OpenStack Security for Beginners
Divya K Konoor
https://www.linkedin.com/in/divya-k-konoor-4480339/
https://twitter.com/dikonoor
Agenda
Session for beginners to understand the different aspects of OpenStack security. This is NOT an advanced or deep-dive session.
OpenStack Architectural Diagram
Security-Related OpenStack Teams
• Keystone: identity / RBAC / multi-tenancy / service endpoints (catalog)
• Castellan / Barbican: key management
• Oslo: oslo.policy, oslo.config, oslo.limit, oslo.rootwrap / oslo.privsep
• OpenStack Security SIG: VMT (OSSA / OSSN), security tools
Keystone: OpenStack's identity service
What is Keystone?
• One of the core OpenStack services; installed by a default devstack installation
• Provides centralized authentication, the service catalog, role-based access control and token-based session management
OpenStack is like the Solar System
• An OpenStack deployment consists of multiple services
• Keystone is the sun: it holds the services together with respect to authentication, authorization and service registration (the catalog)
Keystone Components
Identity Backend
• Keystone connects to the identity backend where user credentials are stored
• All services authenticate credentials through Keystone, which checks them against the backend
• The default backend is the SQL database; LDAP is the most commonly used alternative
• New backend drivers can be added as needed
Token Management
• Keystone issues a token when presented with valid credentials
• A token binds the credentials (user) to a scope, e.g. a project scope
• Tokens have a configurable expiry period
• Tokens can be revoked
• Every REST API call to any OpenStack service must carry a valid token (X-Auth-Token header) for authentication
Authentication
Token Creation and Validation
Different types of token providers
• UUID: randomly generated, stored in the database; expired tokens must be purged periodically
• Fernet: symmetric encryption keys; Keystone encrypts the token payload, and every Keystone node validates tokens with the same shared key repository (the keys must be distributed to all Keystone nodes and rotated); the default since Newton
• JWT (JWS): the latest provider, non-persistent, uses asymmetric keys (Keystone signs, validators need only the public key); implemented in the Stein release
Multi-Factor Authentication (MFA)
• The default authentication method is password
• A TOTP (one-time passcode) method can be enabled as a second factor
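As an added example for the token and MFA slides (this is not Keystone code), the following builds the JSON body that Keystone's v3 API takes at POST /v3/auth/tokens for a password login, optionally with the totp method as a second factor, plus the application-credential form mentioned on the Recent Additions slide, and shows what a service learns from the token response (scope, roles, expiry). The TOTP routine is a stdlib RFC 6238 implementation written for this example. The endpoint, user, project, secret and token values are constructed samples.

```python
"""Keystone v3 auth requests and token-response handling (added illustration)."""
import base64
import hashlib
import hmac
import json
import struct
import time
import urllib.request
from datetime import datetime, timezone

AUTH_URL = "http://controller:5000/v3/auth/tokens"  # assumed endpoint for the example


def totp_passcode(base32_secret, for_time=None, digits=6, period=30):
    """RFC 6238 TOTP: HMAC-SHA1, 30 s step, 6 digits, the defaults Keystone's
    'totp' method expects for the passcode. Stdlib implementation for this example."""
    if for_time is None:
        for_time = int(time.time())
    key = base64.b32decode(base32_secret.upper())
    counter = struct.pack(">Q", for_time // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_auth_request(user, password, project, domain="default", totp_secret=None):
    """Project-scoped password login; adds the 'totp' method when a secret is given."""
    who = {"name": user, "domain": {"id": domain}}
    identity = {"methods": ["password"], "password": {"user": dict(who, password=password)}}
    if totp_secret is not None:
        identity["methods"].append("totp")
        identity["totp"] = {"user": dict(who, passcode=totp_passcode(totp_secret))}
    scope = {"project": {"name": project, "domain": {"id": domain}}}
    return {"auth": {"identity": identity, "scope": scope}}


def app_cred_auth_request(app_cred_id, secret):
    """Application credentials carry their own project scope and roles,
    so the request has no 'scope' block."""
    identity = {"methods": ["application_credential"],
                "application_credential": {"id": app_cred_id, "secret": secret}}
    return {"auth": {"identity": identity}}


def issue_token(body, auth_url=AUTH_URL):
    """POST the request to a live Keystone: the token itself comes back in the
    X-Subject-Token header, its metadata (scope, roles, catalog, expiry) in the body."""
    req = urllib.request.Request(auth_url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.headers["X-Subject-Token"], json.load(resp)


def parse_time(stamp):
    """Keystone timestamps look like 2019-05-01T12:00:00.000000Z (UTC)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


SAMPLE_TOKEN_RESPONSE = {  # constructed, shaped like Keystone's response body
    "token": {
        "methods": ["password", "totp"],
        "issued_at": "2019-05-01T11:00:00.000000Z",
        "expires_at": "2019-05-01T12:00:00.000000Z",
        "user": {"id": "user-demo", "name": "demo", "domain": {"id": "default", "name": "Default"}},
        "project": {"id": "project-demo", "name": "demo", "domain": {"id": "default", "name": "Default"}},
        "roles": [{"id": "role-member", "name": "member"}, {"id": "role-reader", "name": "reader"}],
        "audit_ids": ["constructed-audit-id"],
        "catalog": [],
    }
}


def summarize_token(body, now):
    """What a service learns from a validated token: who, which scope, which roles, how long it is good for."""
    tok = body["token"]
    expires = parse_time(tok["expires_at"])
    if "system" in tok:
        scope = "system"
    elif "project" in tok:
        scope = "project:" + tok["project"]["id"]
    elif "domain" in tok:
        scope = "domain:" + tok["domain"]["id"]
    else:
        scope = "unscoped"  # can only be exchanged for a scoped token, not used on resources
    return {"user": tok["user"]["name"], "scope": scope,
            "roles": sorted(r["name"] for r in tok.get("roles", [])),
            "methods": tok["methods"], "valid": now < expires,
            "seconds_left": max(0, int((expires - now).total_seconds()))}
```

The passcode changes every 30 seconds, so it is computed at request time; the test vector secret is the one from RFC 6238 (ASCII "12345678901234567890" in base32).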
Authorization
• Keystone implements RBAC (Role-Based Access Control) using the role, project and domain concepts
• Every OpenStack user is assigned a role within a scope (project, domain or system)
• Every operation in every service defines, in policy, which roles may perform it
• Policy in code (defaults registered by each service, with policy files as overrides) was implemented a few releases ago
oslo.policy for policy checks
Example of Policy Rules
Multi-Tenancy
• Resource isolation using tenants/projects
• Domains: namespaces for projects, users and groups
• System-scoped tokens for operations on the deployment as a whole (not tied to any project)
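As an added example for the authorization slides and the system-scope point above (not oslo.policy itself), here is a minimal evaluator for a subset of oslo.policy's rule language: rule:, role:, generic attribute checks such as project_id:%(project_id)s, "and", "or", "not", "@" and "!", without parentheses. It shows how project isolation falls out of matching the token's project against the target resource, and how a system-scoped token is required for deployment-wide operations. The policy dictionary is constructed sample data whose names are modelled on Nova's defaults.

```python
"""Subset evaluator for oslo.policy rule strings (added illustration)."""
import re

SAMPLE_POLICY = {  # constructed; names modelled on Nova's policy-in-code defaults
    "admin_required": "role:admin",
    # deployment-wide operations need a system-scoped token, not just the admin role
    "system_admin": "role:admin and system_scope:all",
    # %(project_id)s is substituted from the target resource: this is project isolation
    "project_member": "role:member and project_id:%(project_id)s",
    "project_reader": "role:reader and project_id:%(project_id)s",
    "admin_or_owner": "rule:admin_required or rule:project_member",
    "os_compute_api:servers:show": "rule:admin_or_owner or rule:project_reader",
    "os_compute_api:servers:delete": "rule:admin_or_owner",
    "os_compute_api:os-hypervisors:list": "rule:system_admin",
    "os_compute_api:os-services:update": "!",  # never permitted through the API
}


def credentials(roles, project_id=None, system_scope=None):
    """The credential dict a service derives from a validated token."""
    creds = {"roles": list(roles)}
    if project_id is not None:
        creds["project_id"] = project_id
    if system_scope is not None:
        creds["system_scope"] = system_scope
    return creds


def _check_atom(atom, creds, target, rules):
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return _check_expr(rules[value], creds, target, rules)
    if kind == "role":
        return value in creds.get("roles", [])
    # generic check: compare a credential attribute with a literal or a %(field)s
    # substituted from the target; a missing target field fails closed
    if "%(" in value:
        try:
            value = value % target
        except KeyError:
            return False
    return kind in creds and str(creds[kind]) == value


def _check_expr(expr, creds, target, rules):
    expr = expr.strip()
    if not expr:
        return True  # an empty rule string means "always" in oslo.policy
    for disjunct in re.split(r"\s+or\s+", expr):  # 'not' binds tighter than 'and', 'and' than 'or'
        satisfied = True
        for conjunct in re.split(r"\s+and\s+", disjunct):
            conjunct = conjunct.strip()
            negate = conjunct.startswith("not ")
            result = _check_atom(conjunct[4:].strip() if negate else conjunct, creds, target, rules)
            if negate:
                result = not result
            if not result:
                satisfied = False
                break
        if satisfied:
            return True
    return False


def enforce(action, creds, target, rules=SAMPLE_POLICY):
    """True if the token's credentials may perform 'action' on 'target'."""
    return _check_expr(rules[action], creds, target, rules)
```

Real deployments load these rules from each service's registered defaults plus an operator policy file; the evaluation order and the fail-closed behaviour on a missing target field are the part worth keeping in mind when writing overrides.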
Securing Information
• Secure the credentials kept in config files:
  • Service user credentials
  • Database user credentials
  • Transport (message queue) user credentials
  • Credentials to connect to resources such as compute hosts, storage providers, etc.
• Secure plaintext passwords using Castellan / oslo.config
• Use file permissions to protect config files
• Protect log files (/var/log/<service>/*.log); they can contain sensitive data too
• Secure all communication with TLS certificates
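As an added example for this slide (not an OpenStack tool), the script below audits a service config file for the two problems listed: credentials sitting in plaintext (password options and user:password embedded in transport and database URLs) and a file mode that lets group or other read it. The nova.conf content is constructed; the credentials in it are fake.

```python
"""Audit an OpenStack service config for plaintext secrets and loose permissions (added illustration)."""
import configparser
import os
import re
import stat
import tempfile

SAMPLE_NOVA_CONF = """\
[DEFAULT]
transport_url = rabbit://openstack:RabbitPass123@controller:5672/
[database]
connection = mysql+pymysql://nova:DbPass123@controller/nova
[keystone_authtoken]
auth_url = http://controller:5000/v3
username = nova
password = NovaPass123
[neutron]
password = NeutronPass123
"""

# scheme://user:password@host ... (the shape of transport_url and connection strings)
URL_CRED = re.compile(r"^([A-Za-z][\w+.-]*://)([^:/@\s]+):([^@\s]+)@")


def redact(value):
    """Mask the password part of a URL so findings can be logged safely."""
    return URL_CRED.sub(r"\1\2:***@", value)


def audit_config(path):
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(("permissions", path,
                         "mode %04o is readable by group/other; use 0640 root:<service>" % mode))
    # oslo.config files: [DEFAULT] is an ordinary section, keys may repeat, no % interpolation
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       default_section="__no_defaults__")
    parser.read(path)
    for section in parser.sections():
        for key, value in parser.items(section):
            value = value.strip()
            if key.endswith("password") and value:
                findings.append(("plaintext_password", f"{section}/{key}",
                                 "move to a Castellan-backed oslo.config source or a secret store"))
            if URL_CRED.match(value):
                findings.append(("credentials_in_url", f"{section}/{key}", redact(value)))
    return findings


def demo(mode=0o644):
    """Write the constructed sample to a temp file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "nova.conf")
        with open(path, "w") as fh:
            fh.write(SAMPLE_NOVA_CONF)
        os.chmod(path, mode)
        return audit_config(path)


if __name__ == "__main__":
    for kind, where, detail in demo():
        print(f"{kind:20} {where:40} {detail}")
```

Run it against /etc/nova/nova.conf, /etc/neutron/neutron.conf and friends on a controller; the URL check matters because the password in transport_url is the one that usually escapes attention.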
OpenStack Auditing
• Uses the Cloud Auditing Data Federation (CADF) standard from the DMTF working group
• Can be enabled for all OpenStack services using an API middleware
• Not enabled by default
• Middleware support comes from keystonemiddleware (audit middleware)
• Event construction comes from the pycadf library
Auditing Example with Nova
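As an added example for the auditing slides (not pycadf or keystonemiddleware code), the following takes a CADF event of the kind the audit middleware emits for a Nova API call, checks that the mandatory CADF fields are present, reduces it to a compact record for a SIEM, and flags the events a reviewer would want to look at first. The event is a constructed sample; the ids, addresses and hostnames in it are made up.

```python
"""Validate and summarize a CADF audit event (added illustration)."""
CADF_EVENT_TYPEURI = "http://schemas.dmtf.org/cloud/audit/1.0/event"
MANDATORY = ("typeURI", "id", "eventType", "eventTime", "action", "outcome",
             "initiator", "target", "observer")
OUTCOMES = {"success", "failure", "pending", "unknown"}

SAMPLE_EVENT = {  # constructed, shaped like an audit-middleware response event for Nova
    "typeURI": CADF_EVENT_TYPEURI,
    "eventType": "activity",
    "id": "openstack:6b9f6d3a-0f7b-4f6f-9e2b-3c6d3f1a2b4c",
    "eventTime": "2019-05-01T11:02:33.123456+0000",
    "action": "delete",
    "outcome": "success",
    "reason": {"reasonCode": "204", "reasonType": "HTTP"},
    "initiator": {
        "typeURI": "service/security/account/user",
        "id": "user-demo",
        "name": "demo",
        "project_id": "project-demo",
        "host": {"address": "10.0.0.5", "agent": "python-novaclient"},
        "credential": {"token": "***", "identity_status": "Confirmed"},
    },
    "target": {
        "typeURI": "service/compute/servers/server",
        "id": "server-1",
        "addresses": [{"url": "http://controller:8774/v2.1/project-demo/servers/server-1",
                       "name": "admin"}],
    },
    "observer": {"typeURI": "service/compute", "id": "target"},
    "requestPath": "/v2.1/project-demo/servers/server-1",
}


def validate(event):
    """Return a list of problems; an empty list means the record is usable."""
    problems = [f"missing {field}" for field in MANDATORY if field not in event]
    if event.get("typeURI") != CADF_EVENT_TYPEURI:
        problems.append("typeURI is not the CADF event type")
    if event.get("outcome") not in OUTCOMES:
        problems.append(f"unknown outcome {event.get('outcome')!r}")
    return problems


def summarize(event):
    """One flat record per event: who did what to which resource, from where, with what result."""
    initiator = event["initiator"]
    target = event["target"]
    return {
        "when": event["eventTime"],
        "who": initiator.get("name") or initiator["id"],
        "project": initiator.get("project_id"),
        "from": initiator.get("host", {}).get("address"),
        "action": event["action"],
        "resource": target["typeURI"],
        "target_id": target["id"],
        "outcome": event["outcome"],
        "http_status": event.get("reason", {}).get("reasonCode"),
        "path": event.get("requestPath"),
    }


def is_alertable(event):
    """Failures and completed destructive actions deserve review. 'pending' is the
    request half of the request/response pair the middleware emits; skip it."""
    if event["outcome"] == "failure":
        return True
    verb = event["action"].split("/")[0]  # CADF actions can be hierarchical, e.g. read/list
    return event["outcome"] == "success" and verb in {"delete", "update"}
```

Feed the middleware's notifications (or the log file it writes to) through validate before summarize; a record that fails validation should be kept raw rather than dropped, since a malformed audit event is itself worth knowing about.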
OpenStack Security SIG
• Manages the security aspects of OpenStack
• OpenStack Security Advisories (OSSA)
• OpenStack Security Notes (OSSN)
• Security guidelines (the Security Guide)
• #openstack-security IRC channel
• Security bugs and vulnerability management
• Security tools
OpenStack Vulnerability Management
• OpenStack Vulnerability Management Team (VMT)
• All bugs with security impact are kept private until a fix is available
• Security advisories (OSSA) and notes (OSSN) are released
OpenStack Security Tools
• Bandit: static code scanner for Python; can be integrated with CI/CD
• Syntribos: API security testing tool; aims to automatically detect common security defects such as SQL injection, LDAP injection, buffer overflow, etc.
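As an added example of what Bandit catches in Python code of the kind OpenStack services are written in (this is not Bandit's or any OpenStack project's code), two flagged patterns sit beside the forms that pass the scan: a shell command built from a string, and MD5 used as an integrity check. The hostnames and inputs are made up; the unsafe command is only built as a string and never executed.

```python
"""Bandit-flagged patterns beside their fixes (added illustration)."""
import hashlib
import shlex
import subprocess


def ping_command_unsafe(host):
    """Bandit B602 (subprocess call with shell=True): 'host' is spliced into a
    shell command line, so '8.8.8.8; id' would also run 'id'. Built only as a
    string here to show the problem; never executed."""
    return f"ping -c 1 {host}"  # would go to subprocess.run(cmd, shell=True)


def ping_argv_safe(host):
    """argv list, no shell: the whole of 'host' is a single argument and shell
    metacharacters in it have no effect."""
    return ["ping", "-c", "1", host]


def ping_command_quoted(host):
    """If a shell really is required, shlex.quote makes the value a single token."""
    return f"ping -c 1 {shlex.quote(host)}"


def run_argv(argv):
    """Execute an argv list without a shell and return its stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def checksum_weak(data):
    """Bandit B303/B324 (version dependent): MD5 is not collision resistant,
    so two different images can share this digest."""
    return hashlib.md5(data).hexdigest()


def checksum(data):
    """SHA-256 for image and artifact integrity."""
    return hashlib.sha256(data).hexdigest()
```

Running bandit -r over a tree reports each finding with its test id, severity and confidence; wiring it into the gate job, as the slide suggests, turns these from review comments into failed builds.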
Recent Additions
• System-scoped tokens (Keystone)
• Secure plaintext passwords using oslo.config (Castellan-backed)
• Read-only (reader) role (authorization)
• oslo.limit
• JSON Web Tokens (new token provider)
• Application credentials (authentication)
References
• https://docs.openstack.org/security-guide/
• Keystone project updates:
  • Denver 2019: https://www.openstack.org/videos/summits/denver-2019/keystone-project-update-2
  • Berlin 2018: https://www.openstack.org/videos/summits/berlin-2018/keystone-project-updates