Middleware client authentication with certficate
Motivation
Currently, an Openstack service (middleware) that needs to communicate with Keystone relies on an admin_token to authenticate itself with Keystone. This admin_token is stored in a plain-text configuration file on service node. This poses security risk if this file is compromised, and also increases the management overhead of this token, if it needs to be changed across multiple nodes.
An alternative solution is to authenticate the Openstack service with Keystone via Secure Sockets Layer (SSL) client authentication.
Benefits
Some main benefits for this approach are:
Client certificates can be obtained and stored in a secure manner.
Different services can be given different service certificates, creating different classes of service with different privileges in Keystone (for example, for QoS purposes)
Certificates can be revoked easily on Keystone.
Changes
Client certificate needs to be created and signed by a CA trusted by the Keystone server.
Keystone middleware needs to supply the client certificate when making an HTTPS connection.
A keystore and truststore need to be created on the Keystone server.
Keystone server needs to authenticate client certificate accordingly.
Blueprint information
- Status:
- Complete
- Approver:
- Ziad Sawalha
- Priority:
- Medium
- Drafter:
- Liem Nguyen
- Direction:
- Approved
- Assignee:
- HP Cloud Engineering
- Definition:
- Approved
- Series goal:
- Accepted for essex
- Implementation:
-
Implemented
- Milestone target:
-
2012.1
- Started by
- Jason Rouault
- Completed by
- Joe Savak
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
x.509 client authentication
Addressed by: https:/
Implemented bp/2-way-ssl using eventlet-based SSL.
