[openstack-dev] [oslo][all] What would you like changed/fixed/new in oslo??

Ian Cordasco sigmavirus24 at gmail.com
Mon Mar 21 15:55:54 UTC 2016


-----Original Message-----
From: Adam Young <ayoung at redhat.com>
Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Date: March 20, 2016 at 12:03:01
To: openstack-dev at lists.openstack.org <openstack-dev at lists.openstack.org>
Subject:  Re: [openstack-dev] [oslo][all] What would you like changed/fixed/new in oslo??

> On 03/19/2016 11:33 PM, Joshua Harlow wrote:
> > Howday all,
> >
> > Just to start some conversation for the next cycle,
> >
> > I wanted to start thinking about what folks may like to see in oslo
> > (or yes, even what u dislike in any of the oslo libraries).
> >
> > For those who don't know, oslo[1] is a lot of libraries (27+) so one
> > of my complaints (and one I will try to help make better) is that most
> > people probably don't know what the different 'offerings' of these
> > libraries are or how to use them (docs, tutorials, docs, and more docs).
> >
> > I'll pick another pet-peeve of mine as a second one to get people
> > thinking.
> >
> > 2) The lack of oslo.messaging having a good security scheme (even
> > something basic as a hmac or signature that can be verified, this
> > scares the heck out of me what is possible over RPC) turned on by
> > default so I'd like to start figuring out how to get *something*
> > (basic == HMAC signature, or maybe advanced == barbican or ???)
>  
> Red Herring. We don't need HMAC. We need to make better use of the
> tools in Rabbit.
>  
> 1. Split the vhosts between notifications and control plane. The code
> is in place to do this already, but we need to update the configuration
> tools to make use of that.

I'd agree that this definitely makes sense.

> 2. Drop the default login and password. All services, and all compute
> nodes should get their own Rabbit user and an autogenerated password.
> Even better would be to use Client Certificate validation, but that
> requires a CA.

The OpenStack Ansible project already does this. I'd be surprised if the other deployment projects aren't already doing this. Besides, I'm not certain this is something that oslo/oslo.messaging can enforce.

> 3. We desperately need a CA story.

Like Anchor (https://wiki.openstack.org/wiki/Security/Projects/Anchor, https://git.openstack.org/openstack/anchor)?

--  
Ian Cordasco
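
The broker-side steps listed in the quoted message (separate vhosts for notifications and the control plane, one Rabbit user per service and compute node with an autogenerated password, no default login), as an added example that is not part of the thread and not code from oslo.messaging or any deployment project. The vhost names, account names and permission patterns are assumptions; the script only prints `rabbitmqctl` commands and never contacts a broker.

```shell
#!/bin/sh
# Added example: prints a rabbitmqctl plan for review, executes nothing.
# Vhost and account names below are assumptions, not OpenStack defaults.
CONTROL_VHOST="/control"
NOTIFY_VHOST="/notifications"

# 24 bytes from the kernel CSPRNG, hex-encoded (48 characters).
gen_password() {
    od -An -v -tx1 -N24 /dev/urandom | tr -d ' \n'
}

# plan_account USER VHOST...
# One account per service or node, with rights only on the vhosts named.
# The '.*' patterns grant configure/write/read inside that vhost only;
# tighten them per service once its queue and exchange names are known.
plan_account() {
    user="$1"; shift
    printf 'rabbitmqctl add_user %s %s\n' "$user" "$(gen_password)"
    for vhost in "$@"; do
        printf "rabbitmqctl set_permissions -p %s %s '.*' '.*' '.*'\n" \
            "$vhost" "$user"
    done
}

plan_all() {
    printf 'rabbitmqctl add_vhost %s\n' "$CONTROL_VHOST"
    printf 'rabbitmqctl add_vhost %s\n' "$NOTIFY_VHOST"
    # RPC participants that also emit notifications get both vhosts.
    plan_account nova-api "$CONTROL_VHOST" "$NOTIFY_VHOST"
    plan_account nova-compute-node01 "$CONTROL_VHOST" "$NOTIFY_VHOST"
    # A notification consumer never needs the control-plane vhost.
    plan_account ceilometer-agent "$NOTIFY_VHOST"
    # Remove the default login last, once the new accounts exist.
    printf 'rabbitmqctl delete_user guest\n'
}

# The output contains the generated passwords: treat it as a secret.
plan_all
```

Each generated password also has to reach the matching service's own configuration, so a stolen credential identifies one service or node and can be revoked without touching the rest.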
