openstack-manuals/doc/security-guide/ch037_risks.xml

<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns:xi="http://www.w3.org/2001/XInclude"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  xmlns="http://docbook.org/ns/docbook"
  version="5.0"
  xml:id="ch037_risks">
  <?dbhtml stop-chunking?>
  <title>Message queuing architecture</title>
  <para>Message queuing services facilitate inter-process
    communication in OpenStack. OpenStack supports these message
    queuing service back ends:</para>
  <itemizedlist>
    <listitem>
      <para>RabbitMQ</para>
    </listitem>
    <listitem>
      <para>Qpid</para>
    </listitem>
    <listitem>
      <para>ZeroMQ or 0MQ</para>
    </listitem>
  </itemizedlist>
  <para>Both RabbitMQ and Qpid are Advanced Message Queuing Protocol
    (AMQP) frameworks, which provide message queues for peer-to-peer
    communication. Queue implementations are typically deployed as a
    centralized or decentralized pool of queue servers. ZeroMQ
    provides direct peer-to-peer communication through TCP
    sockets.</para>
  <para>Message queues effectively facilitate command and control
    functions across OpenStack deployments. Once access to the queue
    is permitted no further authorization checks are performed.
    Services accessible through the queue do validate the contexts and
    tokens within the actual message payload. However, you must note
    the expiration date of the token because tokens are potentially
    re-playable and can authorize other services in the
    infrastructure.</para>
  <para>OpenStack does not support message-level confidence, such as
    message signing. Consequently, you must secure and authenticate
    the message transport itself. For high-availability (HA)
    configurations, you must perform queue-to-queue authentication and
    encryption.</para>
  <para>With ZeroMQ messaging, IPC sockets are used on individual
    machines. Because these sockets are vulnerable to attack, ensure
    that the cloud operator has secured them.</para>
</chapter>