SSL on all endpoints

Registered by Joshua Harlow

In order to prevent malicious code or attackers from interfering with the operation of OpenStack, we propose to provide optional encryption and certificate verification via SSL on all endpoints (APIs, message queue & clients, DB).

See: https://bugs.launchpad.net/nova/+bug/790900

    Note that this only sends in boolean true or false, while amqplib and carrot can send in a dictionary in Python 2.6+.

See: http://docs.python.org/library/ssl.html (ssl.wrap_socket)

See: http://code.google.com/p/py-amqplib/source/browse/amqplib/client_0_8/transport.py#189

Similar: http://wiki.openstack.org/nova-security-updates, https://blueprints.launchpad.net/nova/+spec/openstack-api-ssl

Blueprint information

Status: Complete
Approver: Vish Ishaya
Priority: Undefined
Drafter: Nova Security Improvements Team
Direction: Approved
Assignee: Nova Security Improvements Team
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Vish Ishaya

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/ssl-endpoints,n,z

Addressed by: https://review.openstack.org/2572
    Re-adds ssl to kombu configuration and adds flags that are needed to pass through to kombu.

Gerrit topic: https://review.openstack.org/#q,topic:bp/SSLEndpoints,n,z

Addressed by: https://review.openstack.org/4031
    Re-adds ssl to kombu configuration and adds flags that are needed to pass through to kombu.

Addressed by: https://review.openstack.org/4033
    Re-adds ssl to kombu configuration and adds flags that are needed to pass through to kombu.

Addressed by: https://review.openstack.org/4278
    Re-adds ssl to kombu configuration and adds flags that are needed to pass through to kombu.
