[Openstack-security] Openstackid sec question

Marton Kiss marton.kiss at gmail.com
Mon Oct 20 18:14:38 UTC 2014


Dear all,

The short story is that we want to move from login.launchpad.net to an infra
hosted solution at openstackid.org, so the plan is that the infra team will
operate the service in the future. The advantage of this service over the
existing one is that it is directly connected with the openstack.org profile
database, so it can be the basic source of profile and auth data for all
OpenStack services.

The service behind openstackid.org has been written by a third party, and
it is based on the PHP/Laravel framework. The source code is accessible at
https://github.com/openstack-infra/openstackid, and all of the deployment
scripts are available in the openstack-infra/system-config repo.

As this service will handle authentication and membership data, I want to
ask whether any of you, as a member of the OpenStack security team, would like
to suggest some extra hardening or security-related advice to lower the
possible security risks of operating such a service.

We have several options in mind:
a, put a simple Cloudflare service in front of openstackid.org to filter
out well-known patterns as a hosted solution
b, put a mod_security instance hosted by us in front of openstackid.org
c, do a code audit on the openstackid source code
d, trust the code and open up the service without any other security
consideration

I appreciate all your feedback on this topic.

Brgds,
  Marton Kiss