openstack/openstack-manuals
Code Issues Proposed changes
Files
3ca4fed25752f080f0e89dece9ace590a22cc55c
openstack-manuals/doc/install-guide-rst/source/basics-security.rst
Karen Bradshaw 7c0a5a0706 Install guide Basic Env. to RST 
Converted security, database, queue to RST.

Change-Id: I5c802cee671e93204514100cf1088b731fd880d6
Implements: blueprint installguide-liberty
2015-07-08 14:00:23 -04:00

95 lines
3.4 KiB
ReStructuredText
Raw Blame History

Security
~~~~~~~~
OpenStack services support various security methods including password,
policy, and encryption. Additionally, supporting services including the
database server and message broker support at least password security.
To ease the installation process, this guide only covers password
security where applicable. You can create secure passwords manually,
generate them using a tool such as
`pwgen <http://sourceforge.net/projects/pwgen/>`__, or by running the
following command:
.. code-block:: console
$ openssl rand -hex 10
For OpenStack services, this guide uses `SERVICE_PASS` to reference
service account passwords and `SERVICE_DBPASS` to reference database
passwords.
The following table provides a list of services that require passwords
and their associated references in the guide:
.. list-table:: **Passwords**
:widths: 50 60
:header-rows: 1
* - Password name
- Description
* - Database password (no variable used)
- Root password for the database
* - `ADMIN_PASS`
- Password of user ``admin``
* - `CEILOMETER_DBPASS`
- Database password for the Telemetry service
* - `CEILOMETER_PASS`
- Password of Telemetry service user ``ceilometer``
* - `CINDER_DBPASS`
- Database password for the Block Storage service
* - `CINDER_PASS`
- Password of Block Storage service user ``cinder``
* - `DASH_DBPASS`
- Database password for the dashboard
* - `DEMO_PASS`
- Password of user ``demo``
* - `GLANCE_DBPASS`
- Database password for Image service
* - `GLANCE_PASS`
- Password of Image service user ``glance``
* - `HEAT_DBPASS`
- Database password for the Orchestration service
* - `HEAT_DOMAIN_PASS`
- Password of Orchestration domain
* - `HEAT_PASS`
- Password of Orchestration service user ``heat``
* - `KEYSTONE_DBPASS`
- Database password of Identity service
* - `NEUTRON_DBPASS`
- Database password for the Networking service
* - `NEUTRON_PASS`
- Password of Networking service user ``neutron``
* - `NOVA_DBPASS`
- Database password for Compute service
* - `NOVA_PASS`
- Password of Compute service user ``nova``
* - `RABBIT_PASS`
- Password of user guest of RabbitMQ
* - `SAHARA_DBPASS`
- Database password of Data processing service
* - `SWIFT_PASS`
- Password of Object Storage service user ``swift``
* - `TROVE_DBPASS`
- Database password of Database service
* - `TROVE_PASS`
- Password of Database service user ``trove``
|
OpenStack and supporting services require administrative privileges
during installation and operation. In some cases, services perform
modifications to the host that can interfere with deployment automation
tools such as Ansible, Chef, and Puppet. For example, some OpenStack
services add a root wrapper to ``sudo`` that can interfere with security
policies. See the `Cloud Administrator
Guide <http://docs.openstack.org/admin-guide-cloud/content/root-wrap-reference.html>`__
for more information.
Also, the Networking service assumes default
values for kernel network parameters and modifies firewall rules. To
avoid most issues during your initial installation, we recommend using a
stock deployment of a supported distribution on your hosts. However, if
you choose to automate deployment of your hosts, review the
configuration and policies applied to them before proceeding further.
View Git Blame Copy Permalink