[openstack-dev] [nova] Minimal secure identification of a new VM
harlowja at fastmail.com
Wed Apr 6 00:58:27 UTC 2016
Adam Young wrote:
> We have a use case where we want to register a newly spawned Virtual
> machine with an identity provider.
> Heat also has a need to provide some form of Identity for a new VM.
> Looking at the set of utilities right now, there does not seem to be a
> secure way to do this. Injecting files does not provide a path that
> cannot be seen by other VMs or machines in the system.
> For our use case, a short lived One-Time-Password is sufficient, but for
> others, I think asymmetric key generation makes more sense.
> Is the following possible:
> 1. In cloud-init, the VM generates a Keypair, then notifies the Nova
> infrastructure (somehow) that it has done so.
So this can be somewhat done already:
But unsure what endpoint you want that thing to call (and the data it
sends might need to be tweaked); and said calling a URL might need
https, which then begs the question of what certs and stuff https is
using to ensure it's calling a URL that is 'really nova'.
> 2. Nova Compute reads the public Key off the device and sends it to
> conductor, which would then associate the public key with the server?
> 3. A third party system could then validate the association of the
> public key and the server, and build a work flow based on some signed
> document from the VM?
Seems like a useful idea, if we can figure out how to do it.
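The three-step flow proposed above, worked through as an added example (not code from the thread, Nova or cloud-init): the VM generates an Ed25519 keypair (step 1), a stand-in `Registry` plays the conductor-side association of server ID to public key (step 2, hypothetical name), and a third party verifies a document the VM signed over a nonce it chose (step 3). The first-key-wins rule in `Register` and the nonce in the signed claim are the checks a verifier would want; the server ID and nonce values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Registry stands in for the server-to-key map nova-conductor keeps in step 2 (hypothetical).
type Registry map[string]ed25519.PublicKey

// Register binds a key to a server; first key wins so a later rebind cannot replace it.
func (r Registry) Register(serverID string, pub ed25519.PublicKey) bool {
	if _, exists := r[serverID]; exists {
		return false
	}
	r[serverID] = pub
	return true
}

// GenerateVMKey is step 1: the VM creates its keypair in cloud-init.
func GenerateVMKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// claim binds the server ID to the verifier's nonce so a signature cannot be replayed.
func claim(serverID, nonce string) []byte {
	return []byte("vm-identity-claim|" + serverID + "|" + nonce)
}

// SignClaim runs inside the VM; the private key never leaves it.
func SignClaim(priv ed25519.PrivateKey, serverID, nonce string) []byte {
	return ed25519.Sign(priv, claim(serverID, nonce))
}

// VerifyClaim is the step 3 check a third party performs.
func VerifyClaim(r Registry, serverID, nonce string, sig []byte) bool {
	pub, ok := r[serverID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, claim(serverID, nonce), sig)
}

func main() {
	reg := Registry{}
	pub, priv, _ := GenerateVMKey()
	reg.Register("server-1234", pub)
	sig := SignClaim(priv, "server-1234", "nonce-abc")
	println("valid:", VerifyClaim(reg, "server-1234", "nonce-abc", sig))
}
```

Note that this only proves possession of the private key that was registered for the server; whether the registered key really came off that VM's device is exactly the trust gap step 2 of the thread has to close.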