[Openstack-operators] Restricting API access as "admin" users based on network

Adam Young ayoung at redhat.com
Tue Oct 21 14:23:40 UTC 2014

On 10/20/2014 12:11 AM, Tim Goddard wrote:
> Hello all,
> We have an established OpenStack cloud and as part of a round of security
> hardening would like to add some additional restrictions on the use of "admin"
> permissions.
> In particular, we would like to limit it so that API endpoints requiring admin
> access can only be used from a VPN (known range of source IP addresses). We do
> not want the public-facing APIs to expose these endpoints, even to users with
> the right credentials.
> Has anyone already been through a similar process and have a method or advice
> for us to follow?
 From a Keystone perspective, what you want to do is to user the "admin" 
and "main
  configuration to have each mapped to different interfaces on the HTTPD 
server machine don't try to do this with Eventlet, as Eventlet alone 
doesn't support it.

You'll have to decide what you want to do about Horizon, as the Admin 
operations on Keystone from Horizon are RBAC controlled.  You could run 
two different Horizon instances, one internal and one external, and give 
each a seaprate Auth URL.  Then the Admin port would be hidden from 
Horizon, but I think the admin fields wouls still show up on the Horizon 
portal, just be non-functional.  I'll let some Horizon folks chime in 
with how to deal with that.

Unfortunately, each service defines these things a little differntly, 
and not all fo them run in Eventlet. For the ones that run in Eventlet, 
you'll need to use some form of termination in front of them to bind to 
different interfaces.

> Cheers,
> Tim
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

More information about the OpenStack-operators mailing list