key information stored in Barbican to be used by MArshal agent, there are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
1. In very basic user will provide the key id using Cloud-Config Scripting, key id will be stored in certain location of the new VM. &lt;br /&gt;
2. User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM.&lt;br /&gt;
3. User will use a encrypted volume which he/she has created before and volume meta-data will provide the key id.    &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
1.	Entire disk encryption with one key stored in KMS.&lt;br /&gt;
1.	dm-crypt&lt;br /&gt;
2.	bitlocker&lt;br /&gt;
2.	Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
3.	Multi key encryption support and rekey data in volume.&lt;br /&gt;
4.	Ability to fetch keys from on-prem KMS.&lt;br /&gt;
5.	LBaaS certificate monitoring&lt;br /&gt;
6.	Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88283</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88283"/>
				<updated>2015-08-19T02:19:23Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Boot VM and setup Marshal */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
User would choose to boot a new VM from an image which is build with Marshal agent providing key information stored in Barbican. There are multiple way to provide keys to the new VM as below&lt;br /&gt;
&lt;br /&gt;
1. In very basic user will provide the key id using Cloud-Config Scripting, key id will be stored in certain location of the new VM. &lt;br /&gt;
2. User will generate key access ticket (KAT) for particular keys and provide the KAT to the VM.   &lt;br /&gt;
&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
1.	Entire disk encryption with one key stored in KMS.&lt;br /&gt;
1.	dm-crypt&lt;br /&gt;
2.	bitlocker&lt;br /&gt;
2.	Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
3.	Multi key encryption support and rekey data in volume.&lt;br /&gt;
4.	Ability to fetch keys from on-prem KMS.&lt;br /&gt;
5.	LBaaS certificate monitoring&lt;br /&gt;
6.	Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88266</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88266"/>
				<updated>2015-08-18T22:26:46Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Volume Creation (Plain) */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Disk creation in Cinder ===&lt;br /&gt;
Disk/Volume are managed in Cinder and user will interface with Cinder through Horizon to provision virtual disks. In the flow given below, we are creating a plain disk which means encryption key will not be created in the Barbican. I an alternative flow user will opt to create encrypted disk and key will automatically created in the Barbican. &lt;br /&gt;
&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
1.	Entire disk encryption with one key stored in KMS.&lt;br /&gt;
1.	dm-crypt&lt;br /&gt;
2.	bitlocker&lt;br /&gt;
2.	Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
3.	Multi key encryption support and rekey data in volume.&lt;br /&gt;
4.	Ability to fetch keys from on-prem KMS.&lt;br /&gt;
5.	LBaaS certificate monitoring&lt;br /&gt;
6.	Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88265</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88265"/>
				<updated>2015-08-18T22:22:08Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Key provisioning in Barbican */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
Key provisioning will be done by the user by log-in in to the Horizon dashboard and create secret. User may choose to come with his own key or he/she can order one from Barbican. Once the key is created he should define certain policy on that secret to avoid illegal access. &lt;br /&gt;
 &lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Volume Creation (Plain)===&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
1.	Entire disk encryption with one key stored in KMS.&lt;br /&gt;
1.	dm-crypt&lt;br /&gt;
2.	bitlocker&lt;br /&gt;
2.	Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
3.	Multi key encryption support and rekey data in volume.&lt;br /&gt;
4.	Ability to fetch keys from on-prem KMS.&lt;br /&gt;
5.	LBaaS certificate monitoring&lt;br /&gt;
6.	Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:SetDiskForEncryption.jpg&amp;diff=88262</id>
		<title>File:SetDiskForEncryption.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:SetDiskForEncryption.jpg&amp;diff=88262"/>
				<updated>2015-08-18T20:55:50Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: Atiwari uploaded a new version of File:SetDiskForEncryption.jpg&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:SetDiskForEncryption.jpg&amp;diff=88260</id>
		<title>File:SetDiskForEncryption.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:SetDiskForEncryption.jpg&amp;diff=88260"/>
				<updated>2015-08-18T20:50:01Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: Atiwari uploaded a new version of File:SetDiskForEncryption.jpg&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:CreateCinderDisk.jpg&amp;diff=88259</id>
		<title>File:CreateCinderDisk.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:CreateCinderDisk.jpg&amp;diff=88259"/>
				<updated>2015-08-18T20:49:03Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: Atiwari uploaded a new version of File:CreateCinderDisk.jpg&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:KeyProvisioningInBarbican.jpg&amp;diff=88258</id>
		<title>File:KeyProvisioningInBarbican.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:KeyProvisioningInBarbican.jpg&amp;diff=88258"/>
				<updated>2015-08-18T20:48:36Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: Atiwari uploaded a new version of File:KeyProvisioningInBarbican.jpg&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:KeyProvisioningInBarbican.jpg&amp;diff=88257</id>
		<title>File:KeyProvisioningInBarbican.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:KeyProvisioningInBarbican.jpg&amp;diff=88257"/>
				<updated>2015-08-18T20:45:58Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: Atiwari uploaded a new version of File:KeyProvisioningInBarbican.jpg&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:SetDiskForEncryption.jpg&amp;diff=88256</id>
		<title>File:SetDiskForEncryption.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:SetDiskForEncryption.jpg&amp;diff=88256"/>
				<updated>2015-08-18T20:41:48Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: Atiwari uploaded a new version of File:SetDiskForEncryption.jpg&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:CreateCinderDisk.jpg&amp;diff=88255</id>
		<title>File:CreateCinderDisk.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:CreateCinderDisk.jpg&amp;diff=88255"/>
				<updated>2015-08-18T20:41:25Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: Atiwari uploaded a new version of File:CreateCinderDisk.jpg&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:KeyProvisioningInBarbican.jpg&amp;diff=88254</id>
		<title>File:KeyProvisioningInBarbican.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:KeyProvisioningInBarbican.jpg&amp;diff=88254"/>
				<updated>2015-08-18T20:40:26Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: Atiwari uploaded a new version of File:KeyProvisioningInBarbican.jpg&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88253</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88253"/>
				<updated>2015-08-18T20:34:27Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Boot VM and setup Marshal */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Volume Creation (Plain)===&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
[[File:SetDiskForEncryption.jpg]]&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
1.	Entire disk encryption with one key stored in KMS.&lt;br /&gt;
1.	dm-crypt&lt;br /&gt;
2.	bitlocker&lt;br /&gt;
2.	Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
3.	Multi key encryption support and rekey data in volume.&lt;br /&gt;
4.	Ability to fetch keys from on-prem KMS.&lt;br /&gt;
5.	LBaaS certificate monitoring&lt;br /&gt;
6.	Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88252</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88252"/>
				<updated>2015-08-18T20:34:10Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Volume Creation (Plain) */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Volume Creation (Plain)===&lt;br /&gt;
[[File:CreateCinderDisk.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
1.	Entire disk encryption with one key stored in KMS.&lt;br /&gt;
1.	dm-crypt&lt;br /&gt;
2.	bitlocker&lt;br /&gt;
2.	Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
3.	Multi key encryption support and rekey data in volume.&lt;br /&gt;
4.	Ability to fetch keys from on-prem KMS.&lt;br /&gt;
5.	LBaaS certificate monitoring&lt;br /&gt;
6.	Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88251</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88251"/>
				<updated>2015-08-18T20:33:55Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Key provisioning in Barbican */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
[[File:KeyProvisioningInBarbican.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Volume Creation (Plain)===&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
1.	Entire disk encryption with one key stored in KMS.&lt;br /&gt;
1.	dm-crypt&lt;br /&gt;
2.	bitlocker&lt;br /&gt;
2.	Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
3.	Multi key encryption support and rekey data in volume.&lt;br /&gt;
4.	Ability to fetch keys from on-prem KMS.&lt;br /&gt;
5.	LBaaS certificate monitoring&lt;br /&gt;
6.	Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:SetDiskForEncryption.jpg&amp;diff=88250</id>
		<title>File:SetDiskForEncryption.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:SetDiskForEncryption.jpg&amp;diff=88250"/>
				<updated>2015-08-18T20:32:06Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:CreateCinderDisk.jpg&amp;diff=88249</id>
		<title>File:CreateCinderDisk.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:CreateCinderDisk.jpg&amp;diff=88249"/>
				<updated>2015-08-18T20:31:28Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=File:KeyProvisioningInBarbican.jpg&amp;diff=88248</id>
		<title>File:KeyProvisioningInBarbican.jpg</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=File:KeyProvisioningInBarbican.jpg&amp;diff=88248"/>
				<updated>2015-08-18T20:26:06Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88247</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88247"/>
				<updated>2015-08-18T20:24:57Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Key provisioning in Barbican */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
=== Volume Creation (Plain)===&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
1.	Entire disk encryption with one key stored in KMS.&lt;br /&gt;
1.	dm-crypt&lt;br /&gt;
2.	bitlocker&lt;br /&gt;
2.	Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
3.	Multi key encryption support and rekey data in volume.&lt;br /&gt;
4.	Ability to fetch keys from on-prem KMS.&lt;br /&gt;
5.	LBaaS certificate monitoring&lt;br /&gt;
6.	Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88246</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88246"/>
				<updated>2015-08-18T20:02:05Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&amp;lt;gallery&amp;gt;&lt;br /&gt;
Example.jpg|Caption1&lt;br /&gt;
Example.jpg|Caption2&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
=== Volume Creation (Plain)===&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
1.	Entire disk encryption with one key stored in KMS.&lt;br /&gt;
1.	dm-crypt&lt;br /&gt;
2.	bitlocker&lt;br /&gt;
2.	Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
3.	Multi key encryption support and rekey data in volume.&lt;br /&gt;
4.	Ability to fetch keys from on-prem KMS.&lt;br /&gt;
5.	LBaaS certificate monitoring&lt;br /&gt;
6.	Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88245</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88245"/>
				<updated>2015-08-18T19:58:44Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Activity Diagrams */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
=== Key provisioning in Barbican ===&lt;br /&gt;
&lt;br /&gt;
=== Volume Creation (Plain)===&lt;br /&gt;
&lt;br /&gt;
=== Boot VM and setup Marshal===&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
1.	Entire disk encryption with one key stored in KMS.&lt;br /&gt;
1.	dm-crypt&lt;br /&gt;
2.	bitlocker&lt;br /&gt;
2.	Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
3.	Multi key encryption support and rekey data in volume.&lt;br /&gt;
4.	Ability to fetch keys from on-prem KMS.&lt;br /&gt;
5.	LBaaS certificate monitoring&lt;br /&gt;
6.	Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88244</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88244"/>
				<updated>2015-08-18T19:54:29Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Introduction==&lt;br /&gt;
Over the period of last 5 years OpenStack community has provided support for core cloud (e. g. Nova, Glance, Cinder, Neutron, Keystone, Barbican etc …) services which are  mandatory for any infrastructure cloud. It has also provided supporting services (Heat, Horizon, Ceilometer, Monasca), which helps cloud providers and consumers to interact and manage cloud resources. Volume encryption is one of the areas, which still needs more attentions, as the current model has some gaps. Project Marshal is new initiative in community, which support and streamline volume encryption use cases and provide data security a rest.  &lt;br /&gt;
&lt;br /&gt;
==What is Marshal? ==&lt;br /&gt;
OpenStack Barbican has gone through long ways from key storage to key manager. We have implemented many cool features in it and some are in pipeline, but still it is not well integrated to support volume encryption use cases, which is one of the basic needs. In the current flow of volume encryption, user chooses to create an encrypted volume using cinder API, an encryption key will be created in Barbican. Key reference will be stored in Cinder with disk metadata. Key will be retrieved by Nova from the Barbican and provided to dm-crypt while attaching the disk to VM, all I/O to the disk will be encrypted.&lt;br /&gt;
&lt;br /&gt;
There are some gaps in the current flow, e.g. it is not very transparent to the end users, only one key can be used at a time and there is no way users can change the encryption keys. This flow is also very tightly integrated with OpenStack components but there are cases where users want to use their existing KMS. The current volume encryption implementation focus mostly on Linux based VM but not support for Windows VM. On-premise KMS integration is another use case, which is not, yet solves.&lt;br /&gt;
&lt;br /&gt;
Marshal is a new service (or tool) in community to fill the above-mentioned gaps; it solves the volume encryption problem with different approach. Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption key from KMS (Barbican). This agent will be interfacing with disk encryption subsystem of underlying operating system to encrypt/decrypt the disk I/O.&lt;br /&gt;
&lt;br /&gt;
In case of Linux based virtual machines this agent will be interfacing with dm-crypt and for Microsoft it will be interfacing with Bit-locker. The agent provides abstraction service and can be integrated with other encryption subsystem if needed. This agent reads key from KMS and create a temp file volatile memory, it forgets the key immediately after providing to disk encryption subsystem.&lt;br /&gt;
&lt;br /&gt;
==Activity Diagrams==&lt;br /&gt;
&lt;br /&gt;
1.	Key provisioning in Barbican&lt;br /&gt;
2.	Volume Creation (Plain)&lt;br /&gt;
3.	Boot VM and setup Marshal&lt;br /&gt;
&lt;br /&gt;
==Benefits==&lt;br /&gt;
&lt;br /&gt;
Current OpenStack volume encryption is very static in nature, only one key can be used and it won't be changed. Marshal agent can able to change the encryption keys and re-key the data. Marshal agent will provide ability to choose the keys from KMS system to be used for disk encryption. &lt;br /&gt;
OpenStack volume encryption flow is very rigidly defined, where Cinder creates key in KMS and Nova provide that key to the VM encryption subsystem. This process is mostly abstracted from users.&lt;br /&gt;
This agent will help older OpenStack deployment to integrate with Barbican (or any KMS) system to consume keys and use them for the disk encryption.&lt;br /&gt;
This agent provides abstraction and can be integrate with customer's on-prem KMS systems. It can also be integrated with HSM devises directly using Castellan, KMIP or PKCS11 interface.&lt;br /&gt;
Marshal agent will provide more flexibility to the end users by providing fine-grained control. Marshal will allow features like full disk encryption, root disk encrypt and different partitions of the disk, which is not covered in current flow.&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
1.	Entire disk encryption with one key stored in KMS.&lt;br /&gt;
1.	dm-crypt&lt;br /&gt;
2.	bitlocker&lt;br /&gt;
2.	Fine grained (root disk, individual partition) encryption support with one key.&lt;br /&gt;
3.	Multi key encryption support and rekey data in volume.&lt;br /&gt;
4.	Ability to fetch keys from on-prem KMS.&lt;br /&gt;
5.	LBaaS certificate monitoring&lt;br /&gt;
6.	Provisioning certificate from CA and installation.&lt;br /&gt;
&lt;br /&gt;
==Challenges and Workarounds==&lt;br /&gt;
Following are the challenges we are seeing in this approach &lt;br /&gt;
1.	Agent authentication to Barbican (or any KMS).&lt;br /&gt;
1.	Use of certificate based auth from Keystone, which is on the way for Liberty. Agent will be assigned a certificate in this mode.&lt;br /&gt;
2.	Use of trust (Keystone concept) to authenticate, trust will be provided to agent.&lt;br /&gt;
3.	Use per secret policy, which is in Barbican roadmap.&lt;br /&gt;
4.	Per secret license/grant ticket to access the secret.   &lt;br /&gt;
2.	Security of keys in transit&lt;br /&gt;
1.	Agent will be talking to Barbican on secured and trusted network over SSL.&lt;br /&gt;
2.	Transport keys can be used to securely fetch key from KMS. Specially when collecting keys from on-prem KMS.&lt;br /&gt;
3.	How to inject agent in the VM&lt;br /&gt;
1.	Create image (Linux/Win) with the Marshal agent.&lt;br /&gt;
2.	Provide deb/zip package&lt;br /&gt;
&lt;br /&gt;
==Next Steps==&lt;br /&gt;
&lt;br /&gt;
TDB&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88243</id>
		<title>Marshal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Marshal&amp;diff=88243"/>
				<updated>2015-08-18T19:49:13Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: Created page with &amp;quot;=Marshal=   Introduction == Heading text ==&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Marshal=&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Introduction&lt;br /&gt;
== Heading text ==&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Inter_Cloud_Resource_Federation&amp;diff=80560</id>
		<title>Inter Cloud Resource Federation</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Inter_Cloud_Resource_Federation&amp;diff=80560"/>
				<updated>2015-05-06T23:00:38Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* InterCloud Resource Federation (Alliance) */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=InterCloud Resource Federation ('''Alliance''')=&lt;br /&gt;
&lt;br /&gt;
'''Arvind Tiwari'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Cloud based services are a growing business trend in the IT industry, where service providers establish cloud and offer computing resources (Infrastructure, Platform and Software) to consumers. Consumers often require computing resources across multiple regions, to address their application needs. Single cloud provider may not be able to address such requests due to lack of presence or capacity in multiple regions.  This blueprint proposes a solution to address this concern by introducing a concept of InterCloud Resource Federation (a.k.a. Alliance). Using this technical approach multiple cloud entities can work in alliance to form a bigger cloud entity with massive resource capacities.&lt;br /&gt;
&lt;br /&gt;
= Problem =&lt;br /&gt;
This blueprint is trying to address following problems&lt;br /&gt;
&lt;br /&gt;
=== Multi Region Capability ===&lt;br /&gt;
Enterprises are adopting cloud based service to address their growing computing workload and they often want resources across multiple regions. These regions sometimes span across multiple geographical boundaries. &lt;br /&gt;
&lt;br /&gt;
Single providers may not be able to address such requests as setting up huge cloud across multiple regions is a costly and risky investment. Providers often want to lease resources from other provider cross regions to fulfill customer computing workload.&lt;br /&gt;
&lt;br /&gt;
=== Virtual Private Cloud or Cloud Leasing ===&lt;br /&gt;
Vendors want to lease resources to other service providers or customers who want have VPC (Virtual Private Cloud). Unlike other service providers these vendors want to target large  consumers. &lt;br /&gt;
&lt;br /&gt;
Cloud service providers have idle computing resources which are not making revenue. Service provider wants to lease these resources to another provider who are in need of these resources.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Bursting ===&lt;br /&gt;
In private in-house cloud deployments, enterprises want to bursts into a public/separate cloud when the demand for computing capacity spikes.&lt;br /&gt;
&lt;br /&gt;
=== Joint Venture Cloud ===&lt;br /&gt;
Setting up a Cloud with massive resource capacity is time consuming and very costly venture; not everyone would like to invest in such a big venture. Business partners like to invest in  joint ventures to make a bigger cloud entity with massive resource capacities.&lt;br /&gt;
&lt;br /&gt;
=== Merger and Acquisitions ===&lt;br /&gt;
Merger of business entities are common, integration/utilization of cloud enabled computing resources of two business enterprises are troublesome due to lack of technology. An enterprise expects seamless integration of two cloud entities after merger with anticipation of effective and prompt resource utilization.&lt;br /&gt;
&lt;br /&gt;
=== Expensive Architecture ===&lt;br /&gt;
Building multi region architecture to join multiple data centers using dedicated/leased lines is costly and creates tight coupling. This solution is also not a scalable solution for incremental growth.&lt;br /&gt;
&lt;br /&gt;
= Solution =&lt;br /&gt;
OpenStack provides an open source cloud computing platform which is getting huge industry adoption for building up private/public/hybrid cloud. OpenStack based cloud deployments provide Infrastructure and Platform services capabilities to cloud providers. OpenStack inherited cloud entities are ideal candidates to work in alliances to form InterCloud Federation, as their API and Resource models are identical.&lt;br /&gt;
&lt;br /&gt;
To address these problems, a new service will be added to the OpenStack services stack which will provide “InterCloud Federation” (a.k.a. '''Alliance''') services to participating cloud entities. This service will be responsible for interconnecting multiple cloud instances and provide an abstraction layer to hide interoperability and integration complexities from the provider and end users. &lt;br /&gt;
&lt;br /&gt;
Cloud providers have to enable this service on their cloud deployments and configure the required artifacts for partner or host cloud entities.&lt;br /&gt;
&lt;br /&gt;
The picture below depicts the resource consumption flow from Host cloud to Partner cloud.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF01.jpg]]&lt;br /&gt;
&lt;br /&gt;
The picture ‘a’ (below), shows integration of multiple data centers with dedicated leased line for data replication. This architecture tightly couples the data centers and it is not cost effective. &lt;br /&gt;
&lt;br /&gt;
Picture ‘b’ portrays the interlinked cloudified data centers through Alliance service. In this model, data exchanges between the participating clouds will be happening on secured (PtoP VPN) Internet channel not on dedicated lines.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF04.jpg]]&lt;br /&gt;
&lt;br /&gt;
=Design Considerations=&lt;br /&gt;
Following are the high level design consideration and functional components of InterCloud Federation Services (a.k.a. '''Alliance'''). &lt;br /&gt;
 &lt;br /&gt;
=== Host Cloud (HC) ===&lt;br /&gt;
A cloud entity consumes resources from different cloud providers. This cloud entity plays a role of “resource consumer” in cloud federation business.&lt;br /&gt;
&lt;br /&gt;
=== Partner Cloud (PC) ===&lt;br /&gt;
Cloud instance(s) offer its services to a Host Cloud entity. These cloud entities plays a role of “resource provider” in cloud federation business.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Pairing ===&lt;br /&gt;
The pairing process is the initial step taken by two cloud providers to work in alliance. This step is required to establish trust between two cloud instances and configure required artifacts. These artifacts include cryptographic keys, cloud identifiers, region/zone information, service availability and InterCloud federation service endpoints. Alliance service endpoints are required for service discovery and inter-cloud token validations.&lt;br /&gt;
&lt;br /&gt;
The pairing process can be done manually by two cloud providers (or it can be automated). Host cloud provider has to configure artifacts for partner cloud entities and partner has to configure artifacts for host cloud(s). Cloud pairing can be bidirectional, in this case one cloud instance will be playing as host cloud in one and partner cloud on other side.&lt;br /&gt;
&lt;br /&gt;
=== InterCloud Ticket (ICT) ===&lt;br /&gt;
This ticket is used for the purpose of inter-cloud communication (e.g. Resource discovery, user token validation across clouds). This is a PKI ticket and contains data structure to hold context information required for communication. This ticket will be encrypted using partner’s (destination) public key and signed by host’s (source) private key.&lt;br /&gt;
&lt;br /&gt;
=== InterCloud Token Validation ===&lt;br /&gt;
This service is used by two participating cloud entities to validate user token which involve signature validation and ticket decryption to get the actual X-Auth-Token.  This is a part of Alliance service.&lt;br /&gt;
&lt;br /&gt;
=== Region Discovery ===&lt;br /&gt;
This is one of the services provided by ICFS to list available regions (or availability zone). Clients use this service to know what are the available regions or zones offered by a provider. Generally these are static information stored in ICFS system.&lt;br /&gt;
&lt;br /&gt;
=== Service Discovery ===&lt;br /&gt;
This service is used to discover available services in a particular region or zone offered by a partner cloud. This will provide dynamic list of available services from particular partner region.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF02.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Remote Resource Provisioning ===&lt;br /&gt;
&lt;br /&gt;
Resource provisioning is required to allocate limited resource efficiently on the (partner cloud) resource provider cloud. Provisioning is also needed to provide sense of ownership to the end user, for cloud provider (partner/host) provisioning is required to address metering aspect.&lt;br /&gt;
&lt;br /&gt;
Alliance service is responsible for provisioning remote resources. The resource provisioning will be done on local Keystone project at hosting cloud. It also maintains provisioning information in local database. The provisioning info will be used for the purpose of token generation and validation.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF06.jpg]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
In the above picture user maintains his identity at one place (host cloud) and owns resources from remote cloud(s) on a local project. This is another benefit of resource federation, where user can use a single project in host cloud to scope all the remote resources across the cloud(s).&lt;br /&gt;
&lt;br /&gt;
=== Resource Access Across Clouds ===&lt;br /&gt;
Resource access process start by getting an “X-Auth-Token” scoped (1) to local Keystone project of &amp;quot;host&amp;quot; cloud. Keystone service at HC will talk to local Alliance to get information about remote resources associated with project (2).&lt;br /&gt;
&lt;br /&gt;
As part of token response (3) client gets a service catalog containing endpoints to the remote (federated) resources. Client uses the remote resource endpoint to access the resource (4), it provides (X-Host-Cloud-Id) host cloud identifier in request header and the X-Auth-Token{hc} got from host cloud. &lt;br /&gt;
&lt;br /&gt;
Auth middle-ware protecting the resource at partner cloud intercepts the request and makes a call (5) to Keystone for token validation. Keystone delegates (6) such the token validation request to Alliance service which is not issued by it (foreign token) and have X-Host-Cloud-Id header associated.&lt;br /&gt;
 &lt;br /&gt;
Alliance uses the cloud identifier (X-Host-Cloud-Id) from the header to lookup the paired host cloud and it's peer Alliance endpoint. Using the X-Auth-Token{hc}, it forms an InterCloud Federation Ticket and uses paired Alliance endpoint to validate user token (7). &lt;br /&gt;
&lt;br /&gt;
Alliance at HC will coordinate with local Keystone to validate the token (8).  &lt;br /&gt;
&lt;br /&gt;
After successful inter-cloud token validation (9), Alliance service provide (10) the validate response to Keystone service running at PC. Keystone will caches the token in locale system and respond to middle-ware(11). Keystone will use the cached token for future token validations.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF03.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== X-Auth-Token processing=== &lt;br /&gt;
&lt;br /&gt;
Clients won't like to deal with multiple X-Auth-Tokens to access their resources across clouds (regions). &lt;br /&gt;
&lt;br /&gt;
Following are the options to solve this issue.&lt;br /&gt;
&lt;br /&gt;
====PKI tokens====&lt;br /&gt;
PKI tokens can be used by clients to access resources across clouds. There won't be inter-cloud token validation required to validate the PKI tokens.&lt;br /&gt;
PKI token are proven to be heavy, Federated Token can be a better solution.&lt;br /&gt;
&lt;br /&gt;
====Federated Tokens====&lt;br /&gt;
Instead of generating new X-Auth-Token{pc} by partner cloud, partner cloud may choose to use the same X-Auth-Token{hc} issued by host cloud. &lt;br /&gt;
&lt;br /&gt;
After successful inter-cloud token validation (as explained above) Alliance will cache the token locally and utilize the same X-Auth-Token for future communication. This option can be set as part of cloud pairing depending of level of trust between two cloud providers. &lt;br /&gt;
&lt;br /&gt;
Note: Inter-cloud token validation is one time process or can be done multiple times over the period of communication by clients.&lt;br /&gt;
&lt;br /&gt;
====Federated Tokens by Eager Propagation====&lt;br /&gt;
To support federated tokens partner cloud has to do inter-cloud token validation and cache the validate token response to make the future token validation more efficient. Another approach to solve the performance of inter-cloud token validation is to propagate the tokens to partner cloud in push mode. Host cloud will propagate token to the relevant partner using notification route.&lt;br /&gt;
&lt;br /&gt;
=== SSO Across Cloud===&lt;br /&gt;
&lt;br /&gt;
In this mode, clients chooses to use PC's identity (Keystone) endpoint to make auth token request. Client provide credentials, project_id and cloud_id to the PC's identity service. Keystone will coordinate with Alliance service to get the token from remote cloud.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF05.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== SSOut Across Cloud (or InterCloud Token Revocation) ===&lt;br /&gt;
&lt;br /&gt;
Token revocation in an important aspect to maintain the security and system integrity. In case of resource federation use case, tokens revocation become more important as an stale token can cause bigger harm specially to the resource provider clouds.&lt;br /&gt;
&lt;br /&gt;
Inter-cloud token revocation will allow token revocation across cloud, e.g. Host cloud  can initiate the token revocation for a token issued by itself or partner clouds can request/initiate the token revocation of a federated token.&lt;br /&gt;
&lt;br /&gt;
Alliance service is will be the interface between clouds to make the token revocation happen.&lt;br /&gt;
&lt;br /&gt;
=== Notification ===&lt;br /&gt;
Is part of InterCloud Federation Service and used to notify certain events (e.g. Meter, resource de-provisioning etc...) to and from participating clouds.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Issue and Concerns ==&lt;br /&gt;
&lt;br /&gt;
=== Homogeneous vs Heterogeneous Cloud Partners===&lt;br /&gt;
TBD&lt;br /&gt;
&lt;br /&gt;
=Impact=&lt;br /&gt;
&lt;br /&gt;
Following are the high level impact on existing OpenStack service &lt;br /&gt;
&lt;br /&gt;
* Keystone token management subsystem will be impacted to support endpoints for partner services. &lt;br /&gt;
* Keystone service REST API will make an extra call to Alliance service to get list of available remote services.&lt;br /&gt;
* Horizon will be enhanced to integrate with Inter Alliance Service.&lt;br /&gt;
* Other OS Services -  TBD&lt;br /&gt;
&lt;br /&gt;
=Note=&lt;br /&gt;
* This page is in &amp;quot;work in progress&amp;quot; mode.&lt;br /&gt;
* Please excuse any typographical error.&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Inter_Cloud_Resource_Federation&amp;diff=73724</id>
		<title>Inter Cloud Resource Federation</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Inter_Cloud_Resource_Federation&amp;diff=73724"/>
				<updated>2015-02-16T17:17:28Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* InterCloud Resource Federation (Alliance) */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=InterCloud Resource Federation ('''Alliance''')=&lt;br /&gt;
&lt;br /&gt;
'''Arvind Tiwari (Cisco)'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Cloud based services are a growing business trend in the IT industry, where service providers establish cloud and offer computing resources (Infrastructure, Platform and Software) to consumers. Consumers often require computing resources across multiple regions, to address their application needs. Single cloud provider may not be able to address such requests due to lack of presence or capacity in multiple regions.  This blueprint proposes a solution to address this concern by introducing a concept of InterCloud Resource Federation (a.k.a. Alliance). Using this technical approach multiple cloud entities can work in alliance to form a bigger cloud entity with massive resource capacities.&lt;br /&gt;
&lt;br /&gt;
= Problem =&lt;br /&gt;
This blueprint is trying to address following problems&lt;br /&gt;
&lt;br /&gt;
=== Multi Region Capability ===&lt;br /&gt;
Enterprises are adopting cloud based service to address their growing computing workload and they often want resources across multiple regions. These regions sometimes span across multiple geographical boundaries. &lt;br /&gt;
&lt;br /&gt;
Single providers may not be able to address such requests as setting up huge cloud across multiple regions is a costly and risky investment. Providers often want to lease resources from other provider cross regions to fulfill customer computing workload.&lt;br /&gt;
&lt;br /&gt;
=== Virtual Private Cloud or Cloud Leasing ===&lt;br /&gt;
Vendors want to lease resources to other service providers or customers who want have VPC (Virtual Private Cloud). Unlike other service providers these vendors want to target large  consumers. &lt;br /&gt;
&lt;br /&gt;
Cloud service providers have idle computing resources which are not making revenue. Service provider wants to lease these resources to another provider who are in need of these resources.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Bursting ===&lt;br /&gt;
In private in-house cloud deployments, enterprises want to bursts into a public/separate cloud when the demand for computing capacity spikes.&lt;br /&gt;
&lt;br /&gt;
=== Joint Venture Cloud ===&lt;br /&gt;
Setting up a Cloud with massive resource capacity is time consuming and very costly venture; not everyone would like to invest in such a big venture. Business partners like to invest in  joint ventures to make a bigger cloud entity with massive resource capacities.&lt;br /&gt;
&lt;br /&gt;
=== Merger and Acquisitions ===&lt;br /&gt;
Merger of business entities are common, integration/utilization of cloud enabled computing resources of two business enterprises are troublesome due to lack of technology. An enterprise expects seamless integration of two cloud entities after merger with anticipation of effective and prompt resource utilization.&lt;br /&gt;
&lt;br /&gt;
=== Expensive Architecture ===&lt;br /&gt;
Building multi region architecture to join multiple data centers using dedicated/leased lines is costly and creates tight coupling. This solution is also not a scalable solution for incremental growth.&lt;br /&gt;
&lt;br /&gt;
= Solution =&lt;br /&gt;
OpenStack provides an open source cloud computing platform which is getting huge industry adoption for building up private/public/hybrid cloud. OpenStack based cloud deployments provide Infrastructure and Platform services capabilities to cloud providers. OpenStack inherited cloud entities are ideal candidates to work in alliances to form InterCloud Federation, as their API and Resource models are identical.&lt;br /&gt;
&lt;br /&gt;
To address these problems, a new service will be added to the OpenStack services stack which will provide “InterCloud Federation” (a.k.a. '''Alliance''') services to participating cloud entities. This service will be responsible for interconnecting multiple cloud instances and provide an abstraction layer to hide interoperability and integration complexities from the provider and end users. &lt;br /&gt;
&lt;br /&gt;
Cloud providers have to enable this service on their cloud deployments and configure the required artifacts for partner or host cloud entities.&lt;br /&gt;
&lt;br /&gt;
The picture below depicts the resource consumption flow from Host cloud to Partner cloud.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF01.jpg]]&lt;br /&gt;
&lt;br /&gt;
The picture ‘a’ (below), shows integration of multiple data centers with dedicated leased line for data replication. This architecture tightly couples the data centers and it is not cost effective. &lt;br /&gt;
&lt;br /&gt;
Picture ‘b’ portrays the interlinked cloudified data centers through Alliance service. In this model, data exchanges between the participating clouds will be happening on secured (PtoP VPN) Internet channel not on dedicated lines.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF04.jpg]]&lt;br /&gt;
&lt;br /&gt;
=Design Considerations=&lt;br /&gt;
Following are the high level design consideration and functional components of InterCloud Federation Services (a.k.a. '''Alliance'''). &lt;br /&gt;
 &lt;br /&gt;
=== Host Cloud (HC) ===&lt;br /&gt;
A cloud entity consumes resources from different cloud providers. This cloud entity plays a role of “resource consumer” in cloud federation business.&lt;br /&gt;
&lt;br /&gt;
=== Partner Cloud (PC) ===&lt;br /&gt;
Cloud instance(s) offer its services to a Host Cloud entity. These cloud entities plays a role of “resource provider” in cloud federation business.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Pairing ===&lt;br /&gt;
The pairing process is the initial step taken by two cloud providers to work in alliance. This step is required to establish trust between two cloud instances and configure required artifacts. These artifacts include cryptographic keys, cloud identifiers, region/zone information, service availability and InterCloud federation service endpoints. Alliance service endpoints are required for service discovery and inter-cloud token validations.&lt;br /&gt;
&lt;br /&gt;
The pairing process can be done manually by two cloud providers (or it can be automated). Host cloud provider has to configure artifacts for partner cloud entities and partner has to configure artifacts for host cloud(s). Cloud pairing can be bidirectional, in this case one cloud instance will be playing as host cloud in one and partner cloud on other side.&lt;br /&gt;
&lt;br /&gt;
=== InterCloud Ticket (ICT) ===&lt;br /&gt;
This ticket is used for the purpose of inter-cloud communication (e.g. Resource discovery, user token validation across clouds). This is a PKI ticket and contains data structure to hold context information required for communication. This ticket will be encrypted using partner’s (destination) public key and signed by host’s (source) private key.&lt;br /&gt;
&lt;br /&gt;
=== InterCloud Token Validation ===&lt;br /&gt;
This service is used by two participating cloud entities to validate user token which involve signature validation and ticket decryption to get the actual X-Auth-Token.  This is a part of Alliance service.&lt;br /&gt;
&lt;br /&gt;
=== Region Discovery ===&lt;br /&gt;
This is one of the services provided by ICFS to list available regions (or availability zone). Clients use this service to know what are the available regions or zones offered by a provider. Generally these are static information stored in ICFS system.&lt;br /&gt;
&lt;br /&gt;
=== Service Discovery ===&lt;br /&gt;
This service is used to discover available services in a particular region or zone offered by a partner cloud. This will provide dynamic list of available services from particular partner region.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF02.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== Remote Resource Provisioning ===&lt;br /&gt;
&lt;br /&gt;
Resource provisioning is required to allocate limited resource efficiently on the (partner cloud) resource provider cloud. Provisioning is also needed to provide sense of ownership to the end user, for cloud provider (partner/host) provisioning is required to address metering aspect.&lt;br /&gt;
&lt;br /&gt;
Alliance service is responsible for provisioning remote resources. The resource provisioning will be done on local Keystone project at hosting cloud. It also maintains provisioning information in local database. The provisioning info will be used for the purpose of token generation and validation.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF06.jpg]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
In the above picture user maintains his identity at one place (host cloud) and owns resources from remote cloud(s) on a local project. This is another benefit of resource federation, where user can use a single project in host cloud to scope all the remote resources across the cloud(s).&lt;br /&gt;
&lt;br /&gt;
=== Resource Access Across Clouds ===&lt;br /&gt;
Resource access process start by getting an “X-Auth-Token” scoped (1) to local Keystone project of &amp;quot;host&amp;quot; cloud. Keystone service at HC will talk to local Alliance to get information about remote resources associated with project (2).&lt;br /&gt;
&lt;br /&gt;
As part of token response (3) client gets a service catalog containing endpoints to the remote (federated) resources. Client uses the remote resource endpoint to access the resource (4), it provides (X-Host-Cloud-Id) host cloud identifier in request header and the X-Auth-Token{hc} got from host cloud. &lt;br /&gt;
&lt;br /&gt;
Auth middle-ware protecting the resource at partner cloud intercepts the request and makes a call (5) to Keystone for token validation. Keystone delegates (6) such the token validation request to Alliance service which is not issued by it (foreign token) and have X-Host-Cloud-Id header associated.&lt;br /&gt;
 &lt;br /&gt;
Alliance uses the cloud identifier (X-Host-Cloud-Id) from the header to lookup the paired host cloud and it's peer Alliance endpoint. Using the X-Auth-Token{hc}, it forms an InterCloud Federation Ticket and uses paired Alliance endpoint to validate user token (7). &lt;br /&gt;
&lt;br /&gt;
Alliance at HC will coordinate with local Keystone to validate the token (8).  &lt;br /&gt;
&lt;br /&gt;
After successful inter-cloud token validation (9), Alliance service provide (10) the validate response to Keystone service running at PC. Keystone will caches the token in locale system and respond to middle-ware(11). Keystone will use the cached token for future token validations.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF03.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== X-Auth-Token processing=== &lt;br /&gt;
&lt;br /&gt;
Clients won't like to deal with multiple X-Auth-Tokens to access their resources across clouds (regions). &lt;br /&gt;
&lt;br /&gt;
Following are the options to solve this issue.&lt;br /&gt;
&lt;br /&gt;
====PKI tokens====&lt;br /&gt;
PKI tokens can be used by clients to access resources across clouds. There won't be inter-cloud token validation required to validate the PKI tokens.&lt;br /&gt;
PKI token are proven to be heavy, Federated Token can be a better solution.&lt;br /&gt;
&lt;br /&gt;
====Federated Tokens====&lt;br /&gt;
Instead of generating new X-Auth-Token{pc} by partner cloud, partner cloud may choose to use the same X-Auth-Token{hc} issued by host cloud. &lt;br /&gt;
&lt;br /&gt;
After successful inter-cloud token validation (as explained above) Alliance will cache the token locally and utilize the same X-Auth-Token for future communication. This option can be set as part of cloud pairing depending of level of trust between two cloud providers. &lt;br /&gt;
&lt;br /&gt;
Note: Inter-cloud token validation is one time process or can be done multiple times over the period of communication by clients.&lt;br /&gt;
&lt;br /&gt;
====Federated Tokens by Eager Propagation====&lt;br /&gt;
To support federated tokens partner cloud has to do inter-cloud token validation and cache the validate token response to make the future token validation more efficient. Another approach to solve the performance of inter-cloud token validation is to propagate the tokens to partner cloud in push mode. Host cloud will propagate token to the relevant partner using notification route.&lt;br /&gt;
&lt;br /&gt;
=== SSO Across Cloud===&lt;br /&gt;
&lt;br /&gt;
In this mode, clients chooses to use PC's identity (Keystone) endpoint to make auth token request. Client provide credentials, project_id and cloud_id to the PC's identity service. Keystone will coordinate with Alliance service to get the token from remote cloud.&lt;br /&gt;
&lt;br /&gt;
[[File:ICRF05.jpg]]&lt;br /&gt;
&lt;br /&gt;
=== SSOut Across Cloud (or InterCloud Token Revocation) ===&lt;br /&gt;
&lt;br /&gt;
Token revocation in an important aspect to maintain the security and system integrity. In case of resource federation use case, tokens revocation become more important as an stale token can cause bigger harm specially to the resource provider clouds.&lt;br /&gt;
&lt;br /&gt;
Inter-cloud token revocation will allow token revocation across cloud, e.g. Host cloud  can initiate the token revocation for a token issued by itself or partner clouds can request/initiate the token revocation of a federated token.&lt;br /&gt;
&lt;br /&gt;
Alliance service is will be the interface between clouds to make the token revocation happen.&lt;br /&gt;
&lt;br /&gt;
=== Notification ===&lt;br /&gt;
Is part of InterCloud Federation Service and used to notify certain events (e.g. Meter, resource de-provisioning etc...) to and from participating clouds.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Issue and Concerns ==&lt;br /&gt;
&lt;br /&gt;
=== Homogeneous vs Heterogeneous Cloud Partners===&lt;br /&gt;
TBD&lt;br /&gt;
&lt;br /&gt;
=Impact=&lt;br /&gt;
&lt;br /&gt;
Following are the high level impact on existing OpenStack service &lt;br /&gt;
&lt;br /&gt;
* Keystone token management subsystem will be impacted to support endpoints for partner services. &lt;br /&gt;
* Keystone service REST API will make an extra call to Alliance service to get list of available remote services.&lt;br /&gt;
* Horizon will be enhanced to integrate with Inter Alliance Service.&lt;br /&gt;
* Other OS Services -  TBD&lt;br /&gt;
&lt;br /&gt;
=Note=&lt;br /&gt;
* This page is in &amp;quot;work in progress&amp;quot; mode.&lt;br /&gt;
* Please excuse any typographical error.&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Meetings/Barbican&amp;diff=62617</id>
		<title>Meetings/Barbican</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Meetings/Barbican&amp;diff=62617"/>
				<updated>2014-09-15T19:36:37Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Agenda */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
= Weekly Barbican Meeting =&lt;br /&gt;
&lt;br /&gt;
The [https://github.com/cloudkeep/barbican Barbican] project team holds a weekly team meeting in &amp;lt;code&amp;gt;&amp;lt;nowiki&amp;gt;#openstack-meeting-alt&amp;lt;/nowiki&amp;gt;&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
* Weekly on Mondays at [http://www.timeanddate.com/worldclock/fixedtime.html?iso=20130502T2000 2000 UTC]&lt;br /&gt;
* The blueprints that are used as a basis for the [https://launchpad.net/barbican Barbican project] can be found at https://blueprints.launchpad.net/barbican&lt;br /&gt;
* Notes for previous meetings can be found [http://eavesdrop.openstack.org/meetings/barbican here].&lt;br /&gt;
* Chair (to contact for more information): jraim (#openstack-barbican @ Freenode)&lt;br /&gt;
&lt;br /&gt;
== Agenda ==&lt;br /&gt;
* Sep 15, 2014&lt;br /&gt;
** jenkins.cloudkeep.io&lt;br /&gt;
** Metadata Storage: https://etherpad.openstack.org/p/barbican_metadata&lt;br /&gt;
** API Stability &lt;br /&gt;
** Documentation sync up with new API&lt;br /&gt;
** [https://etherpad.openstack.org/p/barbican-juno-final-roadmap Juno roadmap addition]: Refactor Barbican python client to use new Keystone auth components&lt;br /&gt;
** Various additions made to the [https://etherpad.openstack.org/p/barbican-kilo-design-sessions Kilo design etherpad].&lt;br /&gt;
** Need someone to look at https://review.openstack.org/#/c/118697/ comment from Nathan. Based on vote I made this change.&lt;br /&gt;
&lt;br /&gt;
* Sep 8, 2014&lt;br /&gt;
** Kilo Design Sessions&lt;br /&gt;
** Juno roadmap discussions: https://etherpad.openstack.org/p/barbican-juno-final-roadmap&lt;br /&gt;
* Sep 1, 2014&lt;br /&gt;
** Kilo Design Sessions&lt;br /&gt;
* Aug 25, 2014&lt;br /&gt;
** CR Sizes (jvrbanac)&lt;br /&gt;
** String interpolation in debug logging (redrobot, rellerreller)&lt;br /&gt;
** Python 3 support (rellerreller)&lt;br /&gt;
* Aug 18, 2014&lt;br /&gt;
** Juno Home Stretch (woodster)&lt;br /&gt;
* Aug 11, 2014&lt;br /&gt;
** [[Barbican/Integration|Barbican Integration]] &lt;br /&gt;
** Barbican as a Keystone service&lt;br /&gt;
* Aug 4, 2014&lt;br /&gt;
** #openstack-barbican on eavesdrop&lt;br /&gt;
* July 28, 2014&lt;br /&gt;
** Add more type in order post (https://review.openstack.org/#/c/87405/) waiting for review.&lt;br /&gt;
** Kilo conference presentation submissions&lt;br /&gt;
&lt;br /&gt;
* July 21, 2014&lt;br /&gt;
** (redrobot) Expiring Launchpad BPs after 5 days&lt;br /&gt;
&lt;br /&gt;
* July 14, 2014&lt;br /&gt;
** barbican-core nominations vote count&lt;br /&gt;
** can we plan better to make such change  https://review.openstack.org/#/c/103431?&lt;br /&gt;
** python-barbicanclient release schedule&lt;br /&gt;
&lt;br /&gt;
* June 30, 2014&lt;br /&gt;
** Mid-cycle meetup next week&lt;br /&gt;
** Keystone events blueprint&lt;br /&gt;
** (atiwari) https://review.openstack.org/#/c/98174/ (Do we need to worry about backward compatibility?)&lt;br /&gt;
&lt;br /&gt;
* June 23, 2014&lt;br /&gt;
** Mid-cycle meetup in two weeks.&lt;br /&gt;
&lt;br /&gt;
* June 16, 2014&lt;br /&gt;
** Mid-cycle meetup&lt;br /&gt;
&lt;br /&gt;
* June 9, 2014&lt;br /&gt;
** barbican-specs repo &lt;br /&gt;
** juno-1 release coming up&lt;br /&gt;
** mid-cycle meetup&lt;br /&gt;
** https://review.openstack.org/#/c/98473 (is it merge ready? kind of blocker)&lt;br /&gt;
** https://review.openstack.org/#/c/97844/ (is it merge ready?)&lt;br /&gt;
** https://review.openstack.org/#/c/98174 (is it merge ready?)&lt;br /&gt;
** Testing code pattern&lt;br /&gt;
** Any progress on eventing system (atiwari).&lt;br /&gt;
** Can tenant_id removal from uri deserve v2 api version(atiwari).&lt;br /&gt;
&lt;br /&gt;
* June 2, 2014&lt;br /&gt;
** Hacking enabled on pep8 gate&lt;br /&gt;
** New barbican-specs repository&lt;br /&gt;
** Order model changes for https://blueprints.launchpad.net/barbican/+spec/api-orders-add-more-types&lt;br /&gt;
*** New field &amp;quot;meta of type JsonBlob&amp;quot; and &amp;quot;container_id of type String&amp;quot;&lt;br /&gt;
** Meera is adding Barbican tempest tests https://blueprints.launchpad.net/tempest/+spec/add-basic-tests-for-barbican&lt;br /&gt;
*** Comments, Suggestions or disagreement?&lt;br /&gt;
&lt;br /&gt;
* May 5, 2014&lt;br /&gt;
** https://review.openstack.org/#/c/82189/ (is it merge ready?)&lt;br /&gt;
** https://review.openstack.org/#/c/88463/ (review required- API change proposal Key generation)&lt;br /&gt;
** https://review.openstack.org/#/c/81310/ (review required-  Adding target support for policy enforcement.)&lt;br /&gt;
** https://review.openstack.org/#/c/90613/ (review required- API change proposal certificate generation order)&lt;br /&gt;
**The Advanced Services Common Requirements team wanted to discuss the current status of the Barbican and its readiness to utilize the Barbican for Certificate/key generation and for storing the tenant's certificates sercurely in the system. &lt;br /&gt;
**Can we get an update or talk about this in today's meeting.&lt;br /&gt;
*** https://blueprints.launchpad.net/barbican/+spec/add-wrapping-key-to-barbican-server&lt;br /&gt;
&lt;br /&gt;
* April 28, 2014&lt;br /&gt;
** Action items:&lt;br /&gt;
*** all: Review/contribute to Malini's etherpad: https://etherpad.openstack.org/p/juno-key-manager-chapter&lt;br /&gt;
*** all: Review atiwari's CR to modify the crypto plugin interface: https://review.openstack.org/#/c/82189/&lt;br /&gt;
*** core: Consider beefing up barbican docs related to current crypto plugin operation, as prep for the OpenStack summit&lt;br /&gt;
&lt;br /&gt;
* April 7, 2014&lt;br /&gt;
** malini - update on Secuirty Guide documentation&lt;br /&gt;
** alee_/atiwari - Crypto plugin changes&lt;br /&gt;
** arunkant - Target support in barbican policy enforcement [https://blueprints.launchpad.net/barbican/+spec/policy-target-support]&lt;br /&gt;
** jraim - Support for debug mode start in barbican [https://review.openstack.org/#/c/82265/], can be merged?&lt;br /&gt;
&lt;br /&gt;
== Meeting organizers ==&lt;br /&gt;
&lt;br /&gt;
* Publish the agenda 24h in advance&lt;br /&gt;
* Mail the agenda to the list and invite participants&lt;br /&gt;
* Ask each person responsible for an action from the previous meeting to prepare a line of the form, for each action item:   . #info nickname description of the action link to the diff / mailing list thread etc. describing the implementation of the action&lt;br /&gt;
* Use http://meetbot.debian.net/Manual.html to get an automatic summary&lt;br /&gt;
* Prepare an outline for the meeting to speed things up (see http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-10-16.00.log.html for an actual example)&lt;br /&gt;
* Record decisions and commitments; review in the next meeting&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Meetings/Barbican&amp;diff=62454</id>
		<title>Meetings/Barbican</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Meetings/Barbican&amp;diff=62454"/>
				<updated>2014-09-11T15:15:30Z</updated>
		
		<summary type="html">&lt;p&gt;Atiwari: /* Agenda */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
= Weekly Barbican Meeting =&lt;br /&gt;
&lt;br /&gt;
The [https://github.com/cloudkeep/barbican Barbican] project team holds a weekly team meeting in &amp;lt;code&amp;gt;&amp;lt;nowiki&amp;gt;#openstack-meeting-alt&amp;lt;/nowiki&amp;gt;&amp;lt;/code&amp;gt;:&lt;br /&gt;
&lt;br /&gt;
* Weekly on Mondays at [http://www.timeanddate.com/worldclock/fixedtime.html?iso=20130502T2000 2000 UTC]&lt;br /&gt;
* The blueprints that are used as a basis for the [https://launchpad.net/barbican Barbican project] can be found at https://blueprints.launchpad.net/barbican&lt;br /&gt;
* Notes for previous meetings can be found [http://eavesdrop.openstack.org/meetings/barbican here].&lt;br /&gt;
* Chair (to contact for more information): jraim (#openstack-barbican @ Freenode)&lt;br /&gt;
&lt;br /&gt;
== Agenda ==&lt;br /&gt;
* Sep 15, 2014&lt;br /&gt;
** jenkins.cloudkeep.io&lt;br /&gt;
** Metadata Storage: https://etherpad.openstack.org/p/barbican_metadata&lt;br /&gt;
** API Stability &lt;br /&gt;
** Documentation sync up with new API&lt;br /&gt;
&lt;br /&gt;
* Sep 8, 2014&lt;br /&gt;
** Kilo Design Sessions&lt;br /&gt;
** Juno roadmap discussions: https://etherpad.openstack.org/p/barbican-juno-final-roadmap&lt;br /&gt;
* Sep 1, 2014&lt;br /&gt;
** Kilo Design Sessions&lt;br /&gt;
* Aug 25, 2014&lt;br /&gt;
** CR Sizes (jvrbanac)&lt;br /&gt;
** String interpolation in debug logging (redrobot, rellerreller)&lt;br /&gt;
** Python 3 support (rellerreller)&lt;br /&gt;
* Aug 18, 2014&lt;br /&gt;
** Juno Home Stretch (woodster)&lt;br /&gt;
* Aug 11, 2014&lt;br /&gt;
** [[Barbican/Integration|Barbican Integration]] &lt;br /&gt;
** Barbican as a Keystone service&lt;br /&gt;
* Aug 4, 2014&lt;br /&gt;
** #openstack-barbican on eavesdrop&lt;br /&gt;
* July 28, 2014&lt;br /&gt;
** Add more type in order post (https://review.openstack.org/#/c/87405/) waiting for review.&lt;br /&gt;
** Kilo conference presentation submissions&lt;br /&gt;
&lt;br /&gt;
* July 21, 2014&lt;br /&gt;
** (redrobot) Expiring Launchpad BPs after 5 days&lt;br /&gt;
&lt;br /&gt;
* July 14, 2014&lt;br /&gt;
** barbican-core nominations vote count&lt;br /&gt;
** can we plan better to make such change  https://review.openstack.org/#/c/103431?&lt;br /&gt;
** python-barbicanclient release schedule&lt;br /&gt;
&lt;br /&gt;
* June 30, 2014&lt;br /&gt;
** Mid-cycle meetup next week&lt;br /&gt;
** Keystone events blueprint&lt;br /&gt;
** (atiwari) https://review.openstack.org/#/c/98174/ (Do we need to worry about backward compatibility?)&lt;br /&gt;
&lt;br /&gt;
* June 23, 2014&lt;br /&gt;
** Mid-cycle meetup in two weeks.&lt;br /&gt;
&lt;br /&gt;
* June 16, 2014&lt;br /&gt;
** Mid-cycle meetup&lt;br /&gt;
&lt;br /&gt;
* June 9, 2014&lt;br /&gt;
** barbican-specs repo &lt;br /&gt;
** juno-1 release coming up&lt;br /&gt;
** mid-cycle meetup&lt;br /&gt;
** https://review.openstack.org/#/c/98473 (is it merge ready? kind of blocker)&lt;br /&gt;
** https://review.openstack.org/#/c/97844/ (is it merge ready?)&lt;br /&gt;
** https://review.openstack.org/#/c/98174 (is it merge ready?)&lt;br /&gt;
** Testing code pattern&lt;br /&gt;
** Any progress on eventing system (atiwari).&lt;br /&gt;
** Can tenant_id removal from uri deserve v2 api version(atiwari).&lt;br /&gt;
&lt;br /&gt;
* June 2, 2014&lt;br /&gt;
** Hacking enabled on pep8 gate&lt;br /&gt;
** New barbican-specs repository&lt;br /&gt;
** Order model changes for https://blueprints.launchpad.net/barbican/+spec/api-orders-add-more-types&lt;br /&gt;
*** New field &amp;quot;meta of type JsonBlob&amp;quot; and &amp;quot;container_id of type String&amp;quot;&lt;br /&gt;
** Meera is adding Barbican tempest tests https://blueprints.launchpad.net/tempest/+spec/add-basic-tests-for-barbican&lt;br /&gt;
*** Comments, Suggestions or disagreement?&lt;br /&gt;
&lt;br /&gt;
* May 5, 2014&lt;br /&gt;
** https://review.openstack.org/#/c/82189/ (is it merge ready?)&lt;br /&gt;
** https://review.openstack.org/#/c/88463/ (review required- API change proposal Key generation)&lt;br /&gt;
** https://review.openstack.org/#/c/81310/ (review required-  Adding target support for policy enforcement.)&lt;br /&gt;
** https://review.openstack.org/#/c/90613/ (review required- API change proposal certificate generation order)&lt;br /&gt;
**The Advanced Services Common Requirements team wanted to discuss the current status of the Barbican and its readiness to utilize the Barbican for Certificate/key generation and for storing the tenant's certificates sercurely in the system. &lt;br /&gt;
**Can we get an update or talk about this in today's meeting.&lt;br /&gt;
*** https://blueprints.launchpad.net/barbican/+spec/add-wrapping-key-to-barbican-server&lt;br /&gt;
&lt;br /&gt;
* April 28, 2014&lt;br /&gt;
** Action items:&lt;br /&gt;
*** all: Review/contribute to Malini's etherpad: https://etherpad.openstack.org/p/juno-key-manager-chapter&lt;br /&gt;
*** all: Review atiwari's CR to modify the crypto plugin interface: https://review.openstack.org/#/c/82189/&lt;br /&gt;
*** core: Consider beefing up barbican docs related to current crypto plugin operation, as prep for the OpenStack summit&lt;br /&gt;
&lt;br /&gt;
* April 7, 2014&lt;br /&gt;
** malini - update on Secuirty Guide documentation&lt;br /&gt;
** alee_/atiwari - Crypto plugin changes&lt;br /&gt;
** arunkant - Target support in barbican policy enforcement [https://blueprints.launchpad.net/barbican/+spec/policy-target-support]&lt;br /&gt;
** jraim - Support for debug mode start in barbican [https://review.openstack.org/#/c/82265/], can be merged?&lt;br /&gt;
&lt;br /&gt;
== Meeting organizers ==&lt;br /&gt;
&lt;br /&gt;
* Publish the agenda 24h in advance&lt;br /&gt;
* Mail the agenda to the list and invite participants&lt;br /&gt;
* Ask each person responsible for an action from the previous meeting to prepare a line of the form, for each action item:   . #info nickname description of the action link to the diff / mailing list thread etc. describing the implementation of the action&lt;br /&gt;
* Use http://meetbot.debian.net/Manual.html to get an automatic summary&lt;br /&gt;
* Prepare an outline for the meeting to speed things up (see http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-10-16.00.log.html for an actual example)&lt;br /&gt;
* Record decisions and commitments; review in the next meeting&lt;/div&gt;</summary>
		<author><name>Atiwari</name></author>	</entry>

	</feed>