[Openstack] Messaging level auth
Mike Scherbakov
mihgen at gmail.com
Fri Sep 30 03:11:34 UTC 2011
Joshua,
your question scares me :)
Actually you can define user/pass for rabbitmq:
See in rpc/impl_kombu.py, which is used by default:
    self.params = dict(hostname=FLAGS.rabbit_host,
                       port=FLAGS.rabbit_port,
                       userid=FLAGS.rabbit_userid,
                       password=FLAGS.rabbit_password,
                       virtual_host=FLAGS.rabbit_virtual_host)
But this does not seem to be a secured connection, since I don't see any
usage of SSL here.
In rpc/impl_carrot.py:
    params = dict(hostname=FLAGS.rabbit_host,
                  port=FLAGS.rabbit_port,
                  ssl=FLAGS.rabbit_use_ssl,
                  userid=FLAGS.rabbit_userid,
                  password=FLAGS.rabbit_password,
                  virtual_host=FLAGS.rabbit_virtual_host)
but I never tried this carrot and don't know if it works.
Can someone else clarify the question? It seems important in terms of
security.
Thanks,
On Wed, Sep 21, 2011 at 2:20 PM, Joshua Harlow <harlowja at yahoo-inc.com> wrote:
> A quick security question.
>
> Is there any plan to force authentication/authorization of the rabbitmq
> messages?
>
> Right now it seems like keystone (tbd) will protect the
> external<->openstack layers but what about the openstack<->openstack layers.
>
> If someone got access to the rabbitmq it seems like without this kind of
> layer bad things could happen (create me 1000 nodes...).
>
> Has there been any thought in that area?
>
> -Josh
--
Mike Scherbakov
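
A check for the gap discussed in this message, added here as an example (it is not part of the original message or of nova's code): it audits a connection params dict of the shape quoted above for missing TLS, unverifiable TLS, and RabbitMQ's default guest account. The finding codes, host names and sample values are constructed, and the "ca_certs"/"cert_reqs" keys assume an ssl dict that follows the Python ssl module's option names.

```python
import ssl


def audit_broker_params(params):
    """Return finding codes for a kombu/carrot-style AMQP connection params dict."""
    findings = []
    tls = params.get("ssl")
    if not tls:
        # The impl_kombu.py dict quoted above has no "ssl" key at all.
        findings.append("no-tls")
    elif isinstance(tls, dict):
        if tls.get("cert_reqs") != ssl.CERT_REQUIRED:
            findings.append("tls-cert-not-required")
        if not tls.get("ca_certs"):
            findings.append("tls-no-ca-bundle")
    else:
        # A bare truthy flag (e.g. rabbit_use_ssl=True) names no CA to verify against.
        findings.append("tls-no-ca-bundle")
    if tls and params.get("port") == 5672:
        # 5672 is the plain AMQP port; 5671 is the registered AMQPS port.
        findings.append("tls-on-plain-amqp-port")
    userid, password = params.get("userid"), params.get("password")
    if (userid, password) == ("guest", "guest"):
        findings.append("default-credentials")  # RabbitMQ's built-in account
    elif not password:
        findings.append("empty-password")
    return findings


# Constructed sample values; only the key names come from the message above.
KOMBU_STYLE = dict(hostname="rabbit.example.internal", port=5672,
                   userid="guest", password="guest", virtual_host="/")
CARROT_STYLE = dict(KOMBU_STYLE, ssl=True)
HARDENED = dict(hostname="rabbit.example.internal", port=5671,
                userid="nova", password="constructed-secret",
                virtual_host="/nova",
                ssl={"ca_certs": "/etc/ssl/example-ca.pem",
                     "cert_reqs": ssl.CERT_REQUIRED})

if __name__ == "__main__":
    for name, p in [("kombu-style", KOMBU_STYLE),
                    ("carrot-style", CARROT_STYLE),
                    ("hardened", HARDENED)]:
        print(name, audit_broker_params(p) or "ok")
```

Transport encryption and a non-default account only protect the link to the broker; they do not authorize individual messages between services, which is the broader concern raised in the quoted question.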