[openstack-dev] [nova][keystone] Message Queue Security
eric at cloudscaling.com
Thu Apr 25 19:16:18 UTC 2013
One use-case I see this proposal failing to address is with cross-cell and cross-project messaging.
The cross-cell messaging is a legitimate concern and probably where some of this security is most desperately needed. Your present design seems to require a single, global service to drive communication and authority for all cells.
Secondly, cross-project messaging is a concern for the Ceilometer team. This is presently contentious amongst the RPC users and maintainers, and a matter of active discussion. However, should that we seek to support this, it should be considered. Presently, all projects communicate via AMQP through a single control_exchange. ZeroMQ messaging happen over a unique TCP port per project. The messaging is clearly delineated, split between the projects.
In our proposed PKI model, this isn't a huge deal, because we can have a keyserver per project, per cell, or per project per cell. There will be devils in the details of implementing it, surely, but it isn't against the architectural design. If communicating to another project or cell, we can make the code reach into the right keyserver. However, your proposal requires a tight coupling of peers / services that introduces complexity around scale that is not presently addressed.
On Thursday, April 25, 2013 at 08:37 AM, Simo Sorce wrote:
> Hello list,
> at the Summit we had a very interesting and productive discussion about
> Message Signing/Encryption for RPC Messages sent via the Message Queue.
> I would like to present a proposal that uses symmetric keys and a
> central key server to address the problem:
> I would really like to get feedback on the proposal, especially if there
> are corner cases I have not considered.
> Simo Sorce * Red Hat, Inc * New York
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org (mailto:OpenStack-dev at lists.openstack.org)
More information about the OpenStack-dev