[Openstack-operators] OpenStack Security and Administrative Users

Mathieu Gagné mgagne at iweb.com
Wed May 21 17:49:50 UTC 2014

Hi operators,

(welcome back from the OpenStack Summit for those I had the chance to meet)

The OpenStack Security Guide includes some guidelines on how to harden 
the security of administrative users.

OpenStack Security Guide (May 21, 2014) on page 81:

> Administrative users
> We recommend that admin users authenticate using Identity Service and
> an external authentication service that supports 2-factor authentication,
> such as a certificate. This reduces the risk from passwords that may be
> compromised. This recommendation is in compliance with NIST 800-53
> IA-2(1) guidance in the use of multi factor authentication for network
> access to privileged accounts.

Can someone provide a reference or documentation on how to accomplish 
such hardening?

My concern is that such hardening would:

- Force ALL users to provide a client certificate if this config is in 

   enforce_token_bind = required  # or x509

- Not prevent an administrative user from coming up without a valid client 
certificate if this config is in keystone.conf:

   enforce_token_bind = permissive

Or is the actual implementation of the recommendation left as an 
exercise to the reader? In that case, as an operator, although those 
recommendations are good to know, they are near impossible to implement 
without the help of a knowledgeable developer.

On the other hand, what are you guys doing to protect your 
administrative and service users from being compromised through the 
public API?

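One way to see the two concerns above concretely, as an added example that is not part of the original post or of Keystone's code base: the model below reproduces the documented behaviour of the `[token] enforce_token_bind` modes (`disabled`, `permissive`, `strict`, `required`, and a named type such as `x509`) so that an operator can test what happens to an unbound admin token under each setting. The token and request shapes, the `SSL_CLIENT_*` environment keys, and the verifier functions are this example's own assumptions, not Keystone's API.

```python
# Added example (not from the original post or from Keystone's code base):
# a small model of how the enforce_token_bind setting decides whether a
# token is accepted. Semantics follow the documented modes:
#   disabled            - no bind check at all
#   permissive / strict - verify a bind only if the token carries one
#   required            - the token must carry some bind
#   <named type>, x509  - the token must carry that specific bind type
# The verifier callables and the request/token shapes are assumptions.

from typing import Callable, Dict, Optional


class TokenBindError(Exception):
    """Raised when a token fails the bind check (Keystone would answer 401)."""


# A verifier receives the identifier stored in the token's bind section and
# the WSGI-style request environment and returns True when they match.
BindVerifier = Callable[[str, Dict[str, str]], bool]


def _verify_kerberos(identifier: str, environ: Dict[str, str]) -> bool:
    # Assumption: a Negotiate-authenticated request exposes REMOTE_USER.
    return (environ.get("AUTH_TYPE", "").lower() == "negotiate"
            and environ.get("REMOTE_USER") == identifier)


def _verify_x509(identifier: str, environ: Dict[str, str]) -> bool:
    # Assumption: the TLS terminator verifies the client certificate and
    # exposes its subject DN in SSL_CLIENT_S_DN (constructed key names).
    return (environ.get("SSL_CLIENT_VERIFY") == "SUCCESS"
            and environ.get("SSL_CLIENT_S_DN") == identifier)


KNOWN_BINDS: Dict[str, BindVerifier] = {
    "kerberos": _verify_kerberos,
    "x509": _verify_x509,
}


def check_token_bind(enforce_token_bind: str,
                     token_bind: Optional[Dict[str, str]],
                     environ: Dict[str, str],
                     verifiers: Dict[str, BindVerifier] = KNOWN_BINDS) -> bool:
    """Return True if the token passes the bind check, else raise TokenBindError.

    enforce_token_bind: the keystone.conf [token] enforce_token_bind value.
    token_bind: the token's bind section, e.g. {"x509": "CN=admin"}, or None.
    environ: the request environment seen by the API service.
    """
    mode = enforce_token_bind
    if mode == "disabled":
        return True
    permissive = mode in ("permissive", "strict")
    if not token_bind:
        # permissive/strict only verify binds that are present; required and
        # named modes refuse an unbound token outright, whoever presents it.
        if permissive:
            return True
        raise TokenBindError("token has no bind but mode %r requires one" % mode)
    if not permissive and mode != "required" and mode not in token_bind:
        raise TokenBindError("token is not bound with the required %r type" % mode)
    for bind_type, identifier in token_bind.items():
        verifier = verifiers.get(bind_type)
        if verifier is None:
            if mode == "permissive":
                continue  # unknown bind types are tolerated only in permissive mode
            raise TokenBindError("unknown bind type %r" % bind_type)
        if not verifier(identifier, environ):
            raise TokenBindError("bind %r does not match the request" % bind_type)
    return True


def accepted(enforce_token_bind: str,
             token_bind: Optional[Dict[str, str]],
             environ: Dict[str, str]) -> bool:
    """Convenience wrapper returning False instead of raising."""
    try:
        return check_token_bind(enforce_token_bind, token_bind, environ)
    except TokenBindError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs illustrating the two concerns from the post.
    unbound_admin_token = None
    cert_env = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": "CN=admin"}
    print("x509 mode, unbound token:", accepted("x509", unbound_admin_token, {}))
    print("permissive mode, unbound token:", accepted("permissive", unbound_admin_token, {}))
    print("x509 mode, x509-bound token with cert:",
          accepted("x509", {"x509": "CN=admin"}, cert_env))
```

Run as written, the first call shows that `required` or `x509` rejects every unbound token regardless of the user's role, the second shows that `permissive` lets an unbound admin token through, and the third shows the bound-token path that the guide's recommendation relies on. The mode is a single global switch in this model, which is exactly why the setting alone cannot express "administrators only".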