On 06/04/16 03:09, Adam Young wrote:
> On 04/05/2016 08:02 AM, Hayes, Graham wrote:
>> On 02/04/2016 22:33, Adam Young wrote:
>>> I finally have enough understanding of what is going on with Tripleo to
>>> reasonably discuss how to implement solutions for some of the main
>>> security needs of a deployment.
>>>
>>> FreeIPA is an identity management solution that can provide support for:
>>>
>>> 1. TLS on all network communications:
>>>    A. HTTPS for web services
>>>    B. TLS for the message bus
>>>    C. TLS for communication with the Database.
>>> 2. Identity for all Actors in the system:
>>>    A. API services
>>>    B. Message producers and consumers
>>>    C. Database consumers
>>>    D. Keystone service users
>>> 3. Secure DNS (DNSSEC)
>>> 4. Federation Support
>>> 5. SSH Access control to Hosts for both undercloud and overcloud
>>> 6. SUDO management
>>> 7. Single Sign On for Applications running in the overcloud.
>>>
>>> The main pieces of FreeIPA are
>>> 1. LDAP (the 389 Directory Server)
>>> 2. Kerberos
>>> 3. DNS (BIND)
>>> 4. Certificate Authority (CA) server (Dogtag)
>>> 5. WebUI/Web Service Management Interface (HTTPD)
>>>
>> <snip>
>>
>>> There are a couple of ongoing efforts that will tie in with this:
>>>
>>> 1. Designate should be able to use the DNS from FreeIPA. That was the
>>> original implementation.
>> Designate cannot use FreeIPA - we haven't had a driver for it since
>> Kilo.
>>
>> There have been various efforts since to support FreeIPA, but it
>> requires that it is the point of truth for DNS information, as does
>> Designate.
>>
>> If FreeIPA supported the traditional Notify and Zone Transfer mechanisms
>> then we would be fine, but unfortunately it does not.
>>
>> [1] Actually points out that the goal of FreeIPA's DNS integration
>> "... is NOT to provide general-purpose DNS server. Features beyond
>> easing FreeIPA deployment and maintenance are explicitly out of scope."
>>
>> 1 - http://www.freeipa.org/page/DNS#Goals
>
> Let's table that for now. No reason they should not be able to
> interoperate somehow.
Without work being done by FreeIPA (to enable the XFR interface on the
BIND server) or us (Designate) re-designing our DNS driver interface,
they will not be able to interoperate.

>>> 2. Juan Antonio Osorio has been working on TLS everywhere. The issue
>>> thus far has been Certificate management. This provides a Dogtag server
>>> for Certs.
>>>
>>> 3. Rob Crittenden has been working on auto-registration of virtual
>>> machines with an Identity Provider upon launch. This gives that effort
>>> an IdM to use.
>>>
>>> 4. Keystone can make use of the Identity store for administrative users
>>> in their own domain.
>>>
>>> 5. Many of the compliance audits have complained about cleartext
>>> passwords in config files. This removes most of them. MySQL supports
>>> X509-based authentication today, and there is Kerberos support in the
>>> works, which should remove the last remaining cleartext passwords.
>>>
>>> I mentioned Centralized SUDO and HBAC. These are both tools that may be
>>> used by administrators if so desired on the install. I would recommend
>>> that they be used, but there is no requirement to do so.

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
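The compliance point raised in the quoted message (cleartext passwords in service config files) can be turned into a concrete audit check. The script below is an added example and is not code from this thread, from FreeIPA, Designate or any OpenStack project. It scans oslo.config-style INI text for two patterns: options whose name suggests a secret (`password`, `secret`, `token`) that carry a value, and URL-valued options such as `transport_url` or `connection` whose userinfo embeds a password. Both config snippets are constructed for illustration and the credential values are placeholders; the "hardened" variant assumes the message bus and database clients authenticate with certificates configured outside the URL, which is an assumption of the example rather than something the thread specifies.

```python
"""Scan oslo.config-style INI text for cleartext credentials.

Added example: the config text below is constructed and the credential
values are placeholders, not real secrets.
"""
import configparser
from urllib.parse import urlsplit

# Option-name fragments that usually mean the value is a secret.
SECRET_NAME_HINTS = ("password", "secret", "token")

# Constructed sample in the style of an OpenStack service config: a broker
# URL, a database URL and a Keystone auth section, each carrying a
# cleartext credential.
SAMPLE_CONFIG = """\
[DEFAULT]
debug = false
transport_url = rabbit://openstack:EXAMPLE_PASSWORD@controller:5672/

[database]
connection = mysql+pymysql://nova:EXAMPLE_PASSWORD@controller/nova

[keystone_authtoken]
auth_url = https://controller:5000
username = nova
password = EXAMPLE_PASSWORD

[ssl]
cert_file = /etc/nova/nova.pem
"""

# Constructed "after" variant (assumption: clients authenticate with a
# certificate configured outside the URL, so no user:password pair is
# embedded and no password option is present).
HARDENED_CONFIG = """\
[DEFAULT]
debug = false
transport_url = rabbit://controller:5671/

[database]
connection = mysql+pymysql://nova@controller/nova

[keystone_authtoken]
auth_url = https://controller:5000
username = nova

[ssl]
cert_file = /etc/nova/nova.pem
"""


def _url_has_password(value):
    """True if value parses as a URL whose userinfo carries a password."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return False
    return bool(parts.scheme and parts.password)


def scan_config(text):
    """Return findings as dicts with section, option and issue keys.

    The flagged value is deliberately left out of each finding so the
    report itself does not leak the secret it points at.
    """
    parser = configparser.ConfigParser(
        interpolation=None,          # values may contain '%' (URL escapes)
        delimiters=("=",),           # URLs contain ':'; split only on '='
        default_section="__none__",  # treat [DEFAULT] as an ordinary section
    )
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if not value:
                continue
            if any(hint in option for hint in SECRET_NAME_HINTS):
                findings.append({"section": section, "option": option,
                                 "issue": "cleartext_password_option"})
            elif _url_has_password(value):
                findings.append({"section": section, "option": option,
                                 "issue": "credential_in_url"})
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        hits = scan_config(cfg)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  [{hit['section']}] {hit['option']}: {hit['issue']}")
```

Run against a real service config by passing the file contents to `scan_config`; the three hits on the sample correspond to the broker URL, the database URL and the Keystone password, and the hardened variant produces none. The name-based heuristic is intentionally broad (it will also flag options like `admin_token`), which is the right bias for an audit that a human then reviews.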