From dbcfdec10a738b08c0da8175bb6c269aaa41b9e1 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Wed, 27 Apr 2016 12:22:09 -0500 Subject: [PATCH] Add docs for limiting access to services This patch adds documentation in the security overview as well as the HAProxy section about restricting access to various OpenStack services and shared infrastructure services. Change-Id: I3494c762b505e62ec7798564263633505be5e4d2 --- .../install-guide/configure-haproxy.rst | 10 +++- .../install-guide/overview-security.rst | 51 ++++++++++++++++++- 2 files changed, 57 insertions(+), 4 deletions(-) diff --git a/doc/source/install-guide/configure-haproxy.rst b/doc/source/install-guide/configure-haproxy.rst index 44da200924..331b076702 100644 --- a/doc/source/install-guide/configure-haproxy.rst +++ b/doc/source/install-guide/configure-haproxy.rst @@ -8,12 +8,18 @@ OpenStack-Ansible. The default HAProxy configuration provides highly-available load balancing services via keepalived if there are more than one hosts in the ``haproxy_hosts`` group. +.. note:: + + Deployers must review the services exposed by HAProxy and **must limit access + to these services to trusted users and networks only**. For more details, + refer to the :ref:`least-access-openstack-services` section. + .. note:: A load balancer is required for a successful installation. Deployers may prefer to make use of hardware load balancers instead of haproxy. If hardware - load balancers are used then the load balancing configuration for services must - be implemented prior to executing the deployment. + load balancers are used then the load balancing configuration for services + must be implemented prior to executing the deployment. To deploy HAProxy within your OpenStack-Ansible environment, define target hosts which should run HAProxy: diff --git a/doc/source/install-guide/overview-security.rst b/doc/source/install-guide/overview-security.rst index 764722ce64..7148b89658 100644 --- a/doc/source/install-guide/overview-security.rst +++ b/doc/source/install-guide/overview-security.rst @@ -11,8 +11,6 @@ Security requirements will always differ between deployers. For deployers that need additional security measures in place, please refer to the official `OpenStack Security Guide`_ for additional resources. -.. _OpenStack Security Guide: http://docs.openstack.org/sec/ - AppArmor ~~~~~~~~ @@ -70,6 +68,55 @@ database(s) that they need to query. .. _principle of least privilege: https://en.wikipedia.org/wiki/Principle_of_least_privilege +.. _least-access-openstack-services: + +Securing network access to OpenStack services +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +OpenStack environments expose many service ports and API endpoints to the +network. **Deployers must limit access to these resources and expose them only +to trusted users and networks.** + +The resources within an OpenStack environment can be divided into two groups: + +1. Services that users must access directly to consume the OpenStack cloud. + + * Aodh + * Cinder + * Ceilometer + * Glance + * Heat + * Horizon + * Keystone *(excluding the admin API endpoint)* + * Neutron + * Nova + * Swift + +2. Services that are only utilized internally by the OpenStack cloud. + + * Keystone (admin API endpoint) + * MariaDB + * RabbitMQ + +Users must be able to access certain public API endpoints, such as the Nova or +Neutron API, to manage instances. Deployers should configure firewalls to allow +access to these services, but that access should be limited to the fewest +networks possible. + +Other services, such as MariaDB and RabbitMQ, **must be segmented away from +direct user access**. Deployers must configure a firewall to only allow +connectivity to these services within the OpenStack environment itself. This +reduces an attacker's ability to query or manipulate data in OpenStack's +critical database and queuing services, especially if one of these services has +a known vulnerability. + +For more details on recommended network policies for OpenStack clouds, refer to +the `API endpoint process isolation and policy`_ section from the `OpenStack +Security Guide`_ + +.. _API endpoint process isolation and policy: http://docs.openstack.org/security-guide/api-endpoints/api-endpoint-configuration-recommendations.html#network-policy +.. _OpenStack Security Guide: http://docs.openstack.org/security-guide + -------------- .. include:: navigation.txt