I haven't seen any more discussion on this topic. It looks like since we default to enabling SSL/TLS on deployments, there's no reason to block access to public API endpoints.
On Fri, Nov 13, 2015 at 5:15 PM, Vladimir Kuklin <vkuk...@mirantis.com> wrote: > Adam > > I think, the answer is realtively simple - if user does not want to expose > those APIs, he can easily configure his infra to filter this traffic. We > just need to mention this in Ops Guide. > > On Fri, Nov 13, 2015 at 4:02 PM, Adam Heczko <ahec...@mirantis.com> wrote: > >> Hello fuelers, >> >> today I'd like to raise a questions about Fuel deployment practice >> related to Public (external) network. >> Current approach is to expose by default over public IP openstack API >> endpoints like nova, cinder, glance, neutron etc. These API services are >> exposed through HAProxy with TLS support, so this approach seems to be >> relatively secure. >> OTOH industry practice is to don't expose over public IPs too much and >> rather rely on user action / decision to expose API access to the public. >> I'd like to ask for your opinions regarding this topic and approach taken >> by Fuel. >> >> Thank you, >> >> -- >> Adam Heczko >> Security Engineer @ Mirantis Inc. >> >> __________________________________________________________________________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> > > > -- > Yours Faithfully, > Vladimir Kuklin, > Fuel Library Tech Lead, > Mirantis, Inc. > +7 (495) 640-49-04 > +7 (926) 702-39-68 > Skype kuklinvv > 35bk3, Vorontsovskaya Str. > Moscow, Russia, > www.mirantis.com <http://www.mirantis.ru/> > www.mirantis.ru > vkuk...@mirantis.com > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > >
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev