diff --git a/doc/source/install-guide/configure-haproxy.rst b/doc/source/install-guide/configure-haproxy.rst index 9d79b9e8b7..f92a8ef2ec 100644 --- a/doc/source/install-guide/configure-haproxy.rst +++ b/doc/source/install-guide/configure-haproxy.rst @@ -8,12 +8,18 @@ OpenStack-Ansible. The default HAProxy configuration provides highly-available load balancing services via keepalived if there are more than one hosts in the ``haproxy_hosts`` group. +.. note:: + + Deployers must review the services exposed by HAProxy and **must limit access + to these services to trusted users and networks only**. For more details, + refer to the :ref:`least-access-openstack-services` section. + .. note:: A load balancer is required for a successful installation. Deployers may prefer to make use of hardware load balancers instead of haproxy. If hardware - load balancers are used then the load balancing configuration for services must - be implemented prior to executing the deployment. + load balancers are used then the load balancing configuration for services + must be implemented prior to executing the deployment. To deploy HAProxy within your OpenStack-Ansible environment, define target hosts which should run HAProxy: diff --git a/doc/source/install-guide/overview-security.rst b/doc/source/install-guide/overview-security.rst index 764722ce64..7148b89658 100644 --- a/doc/source/install-guide/overview-security.rst +++ b/doc/source/install-guide/overview-security.rst @@ -11,8 +11,6 @@ Security requirements will always differ between deployers. For deployers that need additional security measures in place, please refer to the official `OpenStack Security Guide`_ for additional resources. -.. _OpenStack Security Guide: http://docs.openstack.org/sec/ - AppArmor ~~~~~~~~ @@ -70,6 +68,55 @@ database(s) that they need to query. .. _principle of least privilege: https://en.wikipedia.org/wiki/Principle_of_least_privilege +.. _least-access-openstack-services: + +Securing network access to OpenStack services +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +OpenStack environments expose many service ports and API endpoints to the +network. **Deployers must limit access to these resources and expose them only +to trusted users and networks.** + +The resources within an OpenStack environment can be divided into two groups: + +1. Services that users must access directly to consume the OpenStack cloud. + + * Aodh + * Cinder + * Ceilometer + * Glance + * Heat + * Horizon + * Keystone *(excluding the admin API endpoint)* + * Neutron + * Nova + * Swift + +2. Services that are only utilized internally by the OpenStack cloud. + + * Keystone (admin API endpoint) + * MariaDB + * RabbitMQ + +Users must be able to access certain public API endpoints, such as the Nova or +Neutron API, to manage instances. Deployers should configure firewalls to allow +access to these services, but that access should be limited to the fewest +networks possible. + +Other services, such as MariaDB and RabbitMQ, **must be segmented away from +direct user access**. Deployers must configure a firewall to only allow +connectivity to these services within the OpenStack environment itself. This +reduces an attacker's ability to query or manipulate data in OpenStack's +critical database and queuing services, especially if one of these services has +a known vulnerability. + +For more details on recommended network policies for OpenStack clouds, refer to +the `API endpoint process isolation and policy`_ section from the `OpenStack +Security Guide`_ + +.. _API endpoint process isolation and policy: http://docs.openstack.org/security-guide/api-endpoints/api-endpoint-configuration-recommendations.html#network-policy +.. _OpenStack Security Guide: http://docs.openstack.org/security-guide + -------------- .. include:: navigation.txt