[Openstack] Trove Shadow Tenant

Sergio Morales Acuña semoac at gmail.com
Mon Feb 6 01:53:35 UTC 2017


Thank you all for your answers.

I'm working with Trove on a Public Cloud and we have a separate RabbitMQ
Cluster just for Trove.

I now understand that the use of a "shadow tenant" is a very specific
implementation of Trove.

Today, the only security concern we have is the rabbitmq password in the
trove-guestagent.conf file. We are also testing the use of two ramdisks
(tmpfs) for the /etc/trove/conf.d files and the "cloud-init" files inside
the guest image to minimize the risk.

Cheers, and once again thank you for your answers.

On Sun, 5 Feb 2017 at 19:22, Mark Kirkwood (<
mark.kirkwood at catalyst.net.nz>) wrote:

> Hi Sergio,
>
> With respect to the rabbit security - you can (and probably should) use
> a different rabbit server for the trove message queue i.e. not your
> openstack rabbit. I *think* this is mentioned in the trove deployment
> docs these days (it didn't used to be), and it is easy to miss wherever
> it is mentioned! However this by itself is not enough really - as your
> trove rabbit can be dos'd/hacked to cause mayhem to all running trove
> instances.
>
>
> The shadow tenant seems like the plan. However you are absolutely
> correct - how to actually set it up is...err not that well documented.
> I've made a comment on one of the various blogs to that effect. I'm
> hoping it will spur one of the experts to show us in detail how it is
> done :-)
>
>
> regards
>
>
> Mark
>
>
> On 04/02/17 05:42, Sergio Morales Acuña wrote:
> > Hi.
> >
> > I'm looking for information about the "Trove Shadow Tenant" feature.
> >
> > There are some blogs talking about this but I can't find any information
> > about the configuration.
> >
> > I have a working implementation of Trove but the instance is created
> > in the same project as the user requesting the database. This is a
> > problem for me because the user can create a snapshot of the instance
> > and capture the RabbitMQ password.
> >
> > I tried non-admin credentials for nova_proxy_*, but the instance is
> > still being created in the user's project. I'm using the branch
> > stable/newton.
> >
> > Cheers.
> >
> >
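The mitigation discussed in this thread is to keep the guest agent's broker credentials off the persistent disk of the database instance, so that a tenant snapshot of that instance does not capture them. The following is an added audit script, not code from the thread or from the Trove project: given a /proc/mounts-style mount table and the text of the guest's config files, it reports every file that holds broker credentials (the oslo.messaging `rabbit_password` option, or a `transport_url` with embedded user:password) and is not backed by a volatile filesystem such as tmpfs. The mount table, file paths and option values below are constructed samples; the `EXAMPLE-PLACEHOLDER` password and the zeroed guest_id are placeholders, not real values.

```python
import re
from configparser import ConfigParser
from pathlib import PurePosixPath

# Filesystem types whose contents never reach a disk snapshot.
VOLATILE_FS = {"tmpfs", "ramfs"}
# transport_url carrying credentials, e.g. rabbit://user:pass@host:5672/
_CREDS_IN_URL = re.compile(r"^[a-z]+://[^/@]+:[^/@]+@", re.I)

# Constructed sample in /proc/mounts format (not taken from a real guest).
SAMPLE_MOUNTS = """\
/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /etc/trove/conf.d tmpfs rw,nosuid,nodev,mode=700 0 0
tmpfs /var/lib/cloud tmpfs rw,nosuid,nodev 0 0
"""

# Constructed sample config files keyed by their path inside the guest image.
SAMPLE_CONFIGS = {
    "/etc/trove/trove-guestagent.conf": """\
[DEFAULT]
log_dir = /var/log/trove
[oslo_messaging_rabbit]
rabbit_host = 10.0.0.5
rabbit_userid = trove
rabbit_password = EXAMPLE-PLACEHOLDER
""",
    "/etc/trove/conf.d/guest_info.conf": """\
[DEFAULT]
guest_id = 00000000-0000-0000-0000-000000000000
transport_url = rabbit://trove:EXAMPLE-PLACEHOLDER@10.0.0.5:5672/
""",
}


def _unescape(field):
    """Decode the octal escapes the kernel writes in /proc/mounts (\\040 = space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return [(mountpoint, fstype), ...] from /proc/mounts-style text."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            table.append((_unescape(parts[1]), parts[2]))
    return table


def fstype_for(path, mounts):
    """Filesystem type backing `path`: the longest mountpoint that is a prefix of it."""
    target = PurePosixPath(path)
    best = None
    for mnt, fstype in mounts:
        m = PurePosixPath(mnt)
        if m == target or m in target.parents:
            if best is None or len(m.parts) > len(best[0].parts):
                best = (m, fstype)
    return best[1] if best else None


def secret_keys_in(config_text):
    """Return 'section/key' for every option that holds broker credentials."""
    # A fake default_section name makes [DEFAULT] an ordinary section, so its
    # options are not silently merged into every other section.
    cp = ConfigParser(interpolation=None, default_section="__no_defaults__")
    cp.read_string(config_text)
    found = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key == "rabbit_password" or (
                key == "transport_url" and _CREDS_IN_URL.match(value)
            ):
                found.append(f"{section}/{key}")
    return found


def audit(configs, mounts_text):
    """Findings (path, option, fstype) for credentials stored on persistent storage."""
    mounts = parse_mounts(mounts_text)
    findings = []
    for path, text in configs.items():
        fstype = fstype_for(path, mounts)
        for key in secret_keys_in(text):
            if fstype not in VOLATILE_FS:
                findings.append((path, key, fstype))
    return findings


if __name__ == "__main__":
    for path, key, fstype in audit(SAMPLE_CONFIGS, SAMPLE_MOUNTS):
        print(f"{path}: {key} is on {fstype}, a snapshot would capture it")
```

In the sample, guest_info.conf under the tmpfs-mounted /etc/trove/conf.d produces no finding, while trove-guestagent.conf on the ext4 root does. On a real guest the same functions can be fed `open("/proc/self/mounts").read()` and the contents of the files under /etc/trove; the check only reads configuration and never prints the credential values themselves.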