OpenStack Identity (Keystone)

Middleware client authentication with certficate

Registered by Liem Nguyen on 2011-10-11

Motivation

Currently, an Openstack service (middleware) that needs to communicate with Keystone relies on an admin_token to authenticate itself with Keystone. This admin_token is stored in a plain-text configuration file on service node. This poses security risk if this file is compromised, and also increases the management overhead of this token, if it needs to be changed across multiple nodes.

An alternative solution is to authenticate the Openstack service with Keystone via Secure Sockets Layer (SSL) client authentication.
Benefits

Some main benefits for this approach are:

    Client certificates can be obtained and stored in a secure manner.
    Different services can be given different service certificates, creating different classes of service with different privileges in Keystone (for example, for QoS purposes)
    Certificates can be revoked easily on Keystone.

Changes

    Client certificate needs to be created and signed by a CA trusted by the Keystone server.
    Keystone middleware needs to supply the client certificate when making an HTTPS connection.
    A keystore and truststore need to be created on the Keystone server.
    Keystone server needs to authenticate client certificate accordingly.

Review: https://review.openstack.org/#change,1038

Blueprint information

Status:
Complete
Approver:
Ziad Sawalha
Priority:
Medium
Drafter:
Liem Nguyen
Direction:
Approved
Assignee:
HP Cloud Engineering
Definition:
Approved
Series goal:
Accepted for essex
Implementation:
Implemented
Milestone target:
milestone icon 2012.1
Started by
Jason Rouault on 2011-10-21
Completed by
Joe Savak on 2011-11-08

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/2-way-ssl,n,z

Addressed by: https://review.openstack.org/1038
    x.509 client authentication

Addressed by: https://review.openstack.org/7706
    Implemented bp/2-way-ssl using eventlet-based SSL.

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.