Fix indentation and new-line under conventions

Change-Id: I441614de63be5f75144626c3b75fef99eb11c29a
Closes-Bug: #1541425
venkatamahesh
2016-02-23 19:55:44 +05:30
parent f79820c8a8
commit 8f6401121c
10 changed files with 83 additions and 65 deletions

View File

@@ -25,11 +25,11 @@ This chapter has several objectives:
environments.
.. toctree::
:maxdepth: 2
:maxdepth: 2
compliance/overview.rst
compliance/understanding-the-audit-process.rst
compliance/compliance-activities.rst
compliance/certification-and-compliance-statements.rst
compliance/privacy.rst
compliance/case-studies.rst
compliance/overview.rst
compliance/understanding-the-audit-process.rst
compliance/compliance-activities.rst
compliance/certification-and-compliance-statements.rst
compliance/privacy.rst
compliance/case-studies.rst

View File

@@ -55,13 +55,13 @@ Security (HSTS).
.. note::
If you are using an HTTPS proxy in front of your web
server, rather than using an HTTP server with HTTPS
functionality, modify the ``SECURE_PROXY_SSL_HEADER``
variable. Refer to the
`Django documentation <https://docs.djangoproject.com/>`_
for information about modifying the
``SECURE_PROXY_SSL_HEADER`` variable.
If you are using an HTTPS proxy in front of your web
server, rather than using an HTTP server with HTTPS
functionality, modify the ``SECURE_PROXY_SSL_HEADER``
variable. Refer to the
`Django documentation <https://docs.djangoproject.com/>`_
for information about modifying the
``SECURE_PROXY_SSL_HEADER`` variable.
See the chapter on :doc:`../secure-communication` for more specific
recommendations and server configurations for HTTPS
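
Review bot: The note in this hunk tells the reader to modify ``SECURE_PROXY_SSL_HEADER`` twice but never says what to set it to, and its link goes to the Django documentation root rather than to the setting itself. While the block is being re-indented, consider collapsing the two sentences into one and pointing the link at the settings reference entry for ``SECURE_PROXY_SSL_HEADER``.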

View File

@@ -57,22 +57,22 @@ example, provisioning clusters).
.. code-block:: json
{
"default": ""
}
{
"default": ""
}
**Example. Disallow image registry manipulations to non-admin users**
.. code-block:: json
{
"default": "",
{
"default": "",
"data-processing:images:register": "role:admin",
"data-processing:images:unregister": "role:admin",
"data-processing:images:add_tags": "role:admin",
"data-processing:images:remove_tags": "role:admin"
}
"data-processing:images:register": "role:admin",
"data-processing:images:unregister": "role:admin",
"data-processing:images:add_tags": "role:admin",
"data-processing:images:remove_tags": "role:admin"
}
Security groups
~~~~~~~~~~~~~~~
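
Review bot: Both JSON examples in this hunk keep ``"default": ""``, and the second one restricts only the four ``data-processing:images:*`` actions, so every action that is not listed stays allowed for any authenticated caller; the text around the examples should say so. Consider adding one sentence after the second example stating that an empty rule always passes, so readers do not take the example as a locked-down policy.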

View File

@@ -43,10 +43,10 @@ each compute node physical switch port into a VLAN trunk port.
.. note::
NOTE: If you intend for your network to support more than 4094
tenants VLAN is probably not the correct option for you as multiple
'hacks' are required to extend the VLAN tags to more than 4094
tenants.
If you intend for your network to support more than 4094
tenants VLAN is probably not the correct option for you as multiple
'hacks' are required to extend the VLAN tags to more than 4094
tenants.
L2 tunneling
------------
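
Review bot: The note text in this hunk still reads as a run-on once the redundant "NOTE:" prefix is gone: it needs a comma after the introductory clause ("more than 4094 tenants, VLAN is probably not the correct option") and it repeats "more than 4094 tenants" at the end. Suggest closing the sentence with "as multiple 'hacks' are required to extend the VLAN tags beyond that limit."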

View File

@@ -82,6 +82,7 @@ authentication methods depend on which share driver and security service you
configure and use.
.. note::
Different access features are supported by different share drivers with
taking into consideration the shared file system protocol. The supported
shared file system protocols are NFS, CIFS, GlusterFS, or HDFS. As the
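
Review bot: The first sentence of this note, "Different access features are supported by different share drivers with taking into consideration the shared file system protocol", is ungrammatical and is worth fixing in the same pass as the blank line after ``.. note::``. Something like "The supported access features depend on the share driver and on the shared file system protocol" says the same thing.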
@@ -178,11 +179,13 @@ them. For details, see :ref:`check_shared_fs_01` and :ref:`check_shared_fs_02`
in a checklist.
.. note::
The configuration for manila-rootwrap in file ``rootwrap.conf`` and the
manila-rootwrap command filters for share nodes in file
``rootwrap.d/share.filters`` should be owned by, and only-writeable by, the
root user.
.. tip::
Manila configuration file ``manila.conf`` may be used from different places.
The path ``/etc/manila/manila.conf`` is one of expected paths by default.
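
Review bot: In the tip at the end of this hunk, "is one of expected paths by default" is missing an article, and the same wording is used for ``/etc/manila/policy.json`` in another file of this commit. Suggest "is one of the default paths" in both places. In the note above it, "only-writeable by" would read better as "writable only by".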

View File

@@ -73,6 +73,7 @@ No share servers mode
needed at share creation time and must not be provided.
.. note::
In *no share servers mode* the Shared File Systems service will assume that
the network interfaces through which any shares are exported are already
reachable by all tenants.
@@ -118,6 +119,7 @@ network:
* ``VXLAN``
.. note::
The Shared File Systems service is just keeping the information about the
networks in the database, and the real networks are available due to the
network provider. In OpenStack it can be Legacy networking (nova-network)
@@ -143,6 +145,7 @@ networking without Legacy networking and Networking services. The
the network parameters in its configuration file.
.. tip::
All the share drivers that use the OpenStack Compute service do not use the
network plug-ins. In Liberty release it is Windows and Generic drivers, so
these share drives have other options and use different approach.
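
Review bot: The last line of this tip, "these share drives have other options and use different approach", has a typo ("drives" for "drivers") and a missing article. Suggest "so these share drivers have other options and use a different approach", and "In the Liberty release" for "In Liberty release" on the line before it.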
@@ -183,6 +186,7 @@ The security aspects of the configured networks depends on the configuration
itself and the network provider.
.. note::
The share drivers may not support every type of segmentation, for details
see the specification for each driver.

View File

@@ -8,6 +8,7 @@ determine which user can access which objects in which way, and are defined in
the service's ``policy.json`` file.
.. tip::
The configuration file ``policy.json`` may be used from different places.
The path ``/etc/manila/policy.json`` is one of expected paths by default.
@@ -24,54 +25,55 @@ OpenStack release to another it can be changed.
.. code-block:: javascript
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "is_admin:True",
"admin_api": "is_admin:True",
"share:create": "",
"share:delete": "rule:default",
"share:get": "rule:default",
"share:get_all": "rule:default",
"share:list_by_share_server_id": "rule:admin_api",
"share:update": "rule:default",
"share:snapshot_update": "rule:default",
"share:create_snapshot": "rule:default",
"share:delete_snapshot": "rule:default",
"share:get_snapshot": "rule:default",
"share:get_all_snapshots": "rule:default",
"share:access_get": "rule:default",
"share:access_get_all": "rule:default",
"share:allow_access": "rule:default",
"share:deny_access": "rule:default",
"share:extend": "rule:default",
"share:shrink": "rule:default",
"share:get_share_metadata": "rule:default",
"share:delete_share_metadata": "rule:default",
"share:update_share_metadata": "rule:default",
"share:migrate": "rule:admin_api",
"share:create": "",
"share:delete": "rule:default",
"share:get": "rule:default",
"share:get_all": "rule:default",
"share:list_by_share_server_id": "rule:admin_api",
"share:update": "rule:default",
"share:snapshot_update": "rule:default",
"share:create_snapshot": "rule:default",
"share:delete_snapshot": "rule:default",
"share:get_snapshot": "rule:default",
"share:get_all_snapshots": "rule:default",
"share:access_get": "rule:default",
"share:access_get_all": "rule:default",
"share:allow_access": "rule:default",
"share:deny_access": "rule:default",
"share:extend": "rule:default",
"share:shrink": "rule:default",
"share:get_share_metadata": "rule:default",
"share:delete_share_metadata": "rule:default",
"share:update_share_metadata": "rule:default",
"share:migrate": "rule:admin_api",
"share_type:index": "rule:default",
"share_type:show": "rule:default",
"share_type:default": "rule:default",
"share_type:index": "rule:default",
"share_type:show": "rule:default",
"share_type:default": "rule:default",
"share_instance:index": "rule:admin_api",
"share_instance:show": "rule:admin_api",
"share_instance:index": "rule:admin_api",
"share_instance:show": "rule:admin_api",
"share_extension:quotas:show": "",
"share_extension:quotas:update": "rule:admin_api",
"share_extension:quotas:delete": "rule:admin_api",
"share_extension:quota_classes": "",
"share_extension:quotas:show": "",
"share_extension:quotas:update": "rule:admin_api",
"share_extension:quotas:delete": "rule:admin_api",
"share_extension:quota_classes": "",
...
}
...
}
Note that your users must be assigned to groups and roles that you refer to in
your policies.
.. note::
Any changes to ``/etc/manila/policy.json`` are effective immediately,
which allows new policies to be implemented while the Shared File Systems
service is running. Modifying the policy can have unexpected side effects
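
Review bot: This block is tagged ``.. code-block:: javascript`` while the data-processing policy examples in this same commit use ``.. code-block:: json``, and the content ends with a bare ``...`` line, so it is not valid JSON as written. Pick one lexer for policy files across the guide; if ``json`` is wanted here, move the ellipsis out of the block and into the prose. Separately, ``"share:create": ""`` and the empty ``share_extension`` rules deserve a sentence in the text saying that an empty rule is always allowed.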

View File

@@ -23,6 +23,7 @@ exist and are supported by the drivers and back ends. These authentication
services also can be configured without the Shared File Systems service.
.. note::
In some cases, it is required to add one of the security services. For
example, NetApp, EMC and Windows drivers require Active Directory for the
creation of shares with CIFS protocol.
@@ -104,6 +105,7 @@ authentication service can operate with clients without the Shared File System
and the Identity service.
.. note::
Different authentication services are supported by different share drivers.
For details of supporting of features by different drivers, see
`Manila share features support mapping <http://docs.openstack.org/developer

View File

@@ -22,6 +22,7 @@ and **manila access-list** commands, you can grant, deny and list access to a
specified share correspondingly.
.. tip::
By default, when a share is created and has its export location, the Shared
File Systems service expects that nobody can access the share by mounting
it. Pay attention that the share driver you use can change this
@@ -47,6 +48,7 @@ by specifying one of these supported share access levels:
- **ro**. Read-only (RO) access.
.. tip::
The RO access level can be helpful in the public shares when the
administrator gives read and write (RW) access for some certain editors or
contributors and gives read-only (RO) access for the rest of users
@@ -66,6 +68,7 @@ You must also specify one of these supported authentication methods:
to 32 characters long.
.. note::
The supported authentication methods depend on which share driver, security
service and shared file system protocol you configure and use. Supported
shared file system protocols are NFS, CIFS, GlusterFS, and HDFS. Supported
@@ -79,6 +82,7 @@ To verify that the access rules (ACL) were configured correctly for a share,
you can list permissions for a share.
.. tip::
You also can choose and add the :ref:`security service
<shared_fs_security_services>` that is supported by the share driver to
create access rules with authentication methods for clients that are
@@ -152,6 +156,7 @@ You also can list the access rules to each share and deny the access using the
Shared File Systems service CLI.
.. tip::
To ensure that the granted or denied access with Shared File Systems
service CLI is correct, check the mount config file on the storage before
releasing a share to the production.
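
Review bot: The tip in this last hunk says to "check the mount config file on the storage" without saying what a correct result looks like, and "to the production" should be "to production". Suggest stating that the clients and access levels in the back end's export configuration should match what **manila access-list** reports for the share.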

View File

@@ -32,6 +32,7 @@ access to the *private* share types for some certain tenants. You also can get
information about access for a specified private share type.
.. tip::
Since the share types due to their extra specifications help to filter or
choose back ends before users create a share, using access to the share
types you can limit clients that can choose definite back end.
@@ -114,6 +115,7 @@ To deny access for a specified project, use
**manila type-access-remove <share_type> <project_id>** command.
.. tip::
A **real production use case** that shows the purpose of a share types and
access to them is a situation when you have two back ends: cheap LVM as a
public storage and expensive Ceph as a private storage. In this case you
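
Review bot: In this tip, "shows the purpose of a share types and access to them" mixes singular and plural. Suggest "shows the purpose of share types and of access to them"; the bold on "real production use case" can also go, since the ``.. tip::`` directive already sets the text apart.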