Bug 1054896 - SSL configuration and Documentation
Status: CLOSED CURRENTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: doc-Installation_and_Configuration_Guide
4.0
Unspecified Unspecified
high Severity high
: ---
: 5.0 (RHEL 7)
Assigned To: Summer Long
Martin Lopes
: Documentation
Depends On:
Blocks:
Reported: 2014-01-17 12:32 EST by Eric Rich
Modified: 2014-09-04 09:06 EDT
3 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-04 09:06:59 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Eric Rich 2014-01-17 12:32:32 EST
Description of problem:

Currently there is not good documentation covering the SSL endpoint security of swift. The documentation we currently have does not cover securing an SSL endpoint. 

The community documentation simply states that you need to set: 

[DEFAULT]
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key

This establishes the SSL endpoint, however do the API endpoints in keystone need to be updated as well? 

Version-Release number of selected component (if applicable):
4.0 and 3.0

Additional info:

[0] seems to indicate (upstream) that SSL is not yet recommended, as the configuration file (line 31) points out that setting the keys up is for testing only. 

    http://docs.openstack.org/developer/swift/howto_installmultinode.html seems to suggest the same. 

        If you don’t create the cert files, Swift silently uses http internally rather than https. This document assumes that you have created these certs, 
        so if you’re following along step-by-step, create them. In a production cluster, you should terminate SSL before the proxy server. SSL support 
        is provided for testing purposes only.

However [1] seems to point out that the recommended approach might be to put a load balancer or proxy out in front of your swift servers (that terminates the SSL). 

I think we should check with SEG and engineering regarding this. (setting WoC). 

[0] https://github.com/openstack/swift/blob/master/etc/proxy-server.conf-sample#L31-L33
[1] https://github.com/openstack/swift/blob/master/etc/proxy-server.conf-sample#L223-L226
Comment 3 Pete Zaitcev 2014-01-17 13:00:08 EST
The SSL in Swift proxy is only good for testing. Nobody uses it, so
nobody asked for docs. As soon as your cluster starts pushing a bonded
GigE, you start wanting hardware load balancers to terminate SSL,
at least with current CPUs and software.

Maybe we can document this in some kind of best practices document.
Comment 6 Pete Zaitcev 2014-03-26 23:03:21 EDT
I'm re-assigning the component, so that people in Bruce's team can
act upon the documentation change.

I request the following change in the Installation and Configuration
Guide.

In the section 1.3.7. Object Storage Service, add:

"The Object Storage service relies on services provided by the rest of
the OpenStack system, such as Identity Service (Keystone), the rsync
daemon, and a load balancer."

In the section 10.1. Services that Make Up the Object Storage Service,
add:

"In addition, although not a part of Object Storage service software,
a load balancer service is often employed with it.

*Load Balancer*

   The Load Balancer is primarily used to terminate SSL connections.
   Almost any load balancing service for HTTP may be used with Object
   Storage. It only needs to allow additional HTTP requests.
   However, using *nginx* is not recommended, since it stores
   entire bodies of transferred objects, resulting in poor latency.
"

Eric and everyone else in the field should refer to our own guides
first, and upstream and community documentation next. However, in
this case RHOS documentation did not provide an explanation of how
to terminate SSL with Swift.
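An added configuration check, not part of this bug report or of Swift itself: it parses the [DEFAULT] section of a proxy-server.conf and flags the in-proxy SSL setup quoted in the description (cert_file/key_file), which the upstream sample config marks as testing-only, and contrasts it with the layout recommended in comments 3 and 6, where the proxy speaks plain HTTP on an internal address and a load balancer in front of it terminates SSL. The two sample configs and the bind_ip check are constructed for illustration; the key names follow the upstream proxy-server.conf-sample linked in the description.

```python
"""Audit a Swift proxy-server.conf for in-proxy SSL termination.

Added example, not code from the bug report or from Swift. Assumptions:
the [DEFAULT] keys cert_file, key_file, bind_ip and bind_port follow the
upstream proxy-server.conf-sample; both sample configs below are constructed.
"""
import configparser

# Constructed sample: SSL terminated inside the proxy, the setup the report
# quotes from community docs (upstream: "for testing purposes only").
TESTING_ONLY_CONF = """
[DEFAULT]
bind_ip = 0.0.0.0
bind_port = 443
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key

[pipeline:main]
pipeline = catch_errors proxy-logging cache authtoken keystoneauth proxy-server
"""

# Constructed sample: proxy listens on plain HTTP on an internal address;
# a load balancer in front of it terminates SSL (comments 3 and 6).
LB_TERMINATED_CONF = """
[DEFAULT]
bind_ip = 10.0.0.21
bind_port = 8080

[pipeline:main]
pipeline = catch_errors proxy-logging cache authtoken keystoneauth proxy-server
"""


def parse_proxy_conf(text):
    """Return the [DEFAULT] section of a proxy-server.conf as a plain dict.

    RawConfigParser is used because Swift config values contain no
    interpolation syntax; defaults() exposes exactly the [DEFAULT] keys.
    """
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return dict(parser.defaults())


def audit_ssl_termination(default_section):
    """Return a list of findings; an empty list means no SSL concern found."""
    findings = []
    in_proxy_ssl = "cert_file" in default_section or "key_file" in default_section

    if in_proxy_ssl:
        findings.append(
            "cert_file/key_file set: SSL is terminated inside the Swift proxy, "
            "which upstream supports for testing only; terminate SSL at a "
            "load balancer in front of the proxy instead"
        )
        # Assumption for this example: a test-only SSL proxy should at least
        # not be reachable on every interface.
        if default_section.get("bind_ip", "0.0.0.0") == "0.0.0.0":
            findings.append(
                "proxy with test-only SSL listens on all interfaces (bind_ip "
                "= 0.0.0.0); restrict it to the address the load balancer uses"
            )
    return findings


def summarize(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit_ssl_termination(parse_proxy_conf(text))


if __name__ == "__main__":
    for name, conf in (("testing-only", TESTING_ONLY_CONF),
                       ("lb-terminated", LB_TERMINATED_CONF)):
        result = summarize(conf) or ["no in-proxy SSL termination found"]
        print(name)
        for line in result:
            print("  -", line)
```

Running the script prints two findings for the testing-only layout and none for the load-balancer-terminated one; the same `summarize()` call can be pointed at a real /etc/swift/proxy-server.conf read from disk.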
Comment 7 Don Domingo 2014-03-26 23:19:12 EDT
Assigning to Summer Long (author assigned to Object Storage content).
Comment 8 Summer Long 2014-03-30 22:57:27 EDT
Moving to high since SSL can be a real sticking point.
Comment 13 Summer Long 2014-06-04 21:16:47 EDT
Added comment to topic 16781, rev.651585
Comment 14 Summer Long 2014-06-04 21:32:45 EDT
Ready for QE/Peer review, depending on next package build.
Comment 15 Summer Long 2014-06-15 23:11:47 EDT
Updated rev History, topic 30544, rev.673288. 

For peer review:

8.1 = Object Storage Service. Topic 15938, rev.638514
8.2 = Services that Make Up the Object Storage Service. Topic 16765, rev.638524
⁠8.6.3. Configure the Object Storage Service Proxy Service, topic 16781, rev.651585
Comment 16 Martin Lopes 2014-06-18 00:56:15 EDT
Verified
