[openstack-dev] Secure RPC

David Chadwick d.w.chadwick at kent.ac.uk
Fri Nov 9 21:32:05 UTC 2012


On 06/11/2012 13:35, Russell Bryant wrote:

>
> I think we need machine-based signing.  Really, I want machine+role signing.
>
> Some things I'd like to be able to do ...
>
> 1) I want to ensure that only the nova-scheduler service is allowed to
> tell nova-compute services to start a new VM.  Services of another type
> should not be allowed to do this.  Role-based signing would cover this case.


We already have open source code that provides this functionality based
on X.509 ACs, i.e.
i) assign a role securely to an entity
ii) grant an entity the right to do something based on its role

>
> 2) We are in the middle of some work to remove database access from
> nova-compute.  This will likely result in having another service that
> nova-compute works with to get instance state updated as needed.  I'd
> like to be able to ensure that only the nova-compute service hosting a
> given instance can affect that instance's information in the database.
> I do not want another nova-compute service (on a potentially compromised
> host) able to change important details about the instance.  Role-based
> signing is not enough to enforce that.
>

You can do this with role-based authz using a PDP that supports
conditional rules such as:
Grant role nova-compute permission to update instance information IF DN
requester = DN nova host
where you get the DNs from the PKCs of the entities.

regards

David
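As an added illustration of the rule sketched in this reply (this is constructed example code, not any code from the thread or from an OpenStack project), a toy PDP that grants an action only if the requester holds the right role via an attribute certificate bound to its own DN, and, for instance updates, only if the requester's DN equals the DN recorded as the instance's host. The issuer name, DNs and rule list are all constructed assumptions.

```python
"""Toy PDP: role from an X.509-style AC plus a DN-equality condition (constructed)."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class AttributeCertificate:
    """Stand-in for an X.509 AC: binds roles to a holder DN, issued by an attribute authority."""
    holder_dn: str
    roles: frozenset
    issuer_dn: str

@dataclass(frozen=True)
class Request:
    requester_dn: str          # DN taken from the requester's public-key certificate (PKC)
    ac: AttributeCertificate   # role assertion presented with the request
    action: str
    target: dict               # resource attributes, e.g. {"host_dn": "CN=compute1"}

@dataclass
class Rule:
    role: str
    action: str
    condition: Optional[Callable[[Request], bool]] = None  # extra constraint, e.g. DN match

TRUSTED_AC_ISSUERS = {"CN=Nova Attribute Authority"}  # constructed issuer DN

def requester_roles(req: Request) -> frozenset:
    """Roles count only if the AC comes from a trusted issuer and its holder is the requester."""
    ac = req.ac
    if ac.issuer_dn not in TRUSTED_AC_ISSUERS or ac.holder_dn != req.requester_dn:
        return frozenset()   # borrowed or untrusted AC confers nothing
    return ac.roles

def decide(rules, req: Request) -> bool:
    """Permit if some rule matches the action and a held role, and its condition (if any) holds."""
    roles = requester_roles(req)
    for rule in rules:
        if rule.action == req.action and rule.role in roles:
            if rule.condition is None or rule.condition(req):
                return True
    return False

# Constructed policy: scheduler may start VMs; a compute node may update
# instance information only when it is the DN recorded as the instance's host.
RULES = [
    Rule("nova-scheduler", "start_vm"),
    Rule("nova-compute", "update_instance",
         condition=lambda r: r.requester_dn == r.target["host_dn"]),
]
```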



