openstack/openstack-manuals
Code Issues Proposed changes
59af79c6c3
openstack-manuals/doc/install-guide/section_basics-security.xml
Andreas Jaeger 3ca32b8434 s/Image Service/Image service/g 
Change capitalization as discussed on openstack-docs mailing list.

Change-Id: I2ad81bffbd59bdd8b908664bb0a1ee16da1bf7ae
2015-04-15 15:16:59 +02:00

146 lines
6.2 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="basics-security">
<?dbhtml stop-chunking?>
<title>Security</title>
<para>OpenStack services support various security methods
including password, policy, and encryption. Additionally,
supporting services including the database server and
message broker support at least password security.</para>
<para>To ease the installation process, this guide only
covers password security where applicable. You can create
secure passwords manually, generate them using a tool such as
<link xlink:href="http://sourceforge.net/projects/pwgen/">pwgen</link>,
or by running the following command:</para>
<screen><prompt>$</prompt> <userinput>openssl rand -hex 10</userinput></screen>
<para>For OpenStack services, this guide uses
<replaceable>SERVICE_PASS</replaceable> to reference
service account passwords and
<replaceable>SERVICE_DBPASS</replaceable> to reference
database passwords.</para>
<para>The following table provides a list of services that require
passwords and their associated references in the guide:
<table rules="all">
<caption>Passwords</caption>
<thead>
<tr>
<th>Password name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>Database password (no variable used)</td>
<td>Root password for the database</td>
</tr>
<tr>
<td><literal><replaceable>ADMIN_PASS</replaceable></literal></td>
<td>Password of user <literal>admin</literal></td>
</tr>
<tr>
<td><literal><replaceable>CEILOMETER_DBPASS</replaceable></literal></td>
<td>Database password for the Telemetry service</td>
</tr>
<tr>
<td><literal><replaceable>CEILOMETER_PASS</replaceable></literal></td>
<td>Password of Telemetry service user <literal>ceilometer</literal></td>
</tr>
<tr>
<td><literal><replaceable>CINDER_DBPASS</replaceable></literal></td>
<td>Database password for the Block Storage service</td>
</tr>
<tr>
<td><literal><replaceable>CINDER_PASS</replaceable></literal></td>
<td>Password of Block Storage service user <literal>cinder</literal></td>
</tr>
<tr>
<td><literal><replaceable>DASH_DBPASS</replaceable></literal></td>
<td>Database password for the dashboard</td>
</tr>
<tr>
<td><literal><replaceable>DEMO_PASS</replaceable></literal></td>
<td>Password of user <literal>demo</literal></td>
</tr>
<tr>
<td><literal><replaceable>GLANCE_DBPASS</replaceable></literal></td>
<td>Database password for Image service</td>
</tr>
<tr>
<td><literal><replaceable>GLANCE_PASS</replaceable></literal></td>
<td>Password of Image service user <literal>glance</literal></td>
</tr>
<tr>
<td><literal><replaceable>HEAT_DBPASS</replaceable></literal></td>
<td>Database password for the Orchestration service</td>
</tr>
<tr>
<td><literal><replaceable>HEAT_DOMAIN_PASS</replaceable></literal></td>
<td>Password of Orchestration domain</td>
</tr>
<tr>
<td><literal><replaceable>HEAT_PASS</replaceable></literal></td>
<td>Password of Orchestration service user <literal>heat</literal></td>
</tr>
<tr>
<td><literal><replaceable>KEYSTONE_DBPASS</replaceable></literal></td>
<td>Database password of Identity service</td>
</tr>
<tr>
<td><literal><replaceable>NEUTRON_DBPASS</replaceable></literal></td>
<td>Database password for the Networking service</td>
</tr>
<tr>
<td><literal><replaceable>NEUTRON_PASS</replaceable></literal></td>
<td>Password of Networking service user <literal>neutron</literal></td>
</tr>
<tr>
<td><literal><replaceable>NOVA_DBPASS</replaceable></literal></td>
<td>Database password for Compute service</td>
</tr>
<tr>
<td><literal><replaceable>NOVA_PASS</replaceable></literal></td>
<td>Password of Compute service user <literal>nova</literal></td>
</tr>
<tr>
<td><literal><replaceable>RABBIT_PASS</replaceable></literal></td>
<td>Password of user guest of RabbitMQ</td>
</tr>
<tr>
<td><literal><replaceable>SAHARA_DBPASS</replaceable></literal></td>
<td>Database password of Data processing service</td>
</tr>
<tr>
<td><literal><replaceable>SWIFT_PASS</replaceable></literal></td>
<td>Password of Object Storage service user <literal>swift</literal></td>
</tr>
<tr>
<td><literal><replaceable>TROVE_DBPASS</replaceable></literal></td>
<td>Database password of Database service</td>
</tr>
<tr>
<td><literal><replaceable>TROVE_PASS</replaceable></literal></td>
<td>Password of Database service user <literal>trove</literal></td>
</tr>
</tbody>
</table>
</para>
<para>OpenStack and supporting services require administrative
privileges during installation and operation. In some cases,
services perform modifications to the host that can interfere
with deployment automation tools such as Ansible, Chef, and
Puppet. For example, some OpenStack services add a root
wrapper to <literal>sudo</literal> that can interfere with
security policies. See the
<link xlink:href="http://docs.openstack.org/admin-guide-cloud/content/root-wrap-reference.html">Cloud Administrator Guide</link>
for more information. Also, the Networking service assumes
default values for kernel network parameters and modifies
firewall rules. To avoid most issues during your initial
installation, we recommend using a stock deployment of a
supported distribution on your hosts. However, if you choose
to automate deployment of your hosts, review the configuration
and policies applied to them before proceeding further.</para>
</section>
View Git Blame Copy Permalink