[Openstack-operators] Restricting API access as "admin" users based on network

matt matt at nycresistor.com
Tue Oct 21 17:00:19 UTC 2014


My guess is Horizon admin panels would bomb out... but it would be trivial
to replace the admin panels with a warning page.

-matt

On Tue, Oct 21, 2014 at 10:23 AM, Adam Young <ayoung at redhat.com> wrote:

> On 10/20/2014 12:11 AM, Tim Goddard wrote:
>
>> Hello all,
>>
>> We have an established OpenStack cloud and as part of a round of security
>> hardening would like to add some additional restrictions on the use of
>> "admin" permissions.
>>
>> In particular, we would like to limit it so that API endpoints requiring
>> admin access can only be used from a VPN (known range of source IP
>> addresses). We do not want the public-facing APIs to expose these
>> endpoints, even to users with the right credentials.
>>
>> Has anyone already been through a similar process and have a method or
>> advice for us to follow?
>>
>>
> From a Keystone perspective, what you want to do is to use the "admin"
> and "main" configuration to have each mapped to different interfaces on the
> HTTPD server machine. Don't try to do this with Eventlet, as Eventlet alone
> doesn't support it.
>
> You'll have to decide what you want to do about Horizon, as the Admin
> operations on Keystone from Horizon are RBAC controlled.  You could run two
> different Horizon instances, one internal and one external, and give each a
> separate Auth URL.  Then the Admin port would be hidden from Horizon, but I
> think the admin fields would still show up on the Horizon portal, just be
> non-functional.  I'll let some Horizon folks chime in with how to deal with
> that.
>
> Unfortunately, each service defines these things a little differently, and
> not all of them run in Eventlet. For the ones that run in Eventlet, you'll
> need to use some form of termination in front of them to bind to different
> interfaces.
>
>> Cheers,
>>
>> Tim
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>
>
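The split Adam describes, Keystone's "main" and "admin" WSGI applications each bound to a different interface under HTTPD, looks like the following Apache configuration. This is an added example, not configuration from the thread or from the Keystone project; the public address (203.0.113.10), the VPN-side address and range (10.8.0.1, 10.8.0.0/24), the log paths and the script paths under /var/www/cgi-bin/keystone are all assumptions to be replaced with your own values.

```apache
# Added example (not from the thread): Keystone under Apache mod_wsgi with the
# "main" (public, port 5000) and "admin" (port 35357) applications listening on
# different interfaces. Addresses, ranges and paths are assumptions.

# Public API: listen only on the public-facing address.
Listen 203.0.113.10:5000
# Admin API: listen only on the VPN-facing address, never on 0.0.0.0.
Listen 10.8.0.1:35357

<VirtualHost 203.0.113.10:5000>
    WSGIDaemonProcess keystone-main processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-main
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLog /var/log/httpd/keystone-main-error.log
    CustomLog /var/log/httpd/keystone-main-access.log combined
    <Directory /var/www/cgi-bin/keystone>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 10.8.0.1:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLog /var/log/httpd/keystone-admin-error.log
    CustomLog /var/log/httpd/keystone-admin-access.log combined
    <Directory /var/www/cgi-bin/keystone>
        # Second layer: even if the listener is ever rebound to all
        # interfaces, only the VPN range (assumed 10.8.0.0/24) may reach
        # the admin application. Apache 2.4 "Require ip" syntax.
        Require ip 10.8.0.0/24
    </Directory>
</VirtualHost>
```

The interface binding is what keeps the admin port off the public network; the `Require ip` allowlist on the admin vhost is a belt-and-braces check so that a later edit to the `Listen` line cannot silently expose it. The adminURL registered in the Keystone service catalog should point at the VPN-side address so that internal tooling finds it, and, as Adam notes, services that still run under Eventlet get the same effect by placing a terminating proxy in front of them that binds per interface in the same way. After a restart, confirm from a non-VPN host that port 35357 does not answer while port 5000 still does.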