[openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

Matthew Thode prometheanfire at gentoo.org
Mon Nov 2 17:49:01 UTC 2015


On 11/02/2015 08:11 AM, Jesse Pretorius wrote:
> On 29 October 2015 at 12:43, Major Hayden <major at mhtx.net> wrote:
> 
>> On 10/29/2015 04:33 AM, McPeak, Travis wrote:
>>> The only potential security drawback is that we are introducing a new
>>> asset to protect.  If we create the tools that enable a deployer to
>>> easily create and administer a lightweight CA, that should add
>>> significant value to OpenStack, especially for smaller organizations
>>> that don't have experience running a CA.
>>
>> This is certainly true.  However, I'd like to solve for the use of
>> self-signed SSL certificates in openstack-ansible first.
>>
>> At the moment, each self-signed certificate for various services is
>> generated within each role.  The goal would be to make a CA at the
>> beginning and then allow roles to utilize another role/task to issue
>> certificates from that CA.  The CA would most likely be located on the
>> deployment host.
>>
>> Deployers who are very security conscious can provide keys, certificates,
>> and CA certificates in the deployment configuration and those will be used
>> instead of generating self-signed certificates.
>>
> 
> I would argue that self-signed certificates only provide an illusion of
> security and the tasks we have to generate and distribute them should be
> removed entirely. My thinking is that if a deployer wants to use
> self-signed certs, then the deployer can create them and provide their
> details as user-provided certs. That way we can do without a whole block of
> code and the dependency on memcache for distribution. This makes the
> decision to use the self-signed certs a more deliberate one and also takes
> care of the complexity of certificate distribution.
> 
> That said, I applaud the idea of using a CA role. There are a few in
> Ansible Galaxy, but I've found their implementations to be rather complex
> whereas I think they can be pretty simple. I have actually done a fair
> amount of work on the CA setup part of things in my not-yet-complete
> ansible-openvas role [1]. You are welcome to use this work as a starting
> base and develop a role which sets up a CA. The trouble I found when
> looking into how to do this properly was that there should be several CAs
> (one offline primary and more than one secondary which actually does the
> signing). This will mean that the role will require quite a bit of guidance
> for using it correctly and setting up a single CA or multi-CA environment.
> 
> Whether you develop a new role for the OpenStack-Ansible toolbox, or
> develop documentation for consuming an existing role in Ansible Galaxy, the
> concept is certainly welcome and would go a long way to simplifying a
> secure-by-default implementation of OpenStack.
> 
> [1]
> https://github.com/odyssey4me/ansible-openvas/blob/master/tasks/install_openssl_ca.yml
> 
> ---
> Jesse
> IRC: odyssey4me
> 
I think doing a self-signed CA can work fine, especially if the private
details are kept on the deployment host.  The specific scenario I
envision is that you provide a subca / key / passphrase to ansible and
ansible uses that info to generate certs/keys for distribution.  This is
similar to Puppet's external CA setup I think.

-- 
-- Matthew Thode (prometheanfire)
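The layout discussed in this thread (an offline primary CA, a passphrase-protected signing sub-CA handed to the deployment host, and service certs issued only from that sub-CA), as an added shell example that is not code from openstack-ansible or the ansible-openvas role. It uses only the openssl CLI; the names, file paths and passphrase are constructed placeholders, and `pass:` is used for the passphrase purely for brevity.

```shell
# Added example (not openstack-ansible code): offline root, passphrase-protected
# signing sub-CA, leaf certs issued only by the sub-CA. All names, paths and the
# passphrase below are constructed placeholders.
set -e
# One extension profile per tier; pathlen:0 stops the sub-CA from minting CAs.
write_ext_config() {
  cat > "$1/ext.cnf" <<'EOF'
[v3_root]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
[v3_subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}
# $1=dir $2=passphrase. "pass:" is used for brevity; a real deployment should
# feed the passphrase via file: or env: so it never shows up in ps output.
make_ca_hierarchy() {
  d="$1"; p="$2"; mkdir -p "$d"; write_ext_config "$d"
  openssl req -new -newkey rsa:2048 -subj "/CN=Example Offline Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" -passout "pass:$p" 2>/dev/null
  openssl x509 -req -days 3650 -in "$d/root.csr" -signkey "$d/root.key" -passin "pass:$p" \
    -extfile "$d/ext.cnf" -extensions v3_root -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -subj "/CN=Example Signing Sub-CA" \
    -keyout "$d/subca.key" -out "$d/subca.csr" -passout "pass:$p" 2>/dev/null
  openssl x509 -req -days 1825 -in "$d/subca.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -passin "pass:$p" -CAcreateserial -extfile "$d/ext.cnf" -extensions v3_subca \
    -out "$d/subca.crt" 2>/dev/null
}
# $1=dir $2=sub-CA passphrase $3=service hostname. Only subca.* is used here, so
# the root key can stay offline once the sub-CA exists.
issue_service_cert() {
  d="$1"; p="$2"; h="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$h" \
    -keyout "$d/$h.key" -out "$d/$h.csr" 2>/dev/null
  { cat "$d/ext.cnf"; printf 'subjectAltName = DNS:%s\n' "$h"; } > "$d/$h.cnf"
  openssl x509 -req -days 365 -in "$d/$h.csr" -CA "$d/subca.crt" -CAkey "$d/subca.key" \
    -passin "pass:$p" -CAcreateserial -extfile "$d/$h.cnf" -extensions v3_server \
    -out "$d/$h.crt" 2>/dev/null
  cat "$d/$h.crt" "$d/subca.crt" > "$d/$h.chain.crt"   # what the service would serve
}
# Exit 0 only if the leaf chains to the root through the sub-CA.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/subca.crt" "$1/$2.crt" >/dev/null 2>&1
}
```

Call `make_ca_hierarchy DIR PASS` once on the deployment host, then `issue_service_cert DIR PASS HOST` per service; clients only need `root.crt`, while each service must present its `HOST.chain.crt` because the leaf does not verify against the root alone.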
