<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 5, 2016 at 2:45 PM, Fox, Kevin M <span dir="ltr"><<a href="mailto:Kevin.Fox@pnnl.gov" target="_blank">Kevin.Fox@pnnl.gov</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
This sounds suspiciously like, "how do you get a secret to the instance to get a secret from the secret store" issue.... :)<br></div></blockquote><div>Yeah, sounds pretty familiar. We were using the nova hooks mechanism for this means, but it was deprecated recently. So bummer :/ <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>
<br>
Nova instance user spec again?<br>
<br>
Thanks,<br>
Kevin <b>
<div><font face="Tahoma" size="2" color="#000000"> </font></div>
</b>
<hr>
<font face="Tahoma" size="2"><b>From:</b> Juan Antonio Osorio<br>
<b>Sent:</b> Tuesday, April 05, 2016 4:07:06 AM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> Re: [openstack-dev] [TripleO] FreeIPA integration<br>
</font><div><div class="h5"><br>
<div></div>
<div>
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Apr 5, 2016 at 11:36 AM, Steven Hardy <span dir="ltr">
<<a href="mailto:shardy@redhat.com" target="_blank">shardy@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>On Sat, Apr 02, 2016 at 05:28:57PM -0400, Adam Young wrote:<br>
> I finally have enough understanding of what is going on with Tripleo to<br>
> reasonably discuss how to implement solutions for some of the main security<br>
> needs of a deployment.<br>
><br>
><br>
> FreeIPA is an identity management solution that can provide support for:<br>
><br>
> 1. TLS on all network communications:<br>
> A. HTTPS for web services<br>
> B. TLS for the message bus<br>
> C. TLS for communication with the Database.<br>
> 2. Identity for all Actors in the system:<br>
> A. API services<br>
> B. Message producers and consumers<br>
> C. Database consumers<br>
> D. Keystone service users<br>
> 3. Secure DNS DNSSEC<br>
> 4. Federation Support<br>
> 5. SSH Access control to Hosts for both undercloud and overcloud<br>
> 6. SUDO management<br>
> 7. Single Sign On for Applications running in the overcloud.<br>
><br>
><br>
> The main pieces of FreeIPA are<br>
> 1. LDAP (the 389 Directory Server)<br>
> 2. Kerberos<br>
> 3. DNS (BIND)<br>
> 4. Certificate Authority (CA) server (Dogtag)<br>
> 5. WebUI/Web Service Management Interface (HTTPD)<br>
><br>
> Of these, the CA is the most critical. Without a centralized CA, we have no<br>
> reasonable way to do certificate management.<br>
><br>
> Now, I know a lot of people have an allergic reaction to some, maybe all, of<br>
> these technologies. They should not be required to be running in a<br>
> development or testbed setup. But we need to make it possible to secure an<br>
> end deployment, and FreeIPA was designed explicitly for these kinds of<br>
> distributed applications. Here is what I would like to implement.<br>
><br>
> Assuming that the Undercloud is installed on a physical machine, we want to<br>
> treat the FreeIPA server as a managed service of the undercloud that is then<br>
> consumed by the rest of the overcloud. Right now, there are conflicts for<br>
> some ports (8080 used by both swift and Dogtag) that prevent a drop-in run<br>
> of the server on the undercloud controller. Even if we could deconflict,<br>
> there is a possible battle between Keystone and the FreeIPA server on the<br>
> undercloud. So, while I would like to see the ability to run the FreeIPA<br>
> server on the Undercloud machine eventuall, I think a more realistic<br>
> deployment is to build a separate virtual machine, parallel to the overcloud<br>
> controller, and install FreeIPA there. I've been able to modify Tripleo<br>
> Quickstart to provision this VM.<br>
<br>
</div>
</div>
IMO these services shouldn't be deployed on the undercloud - we only<br>
support a single node undercloud, and atm it's completely possible to take<br>
the undercloud down without any impact to your deployed cloud (other than<br>
losing the ability to manage it temporarily).<br>
</blockquote>
<div>This is fair enough, however, for CI purposes, would it be acceptable to deploy it there? Or where do you recommend we have it?
<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
These auth pieces all appear critical to the operation of the deployed<br>
cloud, thus I'd assume you really want them independently managed (probably<br>
in an HA configuration on multiple nodes)?<br>
<br>
So, I'd say we support one of:<br>
<br>
1. Document that FreeIPA must exist, installed by existing non-TripleO<br>
tooling<br>
<br>
2. Support a heat template (in addition to overcloud.yaml) that can deploy<br>
FreeIPA.<br>
<br>
I feel like we should do (1), as it fits better with the TripleO vision<br>
(which is to deploy OpenStack), and it removes the need for us to maintain<br>
a bunch of non-openstack stuff.<br>
<br>
The path I'm imagining is we have a documented integration with FreeIPA,<br>
and perhaps some third-party CI, but we don't support deploying these<br>
pieces directly via TripleO.</blockquote>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span><br>
> I was also able to run FreeIPA in a container on the undercloud machine, but<br>
> this is, I think, not how we want to migrate to a container based strategy.<br>
> It should be more deliberate.<br>
><br>
><br>
> While the ideal setup would be to install the IPA layer first, and create<br>
> service users in there, this produces a different install path between<br>
> with-FreeIPA and without-FreeIPA. Thus, I suspect the right approach is to<br>
> run the overcloud deploy, then "harden" the deployment with the FreeIPA<br>
> steps.<br>
<br>
</span>I think we should require the IPA layer to be installed first - I mean<br>
isn't it likely in many (most?) production environments that these services<br>
already exist?<br>
<br>
This simplifies things, because then you just pass inputs from the existing<br>
proven IPA environment in as a tripleo/heat environment file - same model<br>
we already support for all kinds of vendor integration, SSL etc etc.<br>
<span><br>
> The IdM team did just this last summer in preparing for the Tokyo summit,<br>
> using Ansible and Packstack. The Rippowam project<br>
> <a href="https://github.com/admiyo/rippowam" rel="noreferrer" target="_blank">https://github.com/admiyo/rippowam</a> was able to fully lock down a Packstack<br>
> based install. I'd like to reuse as much of Rippowam as possible, but<br>
> called from Heat Templates as part of an overcloud deploy. I do not really<br>
> want to re implement Rippowam in Puppet.<br>
><br>
> So, big question: is Heat->ansible (instead of Puppet) for an overcloud<br>
> deployment an acceptable path? We are talking Ansible 1.0 Playbooks, which<br>
> should be relatively straightforward ports to 2.0 when the time comes.<br>
<br>
</span>In short, no. I don't see how you can do the hardening with ansible,<br>
unless you're proposing to reimplement the entire overcloud deployment in<br>
the same tool.<br>
<br>
The data required to configure the OpenStack services should be passed in<br>
via an environment file, e.g<br>
<br>
openstack overcloud deploy --templates -e ipa-params.yaml<br>
<br>
Then all the data from ipa-params.yaml should be mapped into hieradata<br>
which puppet then uses to configure the OpenStack services appropriately -<br>
this is the same model we support for integration with everything atm.<br>
<br>
While it's technically possible to configure an overcloud, then reconfigure<br>
it with some other tool (or even manually), you get the worst of all worlds<br>
doing this - you modify things out-of-band (from a TripleO perspective) so<br>
that all your changed get destroyed every overcloud update, and you run the<br>
risk of "config management split brain" where e.g puppet configures a<br>
service disabled, then ansible starts it or whatever.<br>
<span><br>
> Thus, the sequence would be:<br>
><br>
> 1. Run existing overcloud deploy steps.<br>
> 2. Install IPA server on the allocated VM<br>
> 3. Register the compute nodes and the controller as IPA clients<br>
> 4. Convert service users over to LDAP backed services, complete with<br>
> necessary kerberos steps to do password-less authentication.<br>
> 5. Register all web services with IPA and allocate X509 certificates for<br>
> HTTPS.<br>
> 6. Set up Host based access control (HBAC) rules for SSH access to overcloud<br>
> machines.<br>
<br>
</span>This should be:<br>
<br>
1. Install and validate IPA server $somewhere<br>
2. Generate environment file with parameters (this could be automated)<br>
3. Install overcloud passing in environment file with IPA $stuff<br>
4. Done<br>
</blockquote>
<div>This is an acceptable solution IMO and was according to what I was thinking. It will also be easier to setup the overcloud with FreeIPA specific configurations once we have the composable services work done.<br>
<br>
</div>
<div>To me, the biggest interrogation is what the value of that $somewhere is. To me, for testing purposes it seemed acceptable to have FreeIPA running in the same node as the undercloud. And in production it would be a separate node (or set of nodes).
<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Basically *anything* touching the overcloud configuration should happen via<br>
puppet in our current architecture, which I think means (4) and (5).<br>
<br>
I'm less clear about (3) - this sounds like an IPA admin action, can it be<br>
done before deploying the overcloud, or do we need each node to register<br>
itself?<br>
</blockquote>
<div>The nodes need to get the IPA client installation which pretty much involves enrollment. For this, they need to have some type of credentials. So this is the main thing Rob is working towards. To have a safe method to pass credentials to the nodes, and
have them autoregister to FreeIPA. <br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Similarly not sure about (6), probably need more info about what that<br>
entails.<br>
<span><br>
> When we did the Rippowam demo, we used the Proton driver and Kerberos for<br>
> securing the message broker. Since Rabbit seems to be the tool of choice,<br>
> we would use X509 authentication and TLS for encryption. ACLs, for now,<br>
> would stay in the flat file format. In the future, we might chose to use<br>
> the LDAP backed ACLs for Rabbit, as they seem far more flexible. Rabbit<br>
> does not currently support Kerberos for either authentication or encryption,<br>
> but we can engage the upstream team to implement it if desired in the<br>
> future, or we can shift to a Proton based deployment if Kerberos is<br>
> essential for a deployment.<br>
><br>
><br>
> There are a couple ongoing efforts that will tie in with this:<br>
><br>
> 1. Designate should be able to use the DNS from FreeIPA. That was the<br>
> original implementation.<br>
><br>
> 2. Juan Antonio Osorio has been working on TLS everywhere. The issue thus<br>
> far has been Certificate management. This provides a Dogtag server for<br>
> Certs.<br>
><br>
> 3. Rob Crittenden has been working on auto-registration of virtual machines<br>
> with an Identity Provider upon launch. This gives that efforts an IdM to<br>
> use.<br>
<br>
</span>Aha, this may be the answer to (3) above? E.g the discussion around nova<br>
hooks?<br>
<span><br>
> 4. Keystone can make use of the Identity store for administrative users in<br>
> their own domain.<br>
><br>
> 5. Many of the compliance audits have complained about cleartext passwords<br>
> in config files. This removes most of them. MySQL supports X509 based<br>
> authentication today, and there is Kerberos support in the works, which<br>
> should remove the last remaining cleartext Passwords.<br>
><br>
> I mentioned Centralized SUDO and HBAC. These are both tools that may be<br>
> used by administrators if so desired on the install. I would recommend that<br>
> they be used, but there is no requirement to do so.<br>
<br>
</span>Overall this sounds like a bunch of functionality we want, but I think the<br>
integration requires more discussion (possibly at summit?) - my main<br>
concern is that we integrate in a manner appropriate to our existing<br>
implementation, and that we don't inadvertently make the undercloud a<br>
mission-critical component, when it current is not. </blockquote>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Thanks,<br>
<br>
Steve<br>
<div>
<div><br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">
OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>
<div dir="ltr">
<div><font style="font-family:arial narrow,sans-serif;color:rgb(102,102,102)" size="2">Juan Antonio Osorio R.<br>
e-mail: <a href="mailto:jaosorior@gmail.com" target="_blank">jaosorior@gmail.com</a><br>
</font><font style="font-family:arial narrow,sans-serif;color:rgb(102,102,102)" size="2"><br>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div></div></div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><font style="font-family:arial narrow,sans-serif;color:rgb(102,102,102)" size="2">Juan Antonio Osorio R.<br>e-mail: <a href="mailto:jaosorior@gmail.com" target="_blank">jaosorior@gmail.com</a><br></font><font style="font-family:arial narrow,sans-serif;color:rgb(102,102,102)" size="2"><br></font></div></div></div>
</div></div>