[Openstack-operators] Restricting API access as "admin" users based on network
matt at nycresistor.com
Tue Oct 21 17:00:19 UTC 2014
My guess is Horizon admin panels would bomb out... but it would be trivial
to replace the admin panels with a warning page.
On Tue, Oct 21, 2014 at 10:23 AM, Adam Young <ayoung at redhat.com> wrote:
> On 10/20/2014 12:11 AM, Tim Goddard wrote:
>> Hello all,
>> We have an established OpenStack cloud and as part of a round of security
>> hardening would like to add some additional restrictions on the use of
>> In particular, we would like to limit it so that API endpoints requiring
>> access can only be used from a VPN (known range of source IP addresses).
>> We do
>> not want the public-facing APIs to expose these endpoints, even to users
>> the right credentials.
>> Has anyone already been through a similar process and have a method or
>> for us to follow?
> From a Keystone perspective, what you want to do is to use the "admin"
> and "main
> configuration to have each mapped to different interfaces on the HTTPD
> server machine. Don't try to do this with Eventlet, as Eventlet alone
> doesn't support it.
> You'll have to decide what you want to do about Horizon, as the Admin
> operations on Keystone from Horizon are RBAC controlled. You could run two
> different Horizon instances, one internal and one external, and give each a
> separate Auth URL. Then the Admin port would be hidden from Horizon, but I
> think the admin fields would still show up on the Horizon portal, just be
> non-functional. I'll let some Horizon folks chime in with how to deal with
> Unfortunately, each service defines these things a little differently, and
> not all of them run in Eventlet. For the ones that run in Eventlet, you'll
> need to use some form of termination in front of them to bind to different
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
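The split Adam describes (Keystone's "admin" and "main" pipelines served from different interfaces under HTTPD, with the admin side reachable only from the VPN range) can be expressed as two Apache 2.4 virtual hosts. The configuration below is an added example, not something posted in the thread or shipped by Keystone; the interface addresses (203.0.113.10 public, 10.8.0.1 VPN-facing), the VPN client range 10.8.0.0/24, the WSGI script paths under /var/www/cgi-bin/keystone/ and the log paths are all placeholders to adjust for a real deployment.

```apache
# Added example (not from the thread): Keystone "main" and "admin" pipelines
# as two Apache vhosts bound to different interfaces.
# Assumed addresses and paths (placeholders): public interface 203.0.113.10,
# VPN-facing interface 10.8.0.1, VPN client range 10.8.0.0/24, WSGI scripts
# in /var/www/cgi-bin/keystone/{main,admin}.

# Bind each port to one interface only, rather than 0.0.0.0.
Listen 203.0.113.10:5000
Listen 10.8.0.1:35357

# Public endpoint: the "main" pipeline only. No admin pipeline is exposed here.
<VirtualHost 203.0.113.10:5000>
    WSGIDaemonProcess keystone-main user=keystone group=keystone processes=4 threads=4
    WSGIProcessGroup keystone-main
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIPassAuthorization On
    ErrorLog /var/log/httpd/keystone-main-error.log
    CustomLog /var/log/httpd/keystone-main-access.log combined
</VirtualHost>

# Admin endpoint: bound only to the VPN-facing interface, and additionally
# restricted to the VPN client range so a routing or firewall mistake
# cannot expose it even though the socket is not on the public interface.
<VirtualHost 10.8.0.1:35357>
    WSGIDaemonProcess keystone-admin user=keystone group=keystone processes=4 threads=4
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIPassAuthorization On
    <Location />
        # Apache 2.4 syntax; on 2.2 the equivalent is Order/Allow from.
        Require ip 10.8.0.0/24
    </Location>
    ErrorLog /var/log/httpd/keystone-admin-error.log
    CustomLog /var/log/httpd/keystone-admin-access.log combined
</VirtualHost>
```

Two checks go with this: the adminURL entries in the Keystone service catalog must point at the VPN-facing address, otherwise clients that follow the catalog will be handed an endpoint they cannot reach; and after reloading Apache, confirm from a host outside the VPN that port 35357 is closed while port 5000 still answers, since the `Listen` binding is what removes the admin socket from the public interface and the `Require ip` rule is only the second layer.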