Latest revision as of 23:30, 17 February 2013

Created: Tue, 20 Dec 2011 13:45:07 -0800
Contributors: Gunther Hagleitner

SSL endpoints

Summary

In order to prevent malicious code or attackers to interfere with the operation of the OpenStack we propose to provide optional encryption and certificate verification via SSL on all endpoints (APIs, message queue & clients, DB).

See: https://bugs.launchpad.net/nova/+bug/790900

Note that this only sends in boolean true or false, while amqlib and carrot can send in a dictionary in python 2.6+

See: http://docs.python.org/library/ssl.html (ssl.wrap_socket)

See: http://code.google.com/p/py-amqplib/source/browse/amqplib/client_0_8/transport.py#189

Design

The following enpoints need to have options to enable SSL encryption and verification:

EC2/OS API
Glance API
Message Queue (server)
Nova compute (db)
Nova compute (message queue, client)
Nova scheduler (message queue, client, db)
Nova network (message queue, client, db)
... (any webservice + db)

The following blueprints have already started building ssl support:

SSL for EC2 nova: https://blueprints.launchpad.net/nova/+spec/openstack-api-ssl
SSL for rabbit mq clients: https://bugs.launchpad.net/nova/+bug/790900
SSL for glance: https://blueprints.launchpad.net/glance/+spec/support-ssl

Message queue communication

Message server can be configured to accept only verified SSL connections (no changes needed): http://www.rabbitmq.com/ssl.html
Message clients already support SSL, but need to add certificate and private key to configuration parameters and connection calls.
- http://code.google.com/p/py-amqplib/source/browse/amqplib/client_0_8/transport.py#189
- http://packages.python.org/kombu/reference/kombu.connection.html

Database

mysql server can be configured to accept only SSL connections for OpenStack user (schema change, needs cert, ca, key at startup)
- see https://github.com/cloudbuilders/devstack/blob/master/stack.sh#L662 and add "REQUIRE SSL" when creating the user
mysql client needs to add certificate, key to connection calls - certificate/key needs to be added to configuration parameters

This should work as the following:

mysql://$user:$pw@$host/$db?ssl_ca=$ca&ssl_key=$key&ssl_cert=$cert&ssl_capath=$capath&ssl_cipher=$cipher

Maybe also done in: http://wiki.openstack.org/nova-security-updates??

Glance

http://glance.openstack.org/configuring.html#configurating-ssl-support

EC2/OS API

https://blueprints.launchpad.net/nova/+spec/openstack-api-ssl

Expected Code Changes

Diablo branch (may change in essex):

nova/flags.py
nova/rpc.py

Expected Documentation Changes

Dependencies

python2.6+
OpenSSH
Erlang >= R13B
Erlang SSL

Test/Demo Plan

Migration Plan

Default (enable flag missing/off) will remain to be no SSL. No migration necessary.

Unresolved Issues

Notes

Contacts

hagleitn@yahoo-inc.com

@@ Line 1: / Line 1: @@
-__NOTOC__
 * '''Created''': Tue, 20 Dec 2011 13:45:07 -0800
 * '''Contributors''': Gunther Hagleitner
@@ Line 5: / Line 5: @@
 = SSL endpoints =
-<<[[TableOfContents]]()>>
+__TOC__
 == Summary ==
@@ Line 49: / Line 49: @@
 * mysql server can be configured to accept only SSL connections for [[OpenStack]] user (schema change, needs cert, ca, key at startup)
+** see https://github.com/cloudbuilders/devstack/blob/master/stack.sh#L662 and add "REQUIRE SSL" when creating the user
 * mysql client needs to add certificate, key to connection calls - certificate/key needs to be added to configuration parameters
-Maybe done in: http://wiki.openstack.org/nova-security-updates
+This should work as the following:
+<pre><nowiki>
+mysql://$user:$pw@$host/$db?ssl_ca=$ca&ssl_key=$key&ssl_cert=$cert&ssl_capath=$capath&ssl_cipher=$cipher
+</nowiki></pre>
+Maybe also done in: http://wiki.openstack.org/nova-security-updates??
 === Glance ===

Difference between revisions of "SSLEndpoints"