[openstack-dev] SSL in Common client
Rob Crittenden
rcritten at redhat.com
Fri May 2 19:06:04 UTC 2014
TL;DR
Work is happening on a unified client library. This provides the
opportunity to rework the way SSL options are handled. Can we discuss
this in one of the sessions at the Atlanta Summit in a few weeks?
https://blueprints.launchpad.net/oslo/+spec/common-client-library-2
outlines a path to a common client library in OpenStack. It is still a
work-in-progress though most projects have some amount included already
in openstack/common/apiclient
If you have some time and aren't familiar with this project, this thread
will bring you up to speed:
http://lists.openstack.org/pipermail/openstack-dev/2014-January/024441.html
Parallel to this effort was
https://wiki.openstack.org/wiki/SecureClientConnections which outlined
an effort to replace httplib{2} with requests which is mostly complete
with the exception of neutronclient and glanceclient which still use
httplib.
I'm trying to get devstack to the point where it can configure all the
services with SSL so it can be be part of the acceptance process. This
is for client communication, there is no expectation that anyone would
deploy native SSL endpoints. For the most part things just work. Most of
the issues I've run into are server to server communication relating to
passing in the CA certificate path.
This leads to two interrelated questions:
1. Given the common client, how much should be done in the interim to
clean things up?
2. How will configuration options be handled for server to server
communication?
Right now each project has its own local copy of the common client but
only exceptions are being used. Is there any guess on how soon the
common HTTP client can be in place? This may drive how much effort is
expended trying to clean up the existing client code.
There are significant, probably well-known differences between the
clients, and in the options available to clients used within several
servers to communicate as clients to other servers (e.g. nova to glance).
Here is a brief taste of what I'm talking about:
heatclient defines get_system_ca_file() which will use the system bundle
as a fallback. It is the only client project that does this.
Heat seems to have the most expansive set of configuration options,
providing a global clients section and service-specific
clients_<service> set of options. See
https://github.com/openstack/heat/blob/master/etc/heat/heat.conf.sample#L589
. It was suggested that this be considered for nova as well.
The nova team is working to consolidate the available CA options into a
single one in https://bugs.launchpad.net/nova/+bug/1299841 but leaves
behind the separate options for insecure connections.
Disabling SSL compression is important to swift and glance and their
clients provide a way to disable it, and each server that calls these
typically have configuration options to manage it (why there are even
options is unclear since the glance and swift server teams really want
this disabled).
How SSL is handled in the configuration files is separate from the
Common Client blueprint. Will there continue to be separate options for
insecure, ssl_compression and ca_certificates or will there be a single,
common option set somewhere, or a mixed bag?
How flexible do the CA certificates need to be? Given the distributed
nature of OpenStack, and the fact that some endpoints may be internal
and others external facing, it might seem reasonable to have separate
options for each service. It is also confusing and repetitive. The
heatclient get_system_ca_file() seems to be the way to go, along with an
override in the service configuration file.
That doesn't really handle compression or insecure though, which still
probably need to be per-service.
I think the heat/heatclient approach is the best, coupled with good
defaults in the common client. I think it should look like:
Common client:
ca_certificates = get_system_ca_file()
insecure = False
ssl_compression = False
Ideally the system CA is configured correctly so there is nothing to do
in the client except pass in a https endpoint.
Each server uses the heat method and defines:
[ client ] (most likely always empty)
[ client_<service> ]
I see are three possible options
ca_certificates_file = /path/to/file
insecure = Boolean
ssl_compression = Boolean
This is the most flexible setup but how one documents it without
confusing people I'm not entirely sure. I think the sample configuration
files should have the entire sections commented out, and heavily, that
these are for overrides only, and only when needed.
Backwards compatibility will be an issue, though the old options can be
deprecated and eventually removed. Or a script can probably be used to
migrate options to the new format.
rob
More information about the OpenStack-dev
mailing list