Open Stack

On 29 October 2015 at 12:43, Major Hayden <major at mhtx.net> wrote:

> On 10/29/2015 04:33 AM, McPeak, Travis wrote:
> > The only potential security drawback is that we are introducing a new
> > asset to protect.  If we create the tools that enable a deployer to
> > easily create and administer a lightweight CA, that should add
> > significant value to OpenStack, especially for smaller organizations
> > that don't have experience running a CA.
>
> This is certainly true.  However, I'd like to solve for the use of
> self-signed SSL certificates in openstack-ansible first.
>
> At the moment, each self-signed certificate for various services is
> generated within each role.  The goal would be to make a CA at the
> beginning and then allow roles to utilize another role/task to issue
> certificates from that CA.  The CA would most likely be located on the
> deployment host.
>
> Deployers who are very security conscious can provide keys, certificates,
> and CA certificates in the deployment configuration and those will be used
> instead of generating self-signed certificates.
>

I would argue that self-signed certificates only provide an illusion of
security and the tasks we have to generate and distribute them should be
removed entirely. My thinking is that if a deployer wants to use
self-signed certs, then the deployer can create them and provide their
details as user-provided certs. That way we can do without a whole block of
code and the dependency on memcache for distribution. This makes the
decision to use the self-signed certs a more deliberate one and also takes
care of the complexity of certificate distribution.

That said, I applaud the idea of using a CA role. There are a few in
Ansible Galaxy, but I've found their implementations to be rather complex
whereas I think they can be pretty simple. I have actually done a fair
amount of work on the CA setup part of things in my not-yet-complete
ansible-openvas role [1]. You are welcome to use this work as a starting
base and develop a role which sets up a CA. The trouble I found when
looking into how to do this properly was that there should be several CA's
(one offline primary and more than one secondary which actually does the
signing). This will mean that the role will require quite a bit of guidance
for using it correctly and setting up a single CA or multi-CA environment.

Whether you develop a new role for the OpenStack-Ansible toolbox, or
develop documentation for consuming an existing role in Ansible Galaxy, the
concept is certainly welcome and would go a long way to simplifying a
secure-by-default implementation of OpenStack.

[1]
https://github.com/odyssey4me/ansible-openvas/blob/master/tasks/install_openssl_ca.yml

---
Jesse
IRC: odyssey4me
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20151102/23e8da24/attachment.html>