X509-proposal
Revision as of 22:50, 17 January 2012

X509 Certs

Nova has an x509 cert store that it uses for the ec2 image bundling process and the cloudpipe vpn system. Currently the code runs inside the API server, which causes problems if you want to run the API server on multiple boxes.

STATUS: DRAFT

QUESTIONS:

  • what is the X509 chain? Is it per user? Is it per tenant?
  • what is the api for validation? Is there an admin API to download the chain (for cloudpipe?) or do we expose a validation method?

Overview:

  • move x509 into a nova-manager, run from a host that manages the CA directory
  • openstack (admin-only?) extension for management - there is some (deprecated) usage in the ec2/admin.py
  • use rpc to communicate between API and x509 manager
  • api is a wrapper around most of the nova/crypto.py interface

[ OS API ] <=> [ x509-manager ] <=> [ crypto logic ]

Manager

Create a nova-x509 bin that is a nova-manager. A manager in nova is a process that has flags and an RPC and DB connection (nova-scheduler is an example of a manager).

OS API Extension

The following are users of the extension:

  • the dashboard - for getting certs for users (building a novarc / nova.zip)
    • CRUD around certs for a user (scoped by a tenant)
  • cloudpipe - ?

REST OBJECT:

        {"cert": {"x509": "text",
                  "tenant_id": "<tenant_id>",
                  "created": "12/12/12",
                  "enabled": true}}
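As an added example (not code from the proposal or from Nova), the sketch below stands in for the proposed nova-x509 manager: it is the only component holding CA keys, it issues a user cert scoped to a tenant and hands it back in the REST object shape above, and it offers a validation method of the kind the QUESTIONS ask about. It uses the `cryptography` library, assumes one CA chain per tenant (which the page leaves open), and omits the RPC transport, since the point is the interface the API layer would call.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import Encoding, NoEncryption, PrivateFormat
from cryptography.x509.oid import NameOID

def _build(cn, issuer, pubkey, signer, days, is_ca):
    # One builder for the self-signed tenant CA and for the user certs it issues.
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer if issuer is not None else subject)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(is_ca, 0 if is_ca else None), critical=True)
            .sign(signer, hashes.SHA256()))

class X509Manager:
    """Stand-in for the proposed nova-x509 manager: the only process that holds CA keys."""
    def __init__(self):
        self._cas = {}    # tenant_id -> (ca_key, ca_cert); assumption (open on the page): one CA per tenant
        self._certs = {}  # (tenant_id, serial) -> REST object from the proposal
    def generate_x509_for_user(self, tenant_id, user_id):
        """Issue a cert for user_id scoped to tenant_id; returns (REST object, user key PEM)."""
        if tenant_id not in self._cas:  # first use of a tenant creates its CA
            key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
            self._cas[tenant_id] = (key, _build("nova-ca-" + tenant_id, None, key.public_key(), key, 3650, True))
        ca_key, ca_cert = self._cas[tenant_id]
        user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        cert = _build(user_id, ca_cert.subject, user_key.public_key(), ca_key, 365, False)
        rest = {"cert": {"x509": cert.public_bytes(Encoding.PEM).decode(), "tenant_id": tenant_id,
                         "created": datetime.date.today().isoformat(), "enabled": True}}
        self._certs[(tenant_id, cert.serial_number)] = rest
        return rest, user_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()).decode()
    def disable(self, tenant_id, cert_pem):  # "revocation" in this model: flip the stored flag
        serial = x509.load_pem_x509_certificate(cert_pem.encode()).serial_number
        self._certs[(tenant_id, serial)]["cert"]["enabled"] = False
    def validate(self, tenant_id, cert_pem):
        # The validation method the page asks about: in this tenant's store, enabled, and CA-signed.
        cert = x509.load_pem_x509_certificate(cert_pem.encode())
        record = self._certs.get((tenant_id, cert.serial_number))
        if record is None or not record["cert"]["enabled"]:
            return False
        try:
            self._cas[tenant_id][1].public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            return False
        return True
```

A cert presented under the wrong tenant, or one that has been disabled, fails validate() even though its signature is still good, which is the check cloudpipe would rely on.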

Old EC2 Extension

    # Excerpt of the deprecated EC2 admin extension (nova/api/ec2/admin.py, mentioned
    # in the Overview). It runs inside the API server and calls the auth/crypto code
    # directly, which is what the proposal moves behind the x509 manager. `_` is
    # nova's gettext builtin, `manager` is nova.auth.manager and `user_dict` builds
    # the response dict for the caller.
    def generate_x509_for_user(self, context, name, project=None, **kwargs):
        """Generates and returns an x509 certificate for a single user.
           Is usually called from a client that will wrap this with
           access and secret key info, and return a zip file.
        """
        # A user's cert is scoped to a project; default to the project named after the user.
        if project is None:
            project = name
        project = manager.AuthManager().get_project(project)
        user = manager.AuthManager().get_user(name)
        msg = _("Getting x509 for user: %(name)s"
                " on project: %(project)s") % locals()
        LOG.audit(msg, context=context)
        # get_credentials() produces the key/cert material for this user in this
        # project as a zip archive; it is base64-encoded for transport to the client.
        return user_dict(user, base64.b64encode(project.get_credentials(user)))