security-doc/security-guide/section_case-studies-database.xml
Hareesh Puthalath 3c8f94a752 Add intro and reference to the Alice and Bob case study
Adding a short intro and reference to the Alice and Bob case study in subsequent
chapters. This will be of convenience to readers who directly stumble upon the
page without being aware of the introduction section present in the beginning.

Change-Id: If29824446e9f58a12aef7f57589e93bee6a5f902
Closes-Bug: #1411082
2015-02-04 21:47:21 +01:00


<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="case-studies-database">
<?dbhtml stop-chunking?>
<title>Case studies</title>
<para>Earlier in <xref linkend="introduction-to-case-studies"/> we introduced the Alice and Bob case studies, where Alice is deploying a private government cloud and Bob is deploying a public cloud, each with different security requirements. Here we discuss how Alice and Bob would address database
selection and configuration for their respective private and public
clouds.</para>
<section xml:id="case-studies-database-alice-private-cloud">
<title>Alice's private cloud</title>
<para>Alice's organization has high availability concerns and so she has
selected MySQL as the underlying database for the cloud services. She places
the database on the Management network, utilizing SSL/TLS with mutual
authentication among the services to ensure secure access. On the
assumption that the database will not be accessed externally, she
installs a certificate signed with the organization's root certificate on the
database and its access endpoints. Alice creates separate user accounts for
each database user, then configures the database to use both passwords and
X.509 certificates for authentication. She elects not to use the
<systemitem class="service">nova-conductor</systemitem> sub-service due to the
desire for fine-grained access control policies and audit support.</para>
</section>
<section xml:id="case-studies-database-bob-public-cloud">
<title>Bob's public cloud</title>
<para>Bob is concerned about strong separation of his tenants' data, so
he has elected to use the PostgreSQL database, known for its stronger security
features. The database resides on the Management network and uses SSL/TLS with
mutual authentication with the services. Since the database is on the
Management network, the database uses certificates signed with the company's
self-signed root certificate. Bob creates separate user accounts for each
database user, and configures the database to use both passwords and X.509
certificates for authentication. He elects not to use the <systemitem
class="service">nova-conductor</systemitem> sub-service due to a desire for
fine-grained access control.</para>
</section>
</section>
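
An added example, not part of the guide: a small Python check that flags `pg_hba.conf` rules falling short of what Bob's case study describes (TLS, a client X.509 certificate and a password on every network connection). The sample rules, addresses and role names are constructed, and the script assumes CIDR addresses and unquoted fields.

```python
# Added example: audit pg_hba.conf for "TLS + client certificate + password".
# Assumes CIDR addresses and unquoted fields; all sample values are constructed.
PASSWORD_METHODS = {"md5", "scram-sha-256"}
# clientcert=1 is the spelling used by older PostgreSQL releases.
CERT_OPTIONS = {"clientcert=1", "clientcert=verify-ca", "clientcert=verify-full"}

# Constructed sample rules (not taken from any real deployment).
SAMPLE_PG_HBA = """\
# TYPE   DATABASE  USER      ADDRESS        METHOD
local    all       postgres                 peer
hostssl  nova      nova      10.0.0.0/24    scram-sha-256 clientcert=verify-full
hostssl  keystone  keystone  10.0.0.0/24    md5
hostssl  glance    glance    10.0.0.0/24    cert
host     cinder    cinder    10.0.0.0/24    md5
hostssl  neutron   neutron   10.0.0.0/24    trust clientcert=verify-full
"""


def audit_pg_hba(text):
    """Return (line_number, reason) for every network rule that does not
    require TLS, a client certificate and a password together."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] == "local":
            continue  # blank line, comment, or Unix-socket rule
        if fields[0] != "hostssl":
            findings.append((lineno, "rule type '%s' does not require TLS" % fields[0]))
            continue
        if len(fields) < 5:
            findings.append((lineno, "malformed rule"))
            continue
        # hostssl layout: TYPE DATABASE USER ADDRESS METHOD [OPTIONS...]
        method, options = fields[4], set(fields[5:])
        if method == "cert":
            findings.append((lineno, "certificate only, no password"))
        elif method not in PASSWORD_METHODS:
            findings.append((lineno, "method '%s' is not an accepted password method" % method))
        elif not options & CERT_OPTIONS:
            findings.append((lineno, "password only, client certificate not required"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print("line %d: %s" % (lineno, reason))
```

Only the `nova` rule passes: it is the one entry that combines `hostssl`, a password method and a `clientcert` option.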