[openstack-dev] SSL and devstack

Gabriel Hurley Gabriel.Hurley at nebula.com
Mon Oct 29 03:57:06 UTC 2012


Awesome. Sounds great!

    - Gabriel

> -----Original Message-----
> From: Adam Young [mailto:ayoung at redhat.com]
> Sent: Sunday, October 28, 2012 6:11 PM
> To: openstack-dev at lists.openstack.org
> Subject: Re: [openstack-dev] SSL and devstack
> 
> On 10/27/2012 04:28 PM, Gabriel Hurley wrote:
> > Are you advocating enabling SSL just for Keystone? Or for all services?
> 
> I was just talking Keystone.  I think that we probably need SSL between all
> services, and Horizon should certainly be protected via SSL in a public
> deployment, but not necessarily for development:  I think that
> *not* teaching people to click through the SSL options on Horizon is a good
> thing, too.
> 
> > I don't think you are (and hope you're not) advocating enabling it by default
> > for Horizon since browsers will throw up the red "untrusted certificate" page
> > and I don't want to train people to click through that.
> >
> > Moreover, though most of the clients support certificate checking, only
> > some of the clients (keystoneclient included) support checking against a
> > user-specified certificate.
> 
> Yes, we will do that as part of this effort.  An Openstack deployment should
> have all certs under a single CA, something worth doing as part of Devstack.
> 
> > I'm in favor of the work being done to bring all the clients into line there;
> > I'm just putting it forward that right now it's not all there to the best of my
> > knowledge.
> >
> >      - Gabriel
> >
> >> -----Original Message-----
> >> From: Adam Young [mailto:ayoung at redhat.com]
> >> Sent: Friday, October 26, 2012 6:17 PM
> >> To: OpenStack Development Mailing List
> >> Subject: [openstack-dev] SSL and devstack
> >>
> >> Although SSL in Python is slow, we really should enable it in
> >> devstack from here on out.  My understanding is that people with live
> >> deployments front Keystone with some other SSL terminator.  We should
> >> thus plan on running the python-keystoneclient code through SSL by
> >> default to make sure all SSL issues are shaken out.
> >>
> >> If you run keystone-manage --pki_setup  it generates a CA certificate
> >> for you.  This is done by default in devstack, in order to get pki tokens to
> >> work.
> >> However, there are no SSL certificates provided.  The config
> >> documentation
> >> states: "a set of sample certificates is provided in the examples/ssl
> >> directory with the Keystone distribution for testing."  However, it
> >> uses a different CA than the one in the test/signing, so there is no
> >> one set of certificates we can provide.
> >>
> >> I think I would like to add an additional option to the
> >> keystone-manage
> >> CLI: --ssl_setup. What I would like to do is gather what the
> >> requirements for this should be.  To start:
> >>
> >> 1. If no CA is in the path indicated by the config file, generate a
> >> self signed one.  The assumption is that this code will be common
> >> between pki and ssl setup.
> >> 2. Use the CA from the above path to sign the ssl certificate.
> >>
> >> I am assuming that most organizations large enough to have OpenStack
> >> have their own Public Key Infrastructure.  Thus, the self signed CA
> >> and SSL cert should not be the norm.  What I am wondering is if there
> >> is anything we should be doing for those cases.  There is no
> >> standard for remotely submitting a Certificate Signing Request (CSR)
> >> and getting back a signed certificate.  We can generate a CSR based
> >> on the hostname of the machine, and that way we know that the
> >> certificate is formatted for SSL, but is it really better to write a
> >> tool to do this (it is going to be done once every year or
> >> thereabouts) or just point the users at decent documentation about how to
> >> do it themselves?
> >> _______________________________________________
> >> OpenStack-dev mailing list
> >> OpenStack-dev at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
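The two steps Adam lists for a --ssl_setup, plus the hostname-keyed CSR he asks about, as an added shell example written for this page with the openssl CLI (it is not Keystone's keystone-manage code); the file names under $dir and the CA subject are assumptions.

```shell
# Added example, not Keystone's code: the --ssl_setup flow proposed above,
# done with the openssl CLI. File names under $dir and the CA subject are assumptions.
set -eu

# Step 1: reuse the CA at the configured path if one is already there,
# otherwise generate a self-signed one (the part shared with pki_setup).
ensure_ca() {
    dir=$1
    mkdir -p "$dir"
    # Request template; CA:TRUE is explicit so "openssl verify" accepts the issuer.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Devstack Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    if [ ! -f "$dir/ca.pem" ]; then
        openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
            -days 365 -keyout "$dir/cakey.pem" -out "$dir/ca.pem" 2>/dev/null
    fi
}

# CSR keyed to the host name: a site with its own PKI hands this to its CA
# instead of signing with the devstack one.
make_csr() {
    dir=$1; host=$2
    openssl req -new -config "$dir/req.cnf" -subj "/CN=$host" -newkey rsa:2048 \
        -nodes -keyout "$dir/ssl_key.pem" -out "$dir/ssl.csr" 2>/dev/null
}

# Step 2: sign the CSR with the CA from step 1. The SAN goes in at signing
# time because clients match the host name against SAN, not only CN.
ssl_setup() {
    dir=$1; host=$2
    ensure_ca "$dir"
    make_csr "$dir" "$host"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/ssl.csr" -CA "$dir/ca.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$dir/san.ext" \
        -out "$dir/ssl_cert.pem" 2>/dev/null
    # Check: the server cert must chain to the CA clients will be configured with.
    openssl verify -CAfile "$dir/ca.pem" "$dir/ssl_cert.pem" >/dev/null
}
```

Running ssl_setup a second time against the same directory keeps the existing CA and only reissues the server certificate, which is the behaviour the "if no CA is in the path" rule asks for.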