[openstack-dev] Unified Guest Agent proposal

Nicolas Barcet nicolas at barcet.com
Sat Dec 7 09:33:01 UTC 2013

On Sat, Dec 7, 2013 at 9:08 AM, Clint Byrum <clint at fewbar.com> wrote:

> So what is needed is domain specific command execution and segregation
> of capabilities.

To further this, I know that a lot of security minded people consider this
types of agent sorts of backdoors. Having one generic "backdoor" that can
do everything is something that could be less acceptable as you would not
have the choice to pinpoint what you'd like to allow it to do, or then the
constraints in terms of fine grained access control becomes huge.   I did
not realize this until I too spoke with Scott about this.  Cloud-init, or
any such generic tool, should only enable deployment domain specific tool,
based on the specific needs of given use case, not become an agent
(backdoor) itself.

This said, I imagine we could get some benefits out of a generic
framework/library that could be used create such agents in a manner where
base authentication and access control is done properly.  This would allow
to simplify security analysis and impacts of agents developped using that
framework, but the framework itself should never become a generic binary
that is deploy everywhere by default and allow way too much in itself.
 Binary instances of agents written using the framework would be what could
be eventually deployed via cloud-init on a case by case basis.



Nicolas Barcet <nicolas at barcet.com>
a.k.a. nijaba, nick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131207/cc1e77f1/attachment.html>

More information about the OpenStack-dev mailing list