
[Bug 1514768] Re: LBaaS v2 - Barbican TLS containers consuming misuse


[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1514768

Title:
  LBaaS v2 - Barbican TLS containers consuming misuse

Status in neutron:
  Expired

Bug description:
  The LBaaS v2 plugin is using Barbican TLS containers and locally stored certificates for TLS termination on listeners.
  There are several issues with the current implementation of this functionality.

  When the Barbican Certificate Manager is used:
  With the current implementation, the consumer will not be removed from Barbican when the certificate is no longer used by the LB, which is a problem.

  When the Local Certificate Manager is used:
      In the current implementation, certificates that did not pass validation are removed, actually removed from the file system.
      IMO, it's not good practice to remove a tenant's certificate files from the file system, even if the certificate is invalid.

  Proposal for fixing those:

      1. Rename Certificate Manager API functions. There should be:
          get_cert - getting the certificate info without registering a
          resource consumer. Plugin will use this for certificate validation.

          register_cert_consumer - registering a consumer in Barbican. Plugin
          will use it when the certificate is valid.

          unregister_cert_consumer - removing a consumer in Barbican. Plugin
          will use this to remove the resource consumer for certificate(s)
          that are not used by the listener any more.
      2. Local Certificate Manager should not delete certificate files from the file system when the certificate is invalid.
          get_cert - getting certificate data from certificate files. Plugin
          will use this.
          register_cert_consumer and unregister_cert_consumer - will do
          nothing, since no resource consumer registration/removal is needed.
      3. Plugin should deregister consumers for certificates that are not
         in use by the loadbalancer/listener any more.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1514768/+subscriptions
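The flow proposed above (validate via a read-only get_cert, register consumers only for valid certificates, unregister consumers for refs a listener drops, and never delete local files), as an added example that is not neutron's code; the class and function names are hypothetical and the Barbican store is an in-memory stand-in.

```python
# Added example, not neutron's code. ConsumerRegistry stands in for Barbican's
# container/consumer store; LocalCertManager and update_listener_certs are
# hypothetical names for the proposed API. Certificate refs and PEM text are constructed.


def is_valid_cert(pem):
    # Minimal structural check; real code would parse the PEM with a crypto library.
    return "-----BEGIN CERTIFICATE-----" in pem and "-----END CERTIFICATE-----" in pem


class ConsumerRegistry:
    """Stand-in for Barbican: container_ref -> PEM, plus the consumers registered on each."""

    def __init__(self, containers):
        self.containers = dict(containers)
        self.consumers = {ref: set() for ref in containers}

    def get_cert(self, ref):
        # Read-only fetch: validating a certificate must not leave a consumer behind.
        return self.containers[ref]

    def register_cert_consumer(self, ref, consumer):
        self.consumers[ref].add(consumer)

    def unregister_cert_consumer(self, ref, consumer):
        self.consumers[ref].discard(consumer)


class LocalCertManager:
    """Certificates on disk: an invalid file is reported to the caller, never deleted."""

    def get_cert(self, path):
        with open(path) as f:
            return f.read()

    def register_cert_consumer(self, path, consumer):
        pass  # no consumer bookkeeping exists for local files

    def unregister_cert_consumer(self, path, consumer):
        pass


def update_listener_certs(mgr, listener_id, old_refs, new_refs):
    """Validate first; on success register consumers for newly used refs and
    unregister consumers for refs the listener no longer uses. Returns the new ref set."""
    old_refs, new_refs = set(old_refs), set(new_refs)
    bad = sorted(r for r in new_refs if not is_valid_cert(mgr.get_cert(r)))
    if bad:
        raise ValueError("invalid certificate(s): %s" % ", ".join(bad))
    for ref in new_refs - old_refs:
        mgr.register_cert_consumer(ref, listener_id)
    for ref in old_refs - new_refs:
        mgr.unregister_cert_consumer(ref, listener_id)
    return new_refs
```

A failed validation leaves the registry untouched, so a listener update that is rejected neither leaks a consumer on the rejected container nor drops the consumers of the certificates still in use.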