[Openstack-operators] OpenStack Security and Administrative Users

Adam Young ayoung at redhat.com
Thu May 22 04:07:37 UTC 2014

On 05/21/2014 01:49 PM, Mathieu Gagné wrote:
> Hi operators,
> (welcome back from the OpenStack Summit for those I had the chance to 
> meet)
> The OpenStack Security Guide includes some guidelines on how to harden 
> the security of administrative users.
> OpenStack Security Guide (May 21, 2014) on page 81:
>> Administrative users
>> We recommend that admin users authenticate using Identity Service and
>> an external authentication service that supports 2-factor 
>> authentication,
>> such as a certificate. This reduces the risk from passwords that may be
>> compromised. This recommendation is in compliance with NIST 800-53
>> IA-2(1) guidance in the use of multi factor authentication for network
>> access to privileged accounts.
> Can someone provide a reference or documentation on how to accomplish 
> such hardening?
> My concern is that such hardening would:
> - Force ALL users to provide a client certificate if this config is in 
> keystone.conf:
No.  I think that there is no way to say "user cannot authenticate with 
Password"  but you could do  X509 Client cert authentication via mod_nss 
or mod_ssl, and map that users ID to REMOTE_USER, and use the external 
login. They would have a separate Auth URL,

Note that this kindof implies HTTPD.  It might be possible to do this in 
Eventlet, but Python is really poor at doing cryptography, and adding a 
single threaded web server to the mix is probably going to perform poorly.

I'd love it if Admin users could use X509 and/orKerberos across the 
board, but there is not yet support for Kerberos in the clients. That is 
changing soon, though.

>   [token]
>   enforce_token_bind = required  # or x509
Token bind is something different, not for this.
> - Not prevent an administrative user to come up without a valid client 
> certificate if this config is in keystone.conf:
>   [token]
>   enforce_token_bind = permissive
> Or is the actual implementation of the recommendation left as an 
> exercise to the reader? In that case, as an operator, although those 
> recommendations are good to know, they are near impossible to 
> implement without the help of a knowledgeable developer.
> On the other hand, what are you guys doing to protect your 
> administrative and service users from being compromised through the 
> public API?

More information about the OpenStack-operators mailing list