Difference between revisions of "SSLEndpoints"
m (Text replace - "__NOTOC__" to "") |
|||
| (13 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | ||
* '''Created''': Tue, 20 Dec 2011 13:45:07 -0800 | * '''Created''': Tue, 20 Dec 2011 13:45:07 -0800 | ||
* '''Contributors''': Gunther Hagleitner | * '''Contributors''': Gunther Hagleitner | ||
| Line 5: | Line 5: | ||
= SSL endpoints = | = SSL endpoints = | ||
| − | + | __TOC__ | |
== Summary == | == Summary == | ||
| Line 18: | Line 18: | ||
See: http://code.google.com/p/py-amqplib/source/browse/amqplib/client_0_8/transport.py#189 | See: http://code.google.com/p/py-amqplib/source/browse/amqplib/client_0_8/transport.py#189 | ||
| − | Similar: http://wiki.openstack.org/nova-security-updates | + | Similar: http://wiki.openstack.org/nova-security-updates, https://blueprints.launchpad.net/nova/+spec/openstack-api-ssl |
== Design == | == Design == | ||
| Line 29: | Line 29: | ||
* Nova compute (db) | * Nova compute (db) | ||
* Nova compute (message queue, client) | * Nova compute (message queue, client) | ||
| − | * Nova scheduler (message queue, client) | + | * Nova scheduler (message queue, client, db) |
| − | * Nova network (message queue, client) | + | * Nova network (message queue, client, db) |
| + | * ... (any webservice + db) | ||
The following blueprints have already started building ssl support: | The following blueprints have already started building ssl support: | ||
| Line 48: | Line 49: | ||
* mysql server can be configured to accept only SSL connections for [[OpenStack]] user (schema change, needs cert, ca, key at startup) | * mysql server can be configured to accept only SSL connections for [[OpenStack]] user (schema change, needs cert, ca, key at startup) | ||
| + | ** see https://github.com/cloudbuilders/devstack/blob/master/stack.sh#L662 and add "REQUIRE SSL" when creating the user | ||
* mysql client needs to add certificate, key to connection calls - certificate/key needs to be added to configuration parameters | * mysql client needs to add certificate, key to connection calls - certificate/key needs to be added to configuration parameters | ||
| + | |||
| + | This should work as the following: | ||
| + | |||
| + | |||
| + | <pre><nowiki> | ||
| + | mysql://$user:$pw@$host/$db?ssl_ca=$ca&ssl_key=$key&ssl_cert=$cert&ssl_capath=$capath&ssl_cipher=$cipher | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | Maybe also done in: http://wiki.openstack.org/nova-security-updates?? | ||
=== Glance === | === Glance === | ||
| − | * | + | * http://glance.openstack.org/configuring.html#configurating-ssl-support |
=== EC2/OS API === | === EC2/OS API === | ||
| − | * | + | * https://blueprints.launchpad.net/nova/+spec/openstack-api-ssl |
== Expected Code Changes == | == Expected Code Changes == | ||
| Line 75: | Line 87: | ||
<pre><nowiki> | <pre><nowiki> | ||
| + | python2.6+ | ||
OpenSSH | OpenSSH | ||
Erlang >= R13B | Erlang >= R13B | ||
Latest revision as of 23:30, 17 February 2013
- Created: Tue, 20 Dec 2011 13:45:07 -0800
- Contributors: Gunther Hagleitner
SSL endpoints
Contents
Summary
In order to prevent malicious code or attackers to interfere with the operation of the OpenStack we propose to provide optional encryption and certificate verification via SSL on all endpoints (APIs, message queue & clients, DB).
See: https://bugs.launchpad.net/nova/+bug/790900
- Note that this only sends in boolean true or false, while amqlib and carrot can send in a dictionary in python 2.6+
See: http://docs.python.org/library/ssl.html (ssl.wrap_socket)
See: http://code.google.com/p/py-amqplib/source/browse/amqplib/client_0_8/transport.py#189
Similar: http://wiki.openstack.org/nova-security-updates, https://blueprints.launchpad.net/nova/+spec/openstack-api-ssl
Design
The following enpoints need to have options to enable SSL encryption and verification:
- EC2/OS API
- Glance API
- Message Queue (server)
- Nova compute (db)
- Nova compute (message queue, client)
- Nova scheduler (message queue, client, db)
- Nova network (message queue, client, db)
- ... (any webservice + db)
The following blueprints have already started building ssl support:
- SSL for EC2 nova: https://blueprints.launchpad.net/nova/+spec/openstack-api-ssl
- SSL for rabbit mq clients: https://bugs.launchpad.net/nova/+bug/790900
- SSL for glance: https://blueprints.launchpad.net/glance/+spec/support-ssl
Message queue communication
- Message server can be configured to accept only verified SSL connections (no changes needed): http://www.rabbitmq.com/ssl.html
- Message clients already support SSL, but need to add certificate and private key to configuration parameters and connection calls.
Database
- mysql server can be configured to accept only SSL connections for OpenStack user (schema change, needs cert, ca, key at startup)
- see https://github.com/cloudbuilders/devstack/blob/master/stack.sh#L662 and add "REQUIRE SSL" when creating the user
- mysql client needs to add certificate, key to connection calls - certificate/key needs to be added to configuration parameters
This should work as the following:
mysql://$user:$pw@$host/$db?ssl_ca=$ca&ssl_key=$key&ssl_cert=$cert&ssl_capath=$capath&ssl_cipher=$cipher
Maybe also done in: http://wiki.openstack.org/nova-security-updates??
Glance
EC2/OS API
Expected Code Changes
Diablo branch (may change in essex):
nova/flags.py nova/rpc.py
Expected Documentation Changes
Dependencies
python2.6+ OpenSSH Erlang >= R13B Erlang SSL
Test/Demo Plan
Migration Plan
Default (enable flag missing/off) will remain to be no SSL. No migration necessary.
Unresolved Issues
Notes
Contacts
hagleitn@yahoo-inc.com
