[openstack-dev] SSL in Common client

Adam Young ayoung at redhat.com
Fri May 2 19:14:16 UTC 2014


On 05/02/2014 03:06 PM, Rob Crittenden wrote:
> TL;DR
>
> Work is happening on a unified client library. This provides the 
> opportunity to rework the way SSL options are handled. Can we discuss 
> this in one of the sessions at the Atlanta Summit in a few weeks?
>
>

Good survey, thanks.

> https://blueprints.launchpad.net/oslo/+spec/common-client-library-2 
> outlines a path to a common client library in OpenStack. It is still a 
> work-in-progress though most projects have some amount included 
> already in openstack/common/apiclient
>
> If you have some time and aren't familiar with this project, this 
> thread will bring you up to speed: 
> http://lists.openstack.org/pipermail/openstack-dev/2014-January/024441.html
>
> Parallel to this effort was 
> https://wiki.openstack.org/wiki/SecureClientConnections which outlined 
> an effort to replace httplib{2} with requests which is mostly complete 
> with the exception of neutronclient and glanceclient which still use 
> httplib.
>
> I'm trying to get devstack to the point where it can configure all the 
> services with SSL so it can be be part of the acceptance process. This 
> is for client communication, there is no expectation that anyone would 
> deploy native SSL endpoints. For the most part things just work. Most 
> of the issues I've run into are server to server communication 
> relating to passing in the CA certificate path.
>
> This leads to two interrelated questions:
>
> 1. Given the common client, how much should be done in the interim to 
> clean things up?
> 2. How will configuration options be handled for server to server 
> communication?
>
> Right now each project has its own local copy of the common client but 
> only exceptions are being used. Is there any guess on how soon the 
> common HTTP client can be in place? This may drive how much effort is 
> expended trying to clean up the existing client code.
>
> There are significant, probably well-known differences between the 
> clients, and in the options available to clients used within several 
> servers to communicate as clients to other servers (e.g. nova to glance).
>
> Here is a brief taste of what I'm talking about:
>
> heatclient defines get_system_ca_file() which will use the system 
> bundle as a fallback. It is the only client project that does this.
I like this.  We should probably use it in Keystone.

>
> Heat seems to have the most expansive set of configuration options, 
> providing a global clients section and service-specific 
> clients_<service> set of options. See 
> https://github.com/openstack/heat/blob/master/etc/heat/heat.conf.sample#L589 
> . It was suggested that this be considered for nova as well.
Not surprised they have the best perspective, since they talk to just 
about every other service.

>
> The nova team is working to consolidate the available CA options into 
> a single one in https://bugs.launchpad.net/nova/+bug/1299841 but 
> leaves behind the separate options for insecure connections.
>
> Disabling SSL compression is important to swift and glance and their 
> clients provide a way to disable it, and each server that calls these 
> typically have configuration options to manage it (why there are even 
> options is unclear since the glance and swift server teams really want 
> this disabled).
>
Did swift leave this behind when they switched to Requests?


> How SSL is handled in the configuration files is separate from the 
> Common Client blueprint. Will there continue to be separate options 
> for insecure, ssl_compression and ca_certificates or will there be a 
> single, common option set somewhere, or a mixed bag?
>
> How flexible do the CA certificates need to be? Given the distributed 
> nature of OpenStack, and the fact that some endpoints may be internal 
> and others external facing, it might seem reasonable to have separate 
> options for each service. It is also confusing and repetitive. The 
> heatclient get_system_ca_file() seems to be the way to go, along with 
> an override in the service configuration file.
>
> That doesn't really handle compression or insecure though, which still 
> probably need to be per-service.
>
> I think the heat/heatclient approach is the best, coupled with good 
> defaults in the common client. I think it should look like:
>
> Common client:
>  ca_certificates = get_system_ca_file()
>  insecure = False
>  ssl_compression = False
>
> Ideally the system CA is configured correctly so there is nothing to 
> do in the client except pass in a https endpoint.
>
> Each server uses the heat method and defines:
>
>  [ client ] (most likely always empty)
>
>  [ client_<service> ]
>
> I see are three possible options
>
>   ca_certificates_file = /path/to/file
>   insecure = Boolean
>   ssl_compression = Boolean
>
>
> This is the most flexible setup but how one documents it without 
> confusing people I'm not entirely sure. I think the sample 
> configuration files should have the entire sections commented out, and 
> heavily, that these are for overrides only, and only when needed.
>
> Backwards compatibility will be an issue, though the old options can 
> be deprecated and eventually removed. Or a script can probably be used 
> to migrate options to the new format.


>
> rob
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




More information about the OpenStack-dev mailing list