Solum/SecurityRequirements

Note: This is currently a living document under frequent updates. Please contact paul.montgomery@rackspace.com for any questions or comments.

Solum Security Requirements
Solum is a relatively large project with a diverse set of contributors. This page will attempt to capture the security features which will be implemented in Solum's core code base in order to coordinate efforts with the community. This will also include a list of features that the Solum operator/administrator should implement.

Why doesn't Solum implement all security features? There are many Solum implementation options and local environment requirements that would make this extremely difficult or impossible. Each operator will likely have their own level of security requirements.

Reference Material

 * OpenStack Security Guide: http://docs.openstack.org/security-guide/content/openstack_user_guide.html

Goals

 * Consolidate Solum security requirements
 * Enable easy community discussion/voting on security topics
 * Simplify Gerrit reviews by copying the appropriate "Requirement Link" and pasting it into the review comments
 * Link discussion logs to the appropriate security feature so that others may understand the background discussions and reasons (please help keep this up to date)
 * Feed security architecture back to the OpenStack Security Group to help make OpenStack wide security best practices documentation

Disclaimers

 * This is a reference document and is not a substitute for reading the original documents
 * Some requirement language quoted from external references has been modified for Solum purposes. Usually this means a "should" in the original becomes a "must" here, for clarity.

Assumptions

 * Solum is considered equivalent to an OSSG-defined "public cloud" with regard to its threat model

Solum-specific Security Requirements
These requirements were derived from discussions in the Solum community. If the "OSSG Applicable" field contains "Yes", the requirement may be generally applicable to projects across OpenStack. Note: Unless the Status is "Approved", the requirement has not yet been accepted by the Solum community.

Update: The OpenStack Security Group has accepted many of the Solum security requirements and will review each requirement in detail soon. This link, https://wiki.openstack.org/wiki/Security/Guidelines, will become the official repository for many of these requirements.

TODO(wpm): Remove duplicate security requirements from this Solum page.

OSSG-based Solum Security Features
These are security requirements for the core Solum implementation to address. Note: Unless the Status is "Approved", the feature has not yet been accepted by the Solum community.

OSSG-based Operator Security Features
These are recommended security features that an operator should implement, but implementing them is ultimately the operator's choice. These requirements are outside the scope of Solum's core code. Note: This is not an exhaustive list of all OpenStack Security Guide requirements. It is an attempt to quickly summarize some key recommendations and is not a replacement for the OSSG itself.

TODO: Continue in the OSSG from Chapter 11.