openstack
/
security-doc
Code Issues Proposed changes

Update nova-compute keystone validation 

In Ocata, auth_strategy was moved into the [api] namespace,
making [api] or [DEFAULT] a valid section to place this
option in.

Change-Id: I6ec0f4fb0cc24f537defec78bfcdf35147b4ba23
This commit is contained in:
Chris MacNaughton 2019-03-28 09:35:16 +01:00 committed by Chris MacNaughton (icey)
parent 6a64a48682
commit a4a24e3d0b
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
security-guide/source/compute/checklist.rst
View File

@ -88,12 +88,22 @@ attacker might gain unauthorized access to the OpenStack components. We
strongly recommend that all services must be authenticated with keystone
using their service accounts.
Before Ocata:
**Pass:** If value of parameter ``auth_strategy`` under ``[DEFAULT]`` section
in ``/etc/nova/nova.conf`` is set to ``keystone``.
**Fail:** If value of parameter ``auth_strategy`` under ``[DEFAULT]`` section
is set to ``noauth`` or ``noauth2``.
After Ocata:
**Pass:** If value of parameter ``auth_strategy`` under ``[api]`` or
``[DEFAULT]`` section in ``/etc/nova/nova.conf`` is set to ``keystone``.
**Fail:** If value of parameter ``auth_strategy`` under ``[api]`` or
``[DEFAULT]`` section is set to ``noauth`` or ``noauth2``.
.. _check_compute_04:
Check-Compute-04: Is secure protocol used for authentication?