[openstack-dev] [nova][keystone] Message Queue Security

Simo Sorce simo at redhat.com
Tue Apr 30 12:36:06 UTC 2013


On Tue, 2013-04-30 at 13:34 +0100, Mark McLoughlin wrote:
> On Tue, 2013-04-30 at 08:27 -0400, Simo Sorce wrote:
> > On Tue, 2013-04-30 at 12:03 +0100, Mark McLoughlin wrote:
> > > Hi Simo,
> > > 
> > > On Thu, 2013-04-25 at 08:37 -0400, Simo Sorce wrote:
> > > > Hello list,
> > > > at the Summit we had a very interesting and productive discussion about
> > > > Message Signing/Encryption for RPC Messages sent via the Message Queue.
> > > > 
> > > > I would like to present a proposal that uses symmetric keys and a
> > > > central key server to address the problem:
> > > > 
> > > > https://wiki.openstack.org/wiki/MessageSecurity
> > > > 
> > > > I would really like to get feedback on the proposal, especially if there
> > > > are corner cases I have not considered.
> > > 
> > > I admit I haven't spent much time considering all aspects of this, but
> > > from a high level I like the idea and your diligence.
> > > 
> > > I'm working on a proposal for a redesign of the messaging API:
> > > 
> > >   https://wiki.openstack.org/wiki/Oslo/Messaging
> > > 
> > > I don't think this will affect your design in any way, and I don't think
> > > your proposal changes the API design ... so that's all goodness.
> > > 
> > > One thing I've just realized we haven't taken into account is
> > > notifications. There's probably a lot of value (to ceilometer at least,
> > > I'd imagine) in using public-key encryption to sign those messages since
> > > they are being broadcast to the world and there's no concept of the
> > > sender knowing who the message is being sent to.
> > > 
> > > Maybe solving the notification signing issue is orthogonal to RPC
> > > signing and encryption, but had you any thoughts on it?
> > 
> > I was under the impression that broadcasting to the world is a bad idea.
> 
> Ok, "broadcasting on a message bus that requires credentials to access".
> 
> An example would be a cloud operators fault analysis tool listening on
> the bus for error events, applying some logic and alerting the right
> people.

I think just for detection you could simply ignore signing and rely on
the message queue ?
Do you need to protect from spoofing for this task ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York




More information about the OpenStack-dev mailing list