Database SSL transport config example missing OS service database config

Bug #1425762 reported by Shail Bhargava
This bug affects 1 person

Affects: openstack-manuals
Status: Fix Released
Importance: Medium
Assigned to: Shail Bhargava

Bug Description

Section: "Require user accounts to require SSL transport"

Once database user accounts are configured to require SSL transport, the OpenStack service database configuration must specify the certificate authority (CA) information to trust and establish an SSL connection.

A similar example for OpenStack service database configuration is included in the subsequent section "Authentication with X.509 certificates" and should be included for the "SSL transport" section.

Suggested Addition:
If your database server is configured to require SSL transport for authentication, you will need to specify the certificate authority information for use with the initial connection string in the SQLAlchemy query.
Example of an sql_connection string for SSL transport to MySQL:
sql_connection = mysql://compute01:NOVA_DBPASS@localhost/nova?ssl_ca=/etc/mysql/cacert.pem

-----------------------------------
Built: 2015-02-25T07:34:34 00:00
git SHA: 58102c8b3dd25c939d206e34e60c40cc8f034b28
URL: http://docs.openstack.org/security-guide/content/database-access-control.html
source File: file:/home/jenkins/workspace/security-doc-tox-doc-publishdocs/security-guide/section_database-access-control.xml
xml:id: database-access-control

Tags: sec-guide
Changed in openstack-manuals:
assignee: nobody → Shail Bhargava (shabharg)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to security-doc (master)

Fix proposed to branch: master
Review: https://review.openstack.org/159668

Changed in openstack-manuals:
status: New → In Progress
Bryan D. Payne (bdpayne) wrote :

Please use TLS instead of SSL for the discussion around this issue. We are working to get rid of SSL throughout the guide unless it is specifically needed (e.g., to refer to an older, vulnerable version).

Bryan D. Payne (bdpayne) wrote :

Also, please ensure that you use examples that work for both MySQL and PostgreSQL or make it very clear how this applies to each and that your example is specific to a particular setup.

Changed in openstack-manuals:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to security-doc (master)

Reviewed: https://review.openstack.org/159668
Committed: https://git.openstack.org/cgit/openstack/security-doc/commit/?id=51275ad0bcda6e06c2275900ea0c537797746b08
Submitter: Jenkins
Branch: master

commit 51275ad0bcda6e06c2275900ea0c537797746b08
Author: Shail Bhargava <email address hidden>
Date: Thu Feb 26 14:50:17 2015 -0800

    MySQL TLS transport config example

    OpenStack service configuration example for database TLS
    transport. Without this configuration OpenStack service cannot
    establish TLS connection with MySQL database

    Change-Id: Ibbfb146738f61bb069790875ee0924a7207edceb
    Closes-bug: #1425762

Changed in openstack-manuals:
status: In Progress → Fix Released
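
Added example (not part of the bug report, the merged fix, or the security guide): a Python check that reads service configuration text and flags database connection URLs that carry no CA setting, the omission this bug describes. It goes beyond the MySQL case on the page by also checking PostgreSQL URLs through libpq's sslmode parameter; the section names, the `connection` option name and the sample values are assumptions constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit, parse_qs

# Constructed sample configuration; section names and values are placeholders.
SAMPLE_CONF = """
[database]
connection = mysql://compute01:NOVA_DBPASS@localhost/nova?ssl_ca=/etc/mysql/cacert.pem

[legacy]
sql_connection = mysql://compute01:NOVA_DBPASS@localhost/nova

[pg]
connection = postgresql://compute01:NOVA_DBPASS@localhost/nova?sslmode=require
"""

def check_url(url):
    """Return a list of findings for one connection URL (empty list means OK)."""
    parts = urlsplit(url)
    backend = parts.scheme.split("+")[0]      # "mysql+pymysql" -> "mysql"
    query = parse_qs(parts.query)
    if backend == "mysql":
        # ssl_ca is the parameter used in the bug report's suggested example.
        if not query.get("ssl_ca"):
            return ["no ssl_ca: no CA information to trust for the TLS connection"]
        return []
    if backend in ("postgresql", "postgres"):
        # libpq verifies the server certificate only in verify-ca / verify-full;
        # its default when sslmode is absent is "prefer".
        mode = query.get("sslmode", ["prefer"])[0]
        if mode not in ("verify-ca", "verify-full"):
            return [f"sslmode={mode}: server certificate is not verified against a CA"]
        return []
    return [f"unrecognised backend {backend!r}: not checked"]

def audit(conf_text):
    """Map 'section.option' to findings for every connection option found."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        for key in ("connection", "sql_connection"):
            if cp.has_option(section, key):
                report[f"{section}.{key}"] = check_url(cp.get(section, key))
    return report

if __name__ == "__main__":
    for option, findings in audit(SAMPLE_CONF).items():
        print(option, "OK" if not findings else "; ".join(findings))
```

The report never echoes the URL itself, so database passwords stay out of the output.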