130 lines
5.7 KiB
XML
130 lines
5.7 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="basics-security">
|
|
<?dbhtml stop-chunking?>
|
|
<title>Security</title>
|
|
<para>OpenStack services support various security methods including
|
|
password, policy, and encryption. Additionally, supporting services
|
|
including the database server and message broker support at least
|
|
password security.</para>
|
|
<para>To ease the installation process, this guide only covers password
|
|
security where applicable. You can create secure passwords manually,
|
|
generate them using a tool such as <application>pwgen</application>, or
|
|
by running the following command:</para>
|
|
<screen><prompt>$</prompt> <userinput>openssl rand -hex 10</userinput></screen>
|
|
<para>For OpenStack services, this guide uses
|
|
<replaceable>SERVICE_PASS</replaceable> to reference service account
|
|
passwords and <replaceable>SERVICE_DBPASS</replaceable> to reference
|
|
database passwords.</para>
|
|
<para>The following table provides a list of services that require
|
|
passwords and their associated references in the guide:
|
|
<table rules="all">
|
|
<caption>Passwords</caption>
|
|
<thead>
|
|
<tr>
|
|
<th>Password name</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>Database password (no variable used)</td>
|
|
<td>Root password for the database</td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>RABBIT_PASS</replaceable></literal></td>
|
|
<td>Password of user guest of RabbitMQ</td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>KEYSTONE_DBPASS</replaceable></literal></td>
|
|
<td>Database password of Identity service</td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>DEMO_PASS</replaceable></literal></td>
|
|
<td>Password of user <literal>demo</literal></td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>ADMIN_PASS</replaceable></literal></td>
|
|
<td>Password of user <literal>admin</literal></td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>GLANCE_DBPASS</replaceable></literal></td>
|
|
<td>Database password for Image Service</td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>GLANCE_PASS</replaceable></literal></td>
|
|
<td>Password of Image Service user <literal>glance</literal></td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>NOVA_DBPASS</replaceable></literal></td>
|
|
<td>Database password for Compute service</td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>NOVA_PASS</replaceable></literal></td>
|
|
<td>Password of Compute service user <literal>nova</literal></td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>DASH_DBPASS</replaceable></literal></td>
|
|
<td>Database password for the dashboard</td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>CINDER_DBPASS</replaceable></literal></td>
|
|
<td>Database password for the Block Storage service</td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>CINDER_PASS</replaceable></literal></td>
|
|
<td>Password of Block Storage service user <literal>cinder</literal></td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>NEUTRON_DBPASS</replaceable></literal></td>
|
|
<td>Database password for the Networking service</td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>NEUTRON_PASS</replaceable></literal></td>
|
|
<td>Password of Networking service user <literal>neutron</literal></td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>HEAT_DBPASS</replaceable></literal></td>
|
|
<td>Database password for the Orchestration service</td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>HEAT_PASS</replaceable></literal></td>
|
|
<td>Password of Orchestration service user <literal>heat</literal></td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>CEILOMETER_DBPASS</replaceable></literal></td>
|
|
<td>Database password for the Telemetry service</td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>CEILOMETER_PASS</replaceable></literal></td>
|
|
<td>Password of Telemetry service user <literal>ceilometer</literal></td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>TROVE_DBPASS</replaceable></literal></td>
|
|
<td>Database password of Database service</td>
|
|
</tr>
|
|
<tr>
|
|
<td><literal><replaceable>TROVE_PASS</replaceable></literal></td>
|
|
<td>Password of Database Service user <literal>trove</literal></td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</para>
|
|
<para>OpenStack and supporting services require administrative privileges
|
|
during installation and operation. In some cases, services perform
|
|
modifications to the host that can interfere with deployment automation
|
|
tools such as Ansible, Chef, and Puppet. For example, some OpenStack
|
|
services add a root wrapper to <literal>sudo</literal> that can interfere
|
|
with security policies. See the
|
|
<link xlink:href="http://docs.openstack.org/admin-guide-cloud/content/root-wrap-reference.html">Cloud Administrator Guide</link>
|
|
for more information. Also, the Networking service assumes default values
|
|
for kernel network parameters and modifies firewall rules. To avoid most
|
|
issues during your initial installation, we recommend using a stock
|
|
deployment of a supported distribution on your hosts. However, if you
|
|
choose to automate deployment of your hosts, review the configuration
|
|
and policies applied to them before proceeding further.</para>
|
|
</section>
|