80ca377eb8
I improved security content in the installation guide as follows:

1) Renamed basic environment 'passwords' section to 'security' to generalize topic.
2) Generalized existing content.
3) Added content about administrative privilege requirements including potential interference with deployment automation tools.

Recommend backporting to Icehouse.

Change-Id: Ide9785728c7b52ee1dc59a533b3486b99ee11139
Closes-Bug: #1311426
backport: icehouse
130 lines
5.7 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
  xmlns:xi="http://www.w3.org/2001/XInclude"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  version="5.0"
  xml:id="basics-security">
  <?dbhtml stop-chunking?>
  <title>Security</title>
  <para>OpenStack services support various security methods including
    password, policy, and encryption. Additionally, supporting services
    including the database server and message broker support at least
    password security.</para>
  <para>To ease the installation process, this guide only covers password
    security where applicable. You can create secure passwords manually,
    generate them with a tool such as <application>pwgen</application>, or
    generate them by running the following command:</para>
  <screen><prompt>$</prompt> <userinput>openssl rand -hex 10</userinput></screen>
  <para>For OpenStack services, this guide uses
    <replaceable>SERVICE_PASS</replaceable> to reference service account
    passwords and <replaceable>SERVICE_DBPASS</replaceable> to reference
    database passwords.</para>
  <para>The following table provides a list of services that require
    passwords and their associated references in the guide:
    <table rules="all">
      <caption>Passwords</caption>
      <thead>
        <tr>
          <th>Password name</th>
          <th>Description</th>
        </tr>
      </thead>
      <tbody>
        <tr>
          <td>Database password (no variable used)</td>
          <td>Root password for the database</td>
        </tr>
        <tr>
          <td><literal><replaceable>RABBIT_PASS</replaceable></literal></td>
          <td>Password of user guest of RabbitMQ</td>
        </tr>
        <tr>
          <td><literal><replaceable>KEYSTONE_DBPASS</replaceable></literal></td>
          <td>Database password of Identity service</td>
        </tr>
        <tr>
          <td><literal><replaceable>DEMO_PASS</replaceable></literal></td>
          <td>Password of user <literal>demo</literal></td>
        </tr>
        <tr>
          <td><literal><replaceable>ADMIN_PASS</replaceable></literal></td>
          <td>Password of user <literal>admin</literal></td>
        </tr>
        <tr>
          <td><literal><replaceable>GLANCE_DBPASS</replaceable></literal></td>
          <td>Database password for Image service</td>
        </tr>
        <tr>
          <td><literal><replaceable>GLANCE_PASS</replaceable></literal></td>
          <td>Password of Image service user <literal>glance</literal></td>
        </tr>
        <tr>
          <td><literal><replaceable>NOVA_DBPASS</replaceable></literal></td>
          <td>Database password for Compute service</td>
        </tr>
        <tr>
          <td><literal><replaceable>NOVA_PASS</replaceable></literal></td>
          <td>Password of Compute service user <literal>nova</literal></td>
        </tr>
        <tr>
          <td><literal><replaceable>DASH_DBPASS</replaceable></literal></td>
          <td>Database password for the dashboard</td>
        </tr>
        <tr>
          <td><literal><replaceable>CINDER_DBPASS</replaceable></literal></td>
          <td>Database password for the Block Storage service</td>
        </tr>
        <tr>
          <td><literal><replaceable>CINDER_PASS</replaceable></literal></td>
          <td>Password of Block Storage service user <literal>cinder</literal></td>
        </tr>
        <tr>
          <td><literal><replaceable>NEUTRON_DBPASS</replaceable></literal></td>
          <td>Database password for the Networking service</td>
        </tr>
        <tr>
          <td><literal><replaceable>NEUTRON_PASS</replaceable></literal></td>
          <td>Password of Networking service user <literal>neutron</literal></td>
        </tr>
        <tr>
          <td><literal><replaceable>HEAT_DBPASS</replaceable></literal></td>
          <td>Database password for the Orchestration service</td>
        </tr>
        <tr>
          <td><literal><replaceable>HEAT_PASS</replaceable></literal></td>
          <td>Password of Orchestration service user <literal>heat</literal></td>
        </tr>
        <tr>
          <td><literal><replaceable>CEILOMETER_DBPASS</replaceable></literal></td>
          <td>Database password for the Telemetry service</td>
        </tr>
        <tr>
          <td><literal><replaceable>CEILOMETER_PASS</replaceable></literal></td>
          <td>Password of Telemetry service user <literal>ceilometer</literal></td>
        </tr>
        <tr>
          <td><literal><replaceable>TROVE_DBPASS</replaceable></literal></td>
          <td>Database password of Database service</td>
        </tr>
        <tr>
          <td><literal><replaceable>TROVE_PASS</replaceable></literal></td>
          <td>Password of Database service user <literal>trove</literal></td>
        </tr>
      </tbody>
    </table>
  </para>
  <para>OpenStack and supporting services require administrative privileges
    during installation and operation. In some cases, services perform
    modifications to the host that can interfere with deployment automation
    tools such as Ansible, Chef, and Puppet. For example, some OpenStack
    services add a root wrapper to <literal>sudo</literal> that can interfere
    with security policies. See the
    <link xlink:href="http://docs.openstack.org/admin-guide-cloud/content/root-wrap-reference.html">Cloud Administrator Guide</link>
    for more information. Also, the Networking service assumes default values
    for kernel network parameters and modifies firewall rules. To avoid most
    issues during your initial installation, we recommend using a stock
    deployment of a supported distribution on your hosts. However, if you
    choose to automate deployment of your hosts, review the configuration
    and policies applied to them before proceeding further.</para>
</section>
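The section above gives one command for generating a password and a table of the variables the guide expects. The following script, an added example and not part of the guide or the OpenStack project, generates every variable in that table with the guide's own `openssl rand -hex 10`, checks that each value is a 20-character hex string and that no two values collide, and writes them to an owner-only env file. The `/dev/urandom` fallback used when `openssl` is absent is an assumption of this example, not something the guide describes.

```shell
#!/bin/sh
# Generate the password set from the guide's "Passwords" table and write it
# to an env file that only the owner can read.
set -eu

# Variable names copied from the guide's table (the database root password
# has no variable in the guide, so it is not generated here).
PASSWORD_NAMES="RABBIT_PASS KEYSTONE_DBPASS DEMO_PASS ADMIN_PASS \
GLANCE_DBPASS GLANCE_PASS NOVA_DBPASS NOVA_PASS DASH_DBPASS \
CINDER_DBPASS CINDER_PASS NEUTRON_DBPASS NEUTRON_PASS HEAT_DBPASS \
HEAT_PASS CEILOMETER_DBPASS CEILOMETER_PASS TROVE_DBPASS TROVE_PASS"

# gen_pass: 10 random bytes as 20 hex characters, exactly as the guide shows.
gen_pass() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 10
    else
        # Assumed fallback with the same output shape when openssl is missing.
        od -An -N10 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# is_hex20: succeed only if the argument is exactly 20 lowercase hex chars.
is_hex20() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 20 ]
}

# write_env_file: one NAME=value line per table entry into $1 (mode 0600).
write_env_file() {
    out="$1"
    umask 077            # new file is created readable by the owner only
    : > "$out"
    for name in $PASSWORD_NAMES; do
        p="$(gen_pass)"
        is_hex20 "$p" || { echo "bad password for $name" >&2; return 1; }
        printf '%s=%s\n' "$name" "$p" >> "$out"
    done
    # Every value must be distinct; a repeat would point at a broken RNG.
    dups="$(cut -d= -f2 "$out" | sort | uniq -d | wc -l | tr -d ' ')"
    [ "$dups" -eq 0 ]
}
```

Source the resulting file (`. ./openstack-passwords.env`) before running the guide's configuration steps so that each `SERVICE_PASS` and `SERVICE_DBPASS` reference resolves to the generated value.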