OpenStack Compute (Nova)

Trusted Messaging / RPC

Registered by Eric Windisch on 2012-03-20

Openstack messaging assumes a trusted network and trusted peers. However, with end-users accessing compute resources, privilege escalation is a viable concern requiring encryption or identity validation to solve. This blueprint seeks to implement a trusted messaging pattern utilizing encryption and/or signing of messages to verify the identities of senders and the validity of their messages.

This code should be abstracted to work over all RPC mechanisms, if possible. Additionally, it is likely that this will require a challenge-response mechanism and perfect-forward-secrecy or timestamping to be secure against replay attacks.

Blueprint information

Status:
Complete
Approver:
Vish Ishaya
Priority:
High
Drafter:
Eric Windisch
Direction:
Needs approval
Assignee:
Eric Windisch
Definition:
Superseded
Series goal:
None
Implementation:
Started
Milestone target:
None
Started by
Eric Windisch on 2012-08-02
Completed by
Russell Bryant on 2013-04-30

Related branches

Sprints

Whiteboard

The rpc code has moved to oslo-incubator since this blueprint was filed, so it's no longer appropriate to have this in nova. A similar blueprint should be opened for oslo. --russellb

https://blueprints.launchpad.net/oslo/+spec/trusted-messaging

(?)

Work Items

Work items:
Design: DONE
Finish advanced-matchmaking (for replay protection): INPROGRESS
Re-evaluate new rpc envelope irt trusted-messaging: INPROGRESS
Development: POSTPONED

Dependency tree

* Blueprints in grey have been implemented.