cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: [DISCUSS][SECURITY] Feature: Secure CloudStack Communications
Date Wed, 23 Aug 2017 19:49:55 GMT
All,


No regression is seen in the smoke test run, however, I'll leave the PR open for some time
to gather further feedback and reviews.


- Rohit

________________________________
From: Rohit Yadav <rohit.yadav@shapeblue.com>
Sent: Friday, August 18, 2017 4:09:30 PM
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS][SECURITY] Feature: Secure CloudStack Communications

All,


The feature is ready for your review, please see:

https://github.com/apache/cloudstack/pull/2239


Thanks and regards.

________________________________
From: Rohit Yadav <rohit.yadav@shapeblue.com>
Sent: Thursday, July 13, 2017 12:59:02 PM
To: dev@cloudstack.apache.org
Subject: [DISCUSS][SECURITY] Feature: Secure CloudStack Communications

All,


With upcoming features such as the application service (container service), and existing features
such as SAML, they all need some sort of certificate management and the idea with the proposed
feature is to build a pluggable certificate authority manager (CA Manager). I would like to
kick an initial discussion around how we can secure components of CloudStacks. A CA service/manager
that can create/provision/deploy certificates providing both automated and semi-automated
ways for deploying/setup of certificates using in-band (ssh, command-answer pattern) and out-of-band
(ssh, ansible, chef etc) to CloudStack services (such as systemvm agents, KVM agents, possible
webservices running in systemvms, VRs etc).


While we do have some APIs and mechanisms to secure user/external facing services where we
can use custom or failsafe SSL/TLS certificates, it's far from a complete solution. The present
communications between CloudStack management server, its peers and agents (served on port
8250) is one way SSL handshaked connection, is not authenticated while may be secure by insecure
certificates.


As a first step, it is proposed to create a general purpose pluggable CA service with a default
plugin implementation where CloudStack becomes a Root-CA and can issue self-signed certificates.
Such certificates may be consumed by CloudStack agents (CPVM/SSVM/KVM) and other components/services
(such as SAML, container services etc). The pluggable CA framework should allow developers
to extend the functionality by implementing provider plugins that may work with other CA providers
such as LetsEncrypt, an existing/internal CA infrastructure, or other certificate vendors.


Please see an initial FS and ideas on implementation in the following FS. Looking forward
to your feedback.


FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Agent+Communications

JIRA: https://issues.apache.org/jira/browse/CLOUDSTACK-9993


Regards.

rohit.yadav@shapeblue.com
www.shapeblue.com<http://www.shapeblue.com>
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue




rohit.yadav@shapeblue.com
www.shapeblue.com<http://www.shapeblue.com>
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue




rohit.yadav@shapeblue.comĀ 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message