[openstack-dev] [Fuel] API services available on public VIP

Matthew Mosesohn mmosesohn at mirantis.com
Mon Nov 16 15:34:21 UTC 2015


I haven't seen any more discussion on this topic. It looks like since we
default to enabling SSL/TLS on deployments, there's no reason to block
access to public API endpoints.

On Fri, Nov 13, 2015 at 5:15 PM, Vladimir Kuklin <vkuklin at mirantis.com>
wrote:

> Adam
>
> I think the answer is relatively simple - if a user does not want to expose
> those APIs, he can easily configure his infra to filter this traffic. We
> just need to mention this in Ops Guide.
>
> On Fri, Nov 13, 2015 at 4:02 PM, Adam Heczko <aheczko at mirantis.com> wrote:
>
>> Hello fuelers,
>>
>> today I'd like to raise a question about Fuel deployment practice
>> related to Public (external) network.
>> Current approach is to expose by default over public IP OpenStack API
>> endpoints like nova, cinder, glance, neutron etc. These API services are
>> exposed through HAProxy with TLS support, so this approach seems to be
>> relatively secure.
>> OTOH industry practice is not to expose too much over public IPs and
>> rather rely on user action / decision to expose API access to the public.
>> I'd like to ask for your opinions regarding this topic and approach taken
>> by Fuel.
>>
>> Thank you,
>>
>> --
>> Adam Heczko
>> Security Engineer @ Mirantis Inc.
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Yours Faithfully,
> Vladimir Kuklin,
> Fuel Library Tech Lead,
> Mirantis, Inc.
> +7 (495) 640-49-04
> +7 (926) 702-39-68
> Skype kuklinvv
> 35bk3, Vorontsovskaya Str.
> Moscow, Russia,
> www.mirantis.com <http://www.mirantis.ru/>
> www.mirantis.ru
> vkuklin at mirantis.com
>