secure oslo_messaging.rpc
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack DBaaS (Trove) | New | Wishlist | Unassigned |
Bug Description
https:/
Dear bug triager. This bug was created since a commit was marked with DOCIMPACT.
Your project "openstack/trove" is set up so that we directly report the documentation bugs against it. If this needs changing, the docimpact-group option needs to be added for the project. You can ask the OpenStack infra team (#openstack-infra on freenode) for help if you need to.
commit a7115e22f7fbf77
Author: Amrith Kumar <email address hidden>
Date: Fri Dec 9 10:09:46 2016 -0500
secure oslo_messaging.rpc
This is an interim commit of the changes for secure
oslo-
serializers that will encrypt all traffic being sent on
oslo_
Each guest communicates with the control plane with traffic encrypted
using a per-instance key. This includes both traffic from the
taskmanager to the guest as well as the guest and the conductor.
Per-instance keys are stored in the infrastructure database. These
keys are further encrypted in the database.
Tests that got annoyed have been placated.
Upgrade related changes have been proposed. If an instance has no key,
no encryption is performed. If the guest gets no key, it won't
encrypt, just pass through. When an instance is upgraded, keys are
added.
The output of the trove show command (and the show API) have been
augmented to show which instances are using secure RPC communication
** if the requestor is an administrator **.
A simple caching mechanism for encryption keys has been proposed; this
will avoid the frequent database access to get the encryption
keys. For Ocata, to handle the upgrade case, None as an encryption_key
is a valid one, and is therefore not cached. This is why we can't use
something like lrucache.
A brief writeup has been included in dev docs
(dev/
used and would help the documentation team write up the documentation
for this capability.
Change-Id: Iad03f190c99039
DocImpact: see dev/secure_
Blueprint: secure-
Related: If0146f08b3c5ad
Related: I04cb76793cbb8b
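The commit message's point about caching, that `None` is a valid key during upgrade and so must not be cached, shown as an added example that is not Trove's code. The names `KeyCache`, `load_key_from_db` and `FAKE_DB` and all key values are hypothetical and constructed for illustration; `functools.lru_cache` stands in for "something like lrucache".

```python
import functools

# Constructed stand-in for the infrastructure database: instance id -> key.
# "inst-legacy" predates secure RPC and has no key until it is upgraded.
FAKE_DB = {"inst-new": b"k1-constructed", "inst-legacy": None}
db_reads = {"count": 0}


def load_key_from_db(instance_id):
    """Hypothetical DB lookup; counts reads so caching is observable."""
    db_reads["count"] += 1
    return FAKE_DB.get(instance_id)


class KeyCache:
    """Caches real keys only; a None result is returned but never stored."""

    def __init__(self, loader):
        self._loader = loader
        self._keys = {}

    def get(self, instance_id):
        key = self._keys.get(instance_id)
        if key is None:
            # Miss, or the instance had no key last time: ask the DB again.
            key = self._loader(instance_id)
            if key is not None:
                self._keys[instance_id] = key
        return key


def demo():
    """Look up a keyless instance, upgrade it, then look it up again."""
    FAKE_DB["inst-legacy"] = None
    memoized = functools.lru_cache(maxsize=None)(load_key_from_db)
    cache = KeyCache(load_key_from_db)
    memoized("inst-legacy")      # memoizes None
    cache.get("inst-legacy")     # returns None, stores nothing
    FAKE_DB["inst-legacy"] = b"k2-constructed"   # upgrade adds a key
    # The memoized lookup still says "no key", so that caller would keep
    # passing traffic through unencrypted; KeyCache sees the new key.
    return memoized("inst-legacy"), cache.get("inst-legacy")


if __name__ == "__main__":
    print(demo())
```

The cost of this design is one database read per message for every instance that still has no key, which ends once the instance is upgraded.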
Changed in trove:
importance: Undecided → Wishlist