
openstack team mailing list archive

Re: Messaging level auth

 

Joshua,
your question scares me :)

Actually you can define user/pass for rabbitmq:
See in rpc/impl_kombu.py, which is used by default:
        self.params = dict(hostname=FLAGS.rabbit_host,
                           port=FLAGS.rabbit_port,
                           userid=FLAGS.rabbit_userid,
                           password=FLAGS.rabbit_password,
                           virtual_host=FLAGS.rabbit_virtual_host)

But this does not seem to be a secured connection, since I don't see any
usage of SSL here.
In rpc/impl_carrot.py:
            params = dict(hostname=FLAGS.rabbit_host,
                          port=FLAGS.rabbit_port,
                          ssl=FLAGS.rabbit_use_ssl,
                          userid=FLAGS.rabbit_userid,
                          password=FLAGS.rabbit_password,
                          virtual_host=FLAGS.rabbit_virtual_host)
but I have never tried carrot and don't know if it works.

Can someone else clarify the question? It seems important in terms of
security.

Thanks,

On Wed, Sep 21, 2011 at 2:20 PM, Joshua Harlow <harlowja@xxxxxxxxxxxxx> wrote:

>  A quick security question.
>
> Is there any plan to force authentication/authorization of the rabbitmq
> messages?
>
> Right now it seems like keystone (tbd) will protect the
> external<->openstack layers but what about the openstack<->openstack layers.
>
> If someone got access to the rabbitmq it seems like without this kind of
> layer bad things could happen (create me 1000 nodes...).
>
> Has there been any thought in that area?
>
> -Josh
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>


-- 
Mike Scherbakov
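As an added example (not code from the thread and not nova's own), here is the difference between the two backends' parameter dicts made concrete, plus a small audit of the resulting settings for the weaknesses the thread raises. FLAGS is a constructed stand-in for nova's flags object and the hostnames and credentials are constructed sample values.

```python
"""Build the broker connection parameters the way the two rpc backends
do, then audit them for missing SSL and default credentials.
FLAGS below is a constructed stand-in for nova's flags, not the real one."""

from types import SimpleNamespace

# Constructed sample settings using the rabbit_* flag names from the thread.
FLAGS = SimpleNamespace(
    rabbit_host="rabbit.example.invalid",   # placeholder host
    rabbit_port=5672,
    rabbit_userid="guest",                  # RabbitMQ's default account
    rabbit_password="guest",
    rabbit_virtual_host="/",
    rabbit_use_ssl=False,
)

# Constructed hardened settings for comparison.
HARDENED = SimpleNamespace(
    rabbit_host="rabbit.example.invalid",
    rabbit_port=5671,                       # conventional AMQP-over-TLS port
    rabbit_userid="nova",
    rabbit_password="placeholder-strong-secret",
    rabbit_virtual_host="/nova",
    rabbit_use_ssl=True,
)

def kombu_params(flags):
    """Parameters as impl_kombu.py builds them: no ssl key at all."""
    return dict(hostname=flags.rabbit_host, port=flags.rabbit_port,
                userid=flags.rabbit_userid, password=flags.rabbit_password,
                virtual_host=flags.rabbit_virtual_host)

def carrot_params(flags):
    """Parameters as impl_carrot.py builds them: rabbit_use_ssl passed through."""
    params = kombu_params(flags)
    params["ssl"] = flags.rabbit_use_ssl
    return params

def audit_broker_params(params):
    """Return a list of findings for a broker connection parameter dict."""
    findings = []
    if not params.get("ssl", False):
        findings.append("transport: ssl not enabled; credentials and RPC payloads travel in clear")
    if params.get("userid") == "guest" and params.get("password") == "guest":
        findings.append("credentials: RabbitMQ default guest/guest account in use")
    if not params.get("password"):
        findings.append("credentials: empty password")
    if params.get("ssl") and params.get("port") == 5672:
        findings.append("port: ssl requested on the plaintext AMQP port 5672 (TLS listener is usually 5671)")
    return findings
```

Running `audit_broker_params(kombu_params(FLAGS))` reports both the missing SSL and the default account, while the hardened settings through the carrot builder come back clean.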
