Spec for new feature, secure-oslo-messaging.rpc messages

This blueprint defines the new feature to secure the oslo messaging messages with symmetric keys. Change-Id: If0146f08b3c5ad49a277963fcc685f5192d92edb Partially-Implements: secure-oslo-messaging-messages
2016-10-30 04:56:53 -04:00 · 2016-10-30 04:56:53 -04:00 · b2b2c59989
commit b2b2c59989
parent 806f8be82d
1 changed files with 328 additions and 0 deletions
--- a/specs/ocata/secure-oslo-messaging-messages.rst
+++ b/specs/ocata/secure-oslo-messaging-messages.rst
@ -0,0 +1,328 @@
+..
+    This work is licensed under a Creative Commons Attribution 3.0 Unported
+    License.
+
+    http://creativecommons.org/licenses/by/3.0/legalcode
+
+    Sections of this template were taken directly from the Nova spec
+    template at:
+    https://github.com/openstack/nova-specs/blob/master/specs/juno-template.rst
+
+=================================
+Secure oslo.messaging.rpc message
+=================================
+
+.. sectnum::
+.. contents::
+
+Trove utilizes oslo_messaging.rpc to perform RPC calls and the
+transport underlying this is oslo_messaging. Messages sent on
+oslo.messaging are currently treated as genuine. There is a benefit to
+adding a layer of validation that will ensure that the RPC calls are
+in fact genuine. We propose that the RPC calls be encrypted with
+unique keys.
+
+Launchpad Blueprint:
+https://blueprints.launchpad.net/trove/+spec/secure-oslo-messaging-messages
+
+
+Problem Description
+===================
+
+Messages sent on oslo.messaging are currently treated as genuine by
+the recipient. Given that the names of the topics used are
+predictable, it is possible for a person with sufficient knowledge of
+Trove to, for example, compromise a guest instance or otherwise obtain
+credentials to connect to RabbitMQ (or the underlying transport to
+oslo-messaging) and then generate messages to, for example, the task
+manager by impersonating the API service. While there are already
+safeguards in place to contain the scope of this, such as by requiring
+that the message contain a valid keystone token with the appropriate
+access, this is still a point of vulnerability.
+
+Currently, when a client wishes to make an asynchronous RPC (cast()),
+the method name and parameters are marshalled and sent down to
+oslo_messaging.rpc. It is the responsibility of oslo_messaging.rpc to
+transmit the information to the remote side, and then find and invoke
+the method specified. After the cast() is invoked on the client side,
+the next thing that is seen by the consumer of oslo_messaging.rpc is
+an invocation of the desired method on the server side.
+
+The same thing happens for a synchronous RPC (call()) with the
+additional step of the client blocking, the server completing the
+operation and sending a response to the client, and the client
+receiving that and unblocking.
+
+Proposed Change
+===============
+
+After experimenting with several other alternative approaches, we
+propose to implement custom serializers (and deserializers) which can
+be provided to oslo_messaging.rpc.
+
+All messages sent and return values in RPC call() will be serialized
+through these custom methods which will encrypt the content. Due to a
+bug ``Failure to use serializer in exception`` if an RPC function
+throws an exception, the exception is not encrypted.
+
+How does TroveRPCDispatcher verify legitimacy of a message
+----------------------------------------------------------
+
+The proposed implementation relies on cryptography and unique keys for
+the control plane and the guests. We propose to use symmetric keys for
+the purpose of encryption.
+
+Trove has the following entities who are party to RPC invocations:
+
+- Trove API Service (client)
+- Trove Taskmanager Service (client and server)
+- Trove Conductor Service (server)
+- Trove Guestagent (client and server)
+
+When an RPC call() or cast() is made, the client invokes the
+serializer which will encrypt all arguments. When received on the
+server side, oslo_messaging.rpc will invoke the deserializer which
+will decrypt the arguments.
+
+It is assumed that the control plane is secure and the control plane
+symmetric key is secure. If it is compromised, then all bets are off.
+
+In communication with the guest agent, each guest has a unique
+symmetric key that is generated by the control plane and passed to the
+guest at launch.
+
+Securing the response
+---------------------
+
+As described earlier, a response to a call() method will be secured in
+the same way as the request. As observed earlier, due to a bug, an
+exception thrown by an RPC function is not (currently) being
+serialized and will therefore be returned unencrypted. When (if) that
+bug is fixed in oslo_messaging.rpc, this exposure is minimized.
+
+Contol plane key
+----------------
+
+The control plane key is constructed at system initialization
+time. The key is stored on the control plane (in the configuration
+file).
+
+If the control plane consists of multiple machines, then the control
+plane services on all machines must have access to the control plane
+key.
+
+Getting keys to the guest instance
+----------------------------------
+
+On instance launch, the guest key is created and passed to the guest
+as an injected file. We assume that the mechanism for file injection
+is secure in that it cannot be intercepted and compromised by a bad
+actor.
+
+A unique key is created for each instance.
+
+Why is this secure?
+-------------------
+
+We make two assumptions above; these are:
+
+(a) The control plane is secure, the control plane key is not
+    compromised, and
+(b) The transmission of the guest key to the guest is secure and is
+    not compromised.
+
+These are, meaningful and reasonable assumptions to make given the
+architecture of an OpenStack system.
+
+Should a guest be compromised, the bad actor can connect to the
+underlying transport (say Rabbit) but all they will be able to see are
+encrypted messages that they cannot decrypt.
+
+Configuration
+-------------
+
+The control plane key is stored on the control plane in a secure way
+and there are configuration options to tell each service where to find
+it.
+
+Each guest instance will have a key and that will be stored securely
+on the instance and a configuraiton setting will tell the guestagent
+where to find it.
+
+.. code-block:: python
+
+    cfg.StrOpt('tm_rpc_encr_key',
+               default='bzH6y0SGmjuoY0FNSTptrhgieGXNDX6PIhvz',
+               help='OpenSSL aes_cbc key for taskmanager RPC encryption.'),
+    cfg.StrOpt('inst_rpc_key_encr_key',
+               default='emYjgHFqfXNB1NGehAFIUeoyw4V4XwWHEaKP',
+               help='OpenSSL aes_cbc key to encrypt instance keys in DB.'),
+    cfg.StrOpt('instance_rpc_encr_key',
+               help='OpenSSL aes_cbc key for instance RPC encryption.'),
+
+Database
+--------
+
+The guest key for each guest instance will be stored in the
+database. A table instance_keys is proposed for this.
+
+---------------+--------------+------+-----+---------+-------+
+| Field         | Type         | Null | Key | Default | Extra |
+---------------+--------------+------+-----+---------+-------+
+| id            | varchar(64)  | NO   | PRI | NULL    |       |
+| instance_id   | varchar(64)  | NO   | UNI | NULL    |       |
+| encrypted_key | varchar(255) | NO   |     | NULL    |       |
+| created       | datetime     | NO   |     | NULL    |       |
+| updated       | datetime     | NO   |     | NULL    |       |
+| deleted       | tinyint(1)   | NO   |     | NULL    |       |
+| deleted_at    | datetime     | YES  |     | NULL    |       |
+---------------+--------------+------+-----+---------+-------+
+
+The guest instance keys are encrypted and stored in the encrypted_key
+column. A foreign key constraint links instance_id with
+instances.id. A unique constraint on instance_id is placed on this
+table.
+
+Public API
+----------
+
+No changes to the public API.
+
+Public API Security
+-------------------
+
+No changes.
+
+Python API
+----------
+
+No changes.
+
+CLI (python-troveclient)
+------------------------
+
+No changes.
+
+Internal API
+------------
+
+The internal API (from the perspective of developers, and invocations)
+will remain unaffected by this change as the implementation seeks to
+work below the Trove code entirely. As a result, the internal API will
+be radically different, and code must be in place to ensure that
+encrypting and non-encrypting clients and servers know how to
+interoperate.
+
+Guest Agent
+-----------
+
+The guestagent will receive its key as a part of the configdrive/boot
+process and can use it to decrypt all messages.
+
+Alternatives
+------------
+
+Several alternatives were considered, prototyped, and abandoned. A
+short summary of each is provided below.
+
+(a) We proposed to the oslo_messaging.rpc team to implement a
+    lightweight message signing and encryption mechanism in their code
+    by providing a mechanism of callbacks which would allow the
+    consumer (trove) to perform the signing and encryption. The
+    oslo_messaging team did not want to go this route as they felt
+    that the message included other private data structures which we
+    (the consumer) could modify and cause unexpected behavior.
+(b) We proposed that that oslo_messaging.rpc allow consumers to
+    provide a custom dispatcher for messages on the receiver
+    side. With this implementation, a signature or message encryption
+    could be performed on the client side and intercepted on the
+    server side and reversed allowing us to have minimal changes on
+    the server side. Again, the oslo_messaging.rpc team felt that the
+    dispatcher was a private data structure and they did not feel that
+    we should be encapsulating it.
+(c) We prototyped and experimented with a change where each RPC
+    endpoint would be decorated and the decorator would provide a
+    mechanism to construct the proper parameters and the invocation to
+    the RPC method. The client side change would be identical to (b)
+    but the server side change would involve a change to every RPC
+    method to add the decorator. In addition, the call context would
+    not be encrypted in this approach and it was abandoned.
+(d) We were advised that we should NOT be using oslo_messaging.rpc the
+    way we are using it as it was only intended for use on the control
+    plane. And that we should instead make the guest an RPC
+    server. Unfortunately that's not what we need? In Trove, the guest
+    agent is an extension of the control plane and not well suited to
+    a REST based communication strategy. What we need is an RPC
+    mechanism, and it is sad that oslo_messaging.rpc can't seem to
+    provide a secure one.
+
+Dashboard Impact (UX)
+=====================
+
+None.
+
+Implementation
+==============
+
+Assignee(s)
+-----------
+
+Primary assignee:
+   amrith
+
+Dashboard assignee:
+   none
+
+Milestones
+----------
+
+Ocata-1
+
+Work Items
+----------
+
+- Implementing code on control plane and guest
+- Implement changes to devstack plugin to create control plane key
+- Implement unit tests
+- Implement upgrade handling
+- Update documentation
+
+Upgrade Implications
+====================
+
+Minimal upgrade implications are anticipated, code is proposed that
+handles this transition.
+
+1. The control plane key will be generated and persisted on all
+   control plane nodes.
+2. When guests are upgraded a key will be sent to them as part of the
+   nova migrate process.
+
+The API's will be rev'ed one major version to account for this.
+
+Dependencies
+============
+
+There is an assumed dependency on the RPC API versioning which has now
+merged.
+
+
+Testing
+=======
+
+Oh yeah, we'll need some of this.
+
+Documentation Impact
+====================
+
+And some of this; details to follow.
+
+References
+==========
+
+``Failure to use serializer in exception``: https://bugs.launchpad.net/oslo.messaging/+bug/1648254
+
+Appendix
+========
+
+Any additional technical information and data.