Amrith Kumar a7115e22f7 secure oslo_messaging.rpc

This is an interim commit of the changes for secure
oslo-messaging.rpc. In this commit we introduce the code for
serializers that will encrypt all traffic being sent on
oslo_messaging.rpc.

Each guest communicates with the control plane with traffic encrypted
using a per-instance key. This includes both traffic from the
taskmanager to the guest as well as the guest and the conductor.

Per-instance keys are stored in the infrastructure database. These
keys are further encrypted in the database.

Tests that got annoyed have been placated.

Upgrade related changes have been proposed. If an instance has no key,
no encryption is performed. If the guest gets no key, it won't
encrypt, just pass through. When an instance is upgraded, keys are
added.

The output of the trove show command (and the show API) have been
augmented to show which instances are using secure RPC communication
** if the requestor is an administrator **.

A simple caching mechanism for encryption keys has been proposed; this
will avoid the frequent database access to get the encryption
keys. For Ocata, to handle the upgrade case, None as an encryption_key
is a valid one, and is therefore not cached. This is why we can't use
something like lrucache.

A brief writeup has been included in dev docs
(dev/secure_oslo_messaging.rst) which shows how the feature can be
used and would help the documentation team write up the documentation
for this capability.

Change-Id: Iad03f190c99039fd34cbfb0e6aade23de8654b28
DocImpact: see dev/secure_oslo_messaging.rst
Blueprint: secure-oslo-messaging-messages
Related: If0146f08b3c5ad49a277963fcc685f5192d92edb
Related: I04cb76793cbb8b7e404841e9bb864fda93d06504

2017-01-11 07:56:35 -05:00

2.4 KiB

Raw Blame History

Welcome to Trove's developer documentation!

Introduction

Trove is Database as a Service for OpenStack. It's designed to run entirely on OpenStack, with the goal of allowing users to quickly and easily utilize the features of a relational database without the burden of handling complex administrative tasks. Cloud users and database administrators can provision and manage multiple database instances as needed.

Initially, the service will focus on providing resource isolation at high performance while automating complex administrative tasks including deployment, configuration, patching, backups, restores, and monitoring.

For an in-depth look at the project's design and structure, see the dev/design page.

Installation And Deployment

Trove is constantly under development. The easiest way to install Trove is using the Trove integration scripts that can be found in git in the Trove Repository.

For further details on how to install Trove using the integration scripts please refer to the dev/install page.

For further details on how to install Trove to work with existing OpenStack environment please refer to the dev/manual_install page.

Developer Resources

For those wishing to develop Trove itself, or to extend Trove's functionality, the following resources are provided.

dev/design dev/testing dev/install dev/manual_install.rst dev/building_guest_images.rst dev/guest_cloud_init.rst dev/notifier.rst dev/trove_api_extensions.rst dev/secure_oslo_messaging.rst

Source Code Repositories
- Trove
- Trove Client
Trove Wiki on OpenStack
Trove API Documentation on docs.openstack.org

Guest Images

In order to use Trove, you need to have Guest Images for each datastore and version. These images are loaded into Glance and registered with Trove.

For those wishing to develop guest images, please refer to the dev/building_guest_images.rst page.

Search Trove Documentation

search

2.4 KiB Raw Blame History