[openstack-dev] [quantum] RPC communication agent to quantum server

Eric Windisch eric at cloudscaling.com
Tue Feb 5 14:47:23 UTC 2013




On Tuesday, February 5, 2013 at 06:19 AM, Gary Kotton wrote:

> On 02/05/2013 04:52 AM, Dan Wendlandt wrote: 
> > 
> > On Mon, Feb 4, 2013 at 8:02 AM, Ravi Chunduru <ravivsn at gmail.com> wrote:
> > > Thanks Gary. 
> > > 
> > > I feel RPC should use keystone authentication else it is a security concern. 
> > 
> > My understanding is that depending on your config, certain of the message bus services used by OpenStack projects for RPC support basic auth, but I was not aware of any that used keystone. Keystone is generally used for authenticating access to the OpenStack REST APIs, either by tenants, admins, or other services (e.g., nova calling quantum).
> 
> Dan, you are correct. Keystone is not used with the RPC.
> 
> If the RPC is a concern then there is a configuration option to set this as encrypted. I have never tried it...

As Gary implied, there is SSL support for RabbitMQ and Kombu. This provides confidentiality, but not confidence.

I own a blueprint to implement signed messaging over RPC to provide confidence. However, it is at risk of missing the window for Grizzly. It is being actively worked on, but we got a late start.

Regards,
Eric Windisch
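
The distinction drawn in this message, shown as an added example that is not part of the original post and not the blueprint's design: SSL protects the link to the broker, while a per-message signature lets the receiver check which key holder produced a message. The per-sender HMAC keys, the envelope fields and the `update_port` method name are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-sender keys (assumption); real keys would be provisioned and rotated.
SENDER_KEYS = {
    "agent-1": b"constructed-key-for-agent-1",
    "agent-2": b"constructed-key-for-agent-2",
}

def _canonical(sender, method, args, msg_id):
    # Stable byte encoding so signer and verifier hash identical input.
    body = {"sender": sender, "method": method, "args": args, "msg_id": msg_id}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_message(sender, key, method, args, msg_id):
    """Build an envelope whose tag covers sender, method, args and msg_id."""
    data = _canonical(sender, method, args, msg_id)
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    return {"sender": sender, "method": method, "args": args,
            "msg_id": msg_id, "sig": tag}

def verify_message(envelope, keys, seen_ids):
    """Return (ok, reason); rejects malformed input, unknown senders,
    bad tags and replayed message ids."""
    try:
        sender, msg_id, sig = envelope["sender"], envelope["msg_id"], envelope["sig"]
        if not all(isinstance(v, str) for v in (sender, msg_id, sig)):
            raise TypeError("sender, msg_id and sig must be strings")
        data = _canonical(sender, envelope["method"], envelope["args"], msg_id)
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    key = keys.get(sender)
    if key is None:
        return False, "unknown sender"
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    # Checked after the tag so unauthenticated traffic cannot fill the cache.
    if msg_id in seen_ids:
        return False, "replay"
    seen_ids.add(msg_id)
    return True, "ok"
```

A message signed with agent-2's key but claiming to come from agent-1 fails verification even though both agents may hold valid credentials for the encrypted broker connection.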





