[openstack-dev] SSL and devstack
Adam Young
ayoung at redhat.com
Mon Oct 29 01:11:18 UTC 2012
On 10/27/2012 04:28 PM, Gabriel Hurley wrote:
> Are you advocating enabling SSL just for Keystone? Or for all services?
I was just talking Keystone. I think that we probably need SSL between
all services, and Horizon should certainly be protected via SSL in a
public deployment, but not necessarily for development: I think that
*not* teaching people to click through the SSL options on Horizon is a
good thing, too.
> I don't think you are (and hope you're not) advocating enabling it by default for Horizon since browsers will throw up the red "untrusted certificate" page and I don't want to train people to click through that.
>
> Moreover, though most of the clients support certificate checking, only some of the clients (keystoneclient included) support checking against a user-specified certificate.
Yes, we will do that as part of this effort. An Openstack deployment
should have all certs under a single CA, something worth doing as part
of Devstack.
> I'm in favor of the work being done to bring all the clients into line there; I'm just putting it forward that right now it's not all there to the best of my knowledge.
>
> - Gabriel
>
>> -----Original Message-----
>> From: Adam Young [mailto:ayoung at redhat.com]
>> Sent: Friday, October 26, 2012 6:17 PM
>> To: OpenStack Development Mailing List
>> Subject: [openstack-dev] SSL and devstack
>>
>> Although SSL in Python is slow, we really should enable it in devstack from
>> here on out. My understanding is that people with live deployments front
>> Keystone with some other SSL terminator. We should thus plan on running
>> the python-keystoneclient code through SSL by default to make sure all SSL
>> issues are shaken out.
>>
>> If you run keystone-manage --pki_setup it generates a CA certificate for
>> you. This is done by default in devstack, in order to get pki tokens to work.
>> However, there are no SSL certificates provided. The config documentation
>> states: "a set of sample certificates is provided in the examples/ssl directory
>> with the Keystone distribution for testing." However, it uses a different CA
>> than the one in the test/signing, so there is no one set of certificates we can
>> provide.
>>
>> I think I would like to add an additional option to the keystone-manage
>> CLI: --ssl_setup. What I would like to do is gather what the requirements for
>> this should be. To start:
>>
>> 1. If no CA is in the path indicated by the config file, generate a self signed
>> one. The assumption is that this code will be common between pki and ssl
>> setup.
>> 2. Use the CA from the above path to sign the ssl certificate.
>>
>> I am assuming that most organizations large enough to have OpenStack have
>> their own Public Key Infrastructure. Thus, the self signed CA and SSL cert
>> should not be the norm. What I am wondering is if there is anything we
>> should be doing for those cases. There is no standard for remotely
>> submitting a Certificate Signing Request (CSR) and getting back a signed
>> certificate. We can generate a CSR based on the hostname of the machine,
>> and that way we know that the certificate is formatted for SSL, but is it really
>> better to write a tool to do this (it is going to be done once every year or
>> thereabouts) or just point the users at decent documentation about how to do it
>> themselves?
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
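The two steps Adam proposes for a `--ssl_setup` (reuse the CA at the configured path or self-sign one if it is missing, then sign a server certificate for the machine's hostname with it), shown as an added example using the plain `openssl` CLI. This is not Keystone's code and not what `keystone-manage` actually does; the directory layout (`certs/`, `private/`), file names and CA subject are assumptions for the example. The final `openssl verify -CAfile` step is the check a client that trusts a user-specified CA would perform against the service certificate.

```shell
#!/bin/sh
# Added example, not Keystone's code: the two-step --ssl_setup idea from the
# thread, done with the openssl CLI. Paths and file names are assumptions.
#   1. If no CA exists under the given directory, generate a self-signed one.
#   2. Use that CA to sign a server certificate whose CN is the hostname.

ssl_setup() {
    dir="$1"        # assumed layout, e.g. /etc/keystone/ssl
    host="$2"       # hostname the service certificate is issued for
    mkdir -p "$dir/certs" "$dir/private"

    # Step 1: reuse an existing CA (same one PKI token signing would use),
    # otherwise create a self-signed CA for development.
    if [ ! -f "$dir/certs/ca.pem" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=Devstack Test CA" \
            -keyout "$dir/private/cakey.pem" -out "$dir/certs/ca.pem" 2>/dev/null
    fi

    # Step 2: server key and a CSR with the hostname as CN, then sign the
    # CSR with the CA from step 1.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/private/keystonekey.pem" -out "$dir/keystone.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/keystone.csr" \
        -CA "$dir/certs/ca.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -out "$dir/certs/keystone.pem" 2>/dev/null
    chmod 600 "$dir/private/"*

    # Check: the service certificate must chain to the CA. This is the same
    # verification a client configured with a user-specified CA file does.
    openssl verify -CAfile "$dir/certs/ca.pem" "$dir/certs/keystone.pem" >/dev/null
}

# Subject CN of a certificate, so the caller can confirm it matches the
# hostname the service is reached under.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Fingerprint of a certificate; used to confirm a second run reused the CA.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Usage: ssl_setup /path/to/ssl "$(hostname -f)"
```

Running `ssl_setup` a second time against the same directory issues a fresh service certificate but leaves the CA untouched, which is the behaviour step 1 asks for: the CA is the stable trust anchor that clients (and, if shared, PKI token validation) pin to, while the service certificate is the part that gets reissued yearly.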