Bug 1054896
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | SSL configuration and Documentation | | |
| Product: | Red Hat OpenStack | Reporter: | Eric Rich <erich> |
| Component: | doc-Installation_and_Configuration_Guide | Assignee: | Summer Long <slong> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Martin Lopes <mlopes> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.0 | CC: | slong, yeylon, zaitcev |
| Target Milestone: | --- | Keywords: | Documentation |
| Target Release: | 5.0 (RHEL 7) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-09-04 13:06:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
The SSL in Swift proxy is only good for testing. Nobody uses it, so nobody asked for docs. As soon as your cluster starts pushing a bonded GigE, you start wanting hardware load balancers to terminate SSL, at least with current CPUs and software. Maybe we can document this in some kind of best practices document.

I'm re-assigning the component, so that people in Bruce's team can act upon the documentation change. I request the following change in the Installation and Configuration Guide.

In the section 1.3.7. Object Storage Service, add:

"The Object Storage service relies on services provided by the rest of the OpenStack system, such as Identity Service (Keystone), the rsync daemon, and a load balancer."

In the section 10.1. Services that Make Up the Object Storage Service, add:

"In addition, although not a part of Object Storage service software, a load balancer service is often employed with it.

*Load Balancer*

The Load Balancer is primarily used to terminate SSL connections. Almost any load balancing service for HTTP may be used with Object Storage. It only needs to allow additional HTTP requests. However, using *nginx* is not recommended, since it stores entire bodies of transferred objects, resulting in poor latency."

Eric and everyone else in the field should refer to our own guides first, and upstream and community documentation next. However, in this case RHOS documentation did not provide an explanation of how to terminate SSL with Swift.

Assigning to Summer Long (author assigned to Object Storage content). Moving to high since SSL can be a real sticking point.

Added comment to topic 16781, rev.651585. Ready for QE/Peer review, depending on next package build.

Updated rev History, topic 30544, rev.673288.

For peer review:
8.1 = Object Storage Service. Topic 15938, rev.638514
8.2 = Services that Make Up the Object Storage Service. Topic 16765, rev.638524
8.6.3. Configure the Object Storage Service Proxy Service, topic 16781, rev.651585

Verified
Description of problem:

Currently there is no good documentation covering the SSL endpoint security of Swift. The documentation we currently have does not cover securing an SSL endpoint. The community documentation simply states that you need to set:

```ini
[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
```

This establishes the SSL endpoint, however do the API endpoints in Keystone need to be updated as well?

Version-Release number of selected component (if applicable): 4.0 and 3.0

Additional info:

[0] seems to indicate (upstream) that SSL is not yet recommended, as the configuration file's line 31 points out that setting the keys up is for testing only. http://docs.openstack.org/developer/swift/howto_installmultinode.html seems to suggest the same:

> If you don't create the cert files, Swift silently uses http internally rather than https. This document assumes that you have created these certs, so if you're following along step-by-step, create them. In a production cluster, you should terminate SSL before the proxy server. SSL support is provided for testing purposes only.

However [1] seems to point out that the recommended approach might be to put a load balancer or proxy out in front of your Swift servers (that terminates the SSL). I think we should check with SEG and engineering regarding this. (setting WoC).

[0] https://github.com/openstack/swift/blob/master/etc/proxy-server.conf-sample#L31-L33
[1] https://github.com/openstack/swift/blob/master/etc/proxy-server.conf-sample#L223-L226
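As an added illustration (not part of this bug report and not Swift's own code): a small Python check that reads a proxy-server.conf together with the object-store URL registered in the Keystone service catalog, flags the testing-only in-proxy SSL listener described above, and checks that the catalog URL names the host that actually terminates TLS. The two sample configurations, the bind_ip/bind_port values and the swift.example.com load-balancer hostname are constructed; the assumption that clients reach Swift through the catalog URL is stated in the code.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the community "testing only" setup, SSL terminated by the proxy itself.
PROXY_CONF_TESTING = """
[DEFAULT]
bind_port = 8080
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
"""

# Constructed sample: production layout, proxy speaks plain HTTP behind a load balancer.
PROXY_CONF_PRODUCTION = """
[DEFAULT]
bind_ip = 10.0.0.11
bind_port = 8080
"""


def audit_swift_ssl(proxy_conf, catalog_url):
    """Return finding codes for a Swift proxy-server.conf plus the public
    object-store URL from the Keystone catalog (assumed: clients use that URL,
    so it must point at whichever host really terminates TLS)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(proxy_conf)
    d = cp.defaults()  # keys of the [DEFAULT] section, lower-cased
    has_cert, has_key = "cert_file" in d, "key_file" in d
    findings = []
    if has_cert != has_key:
        findings.append("CERT_KEY_MISMATCH")  # one without the other
    proxy_tls = has_cert and has_key
    if proxy_tls:
        findings.append("PROXY_SSL_TESTING_ONLY")  # per the sample conf, not for production
    url = urlparse(catalog_url)
    if url.scheme != "https":
        findings.append("ENDPOINT_NOT_HTTPS")  # tokens and object bodies cross the wire in clear
    elif not proxy_tls and (url.hostname, str(url.port)) == (d.get("bind_ip"), d.get("bind_port")):
        # https URL aimed straight at a plaintext proxy: TLS handshakes fail;
        # the catalog entry should name the load balancer instead.
        findings.append("ENDPOINT_BYPASSES_LB")
    return findings


if __name__ == "__main__":
    for conf, url in [(PROXY_CONF_TESTING, "https://10.0.0.11:8080/v1/AUTH_%(tenant_id)s"),
                      (PROXY_CONF_PRODUCTION, "https://10.0.0.11:8080/v1/AUTH_%(tenant_id)s"),
                      (PROXY_CONF_PRODUCTION, "https://swift.example.com/v1/AUTH_%(tenant_id)s")]:
        print(url, audit_swift_ssl(conf, url))
```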