[openstack-dev] Secure RPC

Russell Bryant rbryant at redhat.com
Tue Nov 6 13:35:26 UTC 2012


On 11/06/2012 06:35 AM, Clark, Robert Graham wrote:
> I believe there are two options here, role based signing and entity based
> signing note that I'm not calling out any specific crypto here, there's a
> bunch of stuff that could be used. In role based signing each role
> nova-host, nova-network, nova-etc would share a signing-key and any system
> receiving a signed message from a role can verify that the message
> originated from a machine of that role. The alternative is entity based
> signing where each host is given its own signing-key and when a system
> receives a message it can verify exactly which machine the message came
> from. I'd be interested to know which method people felt was most
> appropriate. The latter often appears to be more secure but it's possible to
> argue that this is outweighed by the extra overhead. Each machine in your
> system now needs to know about the signing key of every other machine -
> which makes key-rolling/revocation painful and it doesn't isolate any
> potential attacks; most people who deploy at any scale use configuration
> management to keep systems at the same patch level which means that within
> the datacentre you have a flat exploitation space - if I compromised one
> nova-host I can compromise the rest with the same exploit - so protecting
> the signed-keys from individual compromise (by having entity based keys)
> sometimes buys you very little.

I think we need machine-based signing.  Really, I want machine+role signing.

Some things I'd like to be able to do ...

1) I want to ensure that only the nova-scheduler service is allowed to
tell nova-compute services to start a new VM.  Services of another type
should not be allowed to do this.  Role-based signing would cover this case.

2) We are in the middle of some work to remove database access from
nova-compute.  This will likely result in having another service that
nova-compute works with to get instance state updated as needed.  I'd
like to be able to ensure that only the nova-compute service hosting a
given instance can affect that instance's information in the database.
I do not want another nova-compute service (on a potentially compromised
host) able to change important details about the instance.  Role-based
signing is not enough to enforce that.

-- 
Russell Bryant
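As an added example (not code from this thread or from Nova), a minimal Python sketch of the machine+role scheme Russell asks for: every host holds its own key, each key is bound to one role, and the receiver checks both the role policy (only nova-scheduler may call run_instance) and instance ownership (only the nova-compute host owning an instance may update it). Host names, keys, method names and the instance-to-host mapping are constructed sample values.

```python
import hmac
import hashlib
import json

# Constructed key registry: every host has its own key, and each key is
# bound to exactly one role (the "machine+role" scheme from the mail).
HOST_KEYS = {
    "sched-1": ("nova-scheduler", b"sample-key-sched-1"),
    "compute-a": ("nova-compute", b"sample-key-compute-a"),
    "compute-b": ("nova-compute", b"sample-key-compute-b"),
}

# Which role may call which RPC method (requirement 1 in the mail).
METHOD_ROLES = {
    "run_instance": {"nova-scheduler"},
    "instance_update": {"nova-compute"},
}

# Constructed instance-to-host mapping (requirement 2 in the mail).
INSTANCE_HOST = {"inst-42": "compute-a"}

def canonical(body):
    # Deterministic serialization so sender and receiver MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_message(sender, method, args):
    """Build a signed RPC envelope; the role is taken from the sender's key."""
    role, key = HOST_KEYS[sender]
    body = {"sender": sender, "role": role, "method": method, "args": args}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_and_authorize(envelope):
    """Return (ok, reason): signature, key/role binding, role policy, ownership."""
    body = envelope["body"]
    entry = HOST_KEYS.get(body["sender"])
    if entry is None:
        return False, "unknown sender"
    role, key = entry
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        return False, "bad signature"
    if body["role"] != role:
        return False, "role does not match key"
    if role not in METHOD_ROLES.get(body["method"], set()):
        return False, "role not allowed to call method"
    if body["method"] == "instance_update":
        if INSTANCE_HOST.get(body["args"]["instance_id"]) != body["sender"]:
            return False, "sender does not host this instance"
    return True, "ok"
```

The envelope carries no nonce or timestamp, so by itself it does not stop replay of a captured message; that is a separate concern from the role and ownership checks shown here.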


