<p dir="ltr">Jeff, <br>
'Guess i misunderstood your Q then, i took your Q on "isn't Manila already involved in the creation of every other CN " as you saying that manila should manage the trust setup! Hence my reply... Nevermind.</p>
<p dir="ltr">I very well understand and agree that the only way (given the absence of auth reject for ssl) for Manila driver is to manage the list of CNs and assume whatever is left after removing client CN is the server CNs and preserve it. For a moment i do was confused but it's clear now. Not rocket science for you but can't be sure of others ( incl. Me) :)</p>
<p dir="ltr">Thanks,<br>
Deepak<br></p>
<p dir="ltr">On Jan 30, 2015 7:27 PM, "Jeff Darcy" <<a href="mailto:jdarcy@redhat.com">jdarcy@redhat.com</a>> wrote:<br>
><br>
> > Cert, Keys and CN management is out of band of Manila. The manila community<br>
> > didn't wanted to get into the lifecycle management as its not in the scope of<br>
> > Manila<br>
> > project of openstack. Thus cert and trust setup is deployer's responsibility<br>
> > and needs to be done out of band of Manila.<br>
><br>
> So this code isn't part of Manila?<br>
><br>
><a href="https://github.com/openstack/manila/tree/master/manila/share/drivers"> https://github.com/openstack/manila/tree/master/manila/share/drivers</a><br>
><br>
> As far as I can tell, that code *is* managing tenants, volumes, certs,<br>
> and so on - including actions on them and interactions between them. It<br>
> has its own config variables, and even a database. As far as I can<br>
> tell, it only has to handle adding access to a single CN at a time<br>
> (adding a second will overwrite the ssl-allow value from adding the<br>
> first). Thus there are only two values for ssl-allow.<br>
><br>
> allow_access: internal CN + tenant CN (in access['access_to'])<br>
><br>
> deny_access: internal CN<br>
><br>
> Why can't the internal CN be a configuration value, like the volume list<br>
> or private-key location we already have? Is there some strange quirk of<br>
> how Manila (or OpenStack more generally) works that makes any of this<br>
> seem like rocket science</p>