[openstack-dev] [nova] Minimal secure identification of a new VM

Adam Young ayoung at redhat.com
Tue Apr 5 22:00:55 UTC 2016


We have a use case where we want to register a newly spawned Virtual 
machine with an identity provider.

Heat also has a need to provide some form of Identity for a new VM.


Looking at the set of utilities right now, there does not seem to be a 
secure way to do this.  Injecting files does not provide a path that 
cannot be seen by other VMs or machines in the system.

For our use case, a short lived One-Time-Password is sufficient, but for 
others, I think asymmetric key generation makes more sense.

Is the following possible:

1.  In cloud-init, the VM generates a Keypair, then notifies the Nova 
infrastructure (somehow) that it has done so.

2.  Nova Compute reads the public Key off the device and sends it to 
conductor, which would then associate the public key with the server?

3.  A third party system could then validate the association of the 
public key and the server, and build a workflow based on some signed 
document from the VM?
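The three steps above, worked through end to end as an added example. This is not code from the original post, from Nova, or from cloud-init; it is a stand-alone Go simulation of the three parties. It assumes Ed25519 keys, an in-memory map standing in for the conductor-side "server -> public key" association of step 2, and a challenge nonce issued by the verifying party in step 3 so that a captured signed document cannot be replayed against it. The nonce, the message framing, and all type and function names are assumptions of this example, not anything the proposal above specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Guest plays the VM (step 1): under cloud-init it generates a keypair and the
// private half never leaves the guest, so nothing secret has to be injected.
type Guest struct {
	ServerID string
	priv     ed25519.PrivateKey
	pub      ed25519.PublicKey
}

func NewGuest(serverID string) (*Guest, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Guest{ServerID: serverID, priv: priv, pub: pub}, nil
}

// PublicKey is what nova-compute would read off the device (step 2).
func (g *Guest) PublicKey() ed25519.PublicKey { return g.pub }

// Sign produces the "signed document" of step 3 over a challenge nonce.
func (g *Guest) Sign(nonce string) []byte {
	return ed25519.Sign(g.priv, registrationMessage(g.ServerID, nonce))
}

// registrationMessage fixes the exact bytes both sides sign and verify. The
// purpose prefix and NUL separators (assumed framing) keep the signature from
// being confused with any other blob the same key might sign.
func registrationMessage(serverID, nonce string) []byte {
	return []byte("openstack-vm-registration\x00" + serverID + "\x00" + nonce)
}

// Registry stands in for the conductor's server -> public key association.
type Registry struct{ keys map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Associate is what the compute side would call with the key read off the device.
func (r *Registry) Associate(serverID string, pub ed25519.PublicKey) {
	r.keys[serverID] = append(ed25519.PublicKey(nil), pub...)
}

func (r *Registry) Lookup(serverID string) (ed25519.PublicKey, bool) {
	pub, ok := r.keys[serverID]
	return pub, ok
}

// Verifier is the third-party system of step 3 (identity provider, Heat, ...).
type Verifier struct {
	reg    *Registry
	nonces map[string]bool // challenges issued but not yet consumed
}

func NewVerifier(reg *Registry) *Verifier {
	return &Verifier{reg: reg, nonces: map[string]bool{}}
}

// Challenge hands the guest a fresh nonce; a signature over it is single use.
func (v *Verifier) Challenge() (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	n := base64.RawURLEncoding.EncodeToString(raw)
	v.nonces[n] = true
	return n, nil
}

var (
	ErrUnknownNonce  = errors.New("nonce not outstanding (replayed or never issued)")
	ErrUnknownServer = errors.New("no public key associated with server")
	ErrBadSignature  = errors.New("signature does not verify under the associated key")
)

// Validate checks the association of step 3: the nonce must be one we issued
// and not yet used, the server must have an associated key, and the document
// must verify under that key. The nonce is consumed even when a later check fails.
func (v *Verifier) Validate(serverID, nonce string, sig []byte) error {
	if !v.nonces[nonce] {
		return ErrUnknownNonce
	}
	delete(v.nonces, nonce)
	pub, ok := v.reg.Lookup(serverID)
	if !ok {
		return ErrUnknownServer
	}
	if !ed25519.Verify(pub, registrationMessage(serverID, nonce), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	reg := NewRegistry()
	idp := NewVerifier(reg)
	vm, err := NewGuest("server-1234") // constructed sample server id
	if err != nil {
		panic(err)
	}
	reg.Associate(vm.ServerID, vm.PublicKey()) // steps 1 and 2
	nonce, _ := idp.Challenge()
	fmt.Println("first attempt:", idp.Validate(vm.ServerID, nonce, vm.Sign(nonce)))
	fmt.Println("replay:", idp.Validate(vm.ServerID, nonce, vm.Sign(nonce)))
}
```

The point of the registry is that it binds a key to a server id only through the compute host's own read of the device, so a second guest that generates its own keypair and claims someone else's server id fails verification, and a signed document captured off the wire fails on the consumed nonce rather than on the signature.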