openstack/openstack-ansible
Code Issues Proposed changes

Docs: RabbitMQ/MariaDB least privilege

Browse Source 
This patch adds documentation to the overview section and it describes
how the principle of least privilege is used for MariaDB and RabbitMQ.

Closes-bug: 1495154

Change-Id: I02bfaa45636e1b088f356504da789c6b65ae9d10
This commit is contained in:
Major Hayden 2016-02-05 14:32:34 -06:00
parent 191f4c3890
commit 0e8b6e9655
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
doc/source/install-guide/overview-security.rst
View File

@ -55,6 +55,21 @@ operation of an OpenStack deployment.
Refer to the documentation on :ref:`security_hardening` for more information Refer to the documentation on :ref:`security_hardening` for more information
on the role and how to enable it in OpenStack-Ansible. on the role and how to enable it in OpenStack-Ansible.
Least privilege
~~~~~~~~~~~~~~~
The `principle of least privilege`_ is used throughout OpenStack-Ansible to
limit the damage that could be caused if an attacker gained access to a set of
credentials.
OpenStack-Ansible configures unique username and password combinations for
each service that talks to RabbitMQ and Galera/MariaDB. Each service that
connects to RabbitMQ uses a separate virtual host for publishing and consuming
messages. The MariaDB users for each service are only granted access to the
database(s) that they need to query.
.. _principle of least privilege: https://en.wikipedia.org/wiki/Principle_of_least_privilege
-------------- --------------
.. include:: navigation.txt .. include:: navigation.txt