Posted to dev@cloudstack.apache.org by Rohit Yadav <ro...@shapeblue.com> on 2017/07/13 10:59:02 UTC

[DISCUSS][SECURITY] Feature: Secure CloudStack Communications

All,


With upcoming features such as the application service (container service), and existing features such as SAML, they all need some sort of certificate management, and the idea with the proposed feature is to build a pluggable certificate authority manager (CA Manager). I would like to kick off an initial discussion around how we can secure components of CloudStack: a CA service/manager that can create/provision/deploy certificates, providing both automated and semi-automated ways for deploying/setting up certificates using in-band (ssh, command-answer pattern) and out-of-band (ssh, ansible, chef etc.) methods to CloudStack services (such as systemvm agents, KVM agents, possible webservices running in systemvms, VRs etc.).


While we do have some APIs and mechanisms to secure user/external-facing services where we can use custom or failsafe SSL/TLS certificates, it's far from a complete solution. The present communication between the CloudStack management server, its peers and agents (served on port 8250) is a one-way SSL handshaked connection and is not authenticated, while it may be secured by insecure certificates.


As a first step, it is proposed to create a general purpose pluggable CA service with a default plugin implementation where CloudStack becomes a Root-CA and can issue self-signed certificates. Such certificates may be consumed by CloudStack agents (CPVM/SSVM/KVM) and other components/services (such as SAML, container services etc). The pluggable CA framework should allow developers to extend the functionality by implementing provider plugins that may work with other CA providers such as LetsEncrypt, an existing/internal CA infrastructure, or other certificate vendors.


Please see an initial FS and ideas on implementation in the following FS. Looking forward to your feedback.


FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+Agent+Communications

JIRA: https://issues.apache.org/jira/browse/CLOUDSTACK-9993


Regards.

rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS UK
@shapeblue
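
An added illustration of the root-CA idea in the proposal above (not code from this thread, the FS or the pull request): a throwaway root CA issues a certificate to an agent, and a peer that trusts only that root accepts the issued certificate and rejects one the agent signed for itself. The subject names, file names, lifetimes and the agent name kvm-agent-01 are assumptions; it needs only the openssl CLI.

```shell
# Constructed example: subjects, lifetimes and file names are assumptions,
# not CloudStack defaults. Requires the openssl CLI.
set -eu
# Minimal OpenSSL config, so results do not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = example-root-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[agent]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth,serverAuth
EOF
}

# Root CA: key pair plus self-signed CA certificate (the trust anchor).
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Agent creates key + CSR, the CA signs it. $2 is a hypothetical agent name.
issue_agent_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/ca.cnf" -extensions agent \
    -out "$1/$2.crt" 2>/dev/null
}

# A certificate the agent signed for itself, outside the CA.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/$2-self.key" -out "$1/$2-self.crt" 2>/dev/null
}

# Decision of a peer that trusts only the root CA about a presented certificate.
peer_accepts() { openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; }

d=$(mktemp -d); write_cnf "$d"; make_root_ca "$d"
issue_agent_cert "$d" kvm-agent-01; make_self_signed "$d" kvm-agent-01
peer_accepts "$d" "$d/kvm-agent-01.crt" && echo "CA-issued: accepted"
peer_accepts "$d" "$d/kvm-agent-01-self.crt" || echo "self-signed: rejected"
```

Both certificates carry the same subject name; only the issuer check against the trusted root tells them apart.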
  
 


Re: [DISCUSS][SECURITY] Feature: Secure CloudStack Communications

Posted by Rohit Yadav <ro...@shapeblue.com>.
Thank you all, the feature has been merged into master with extensive testing. I'll now proceed with sending a doc PR to document this feature, and usage of scripts.


- Rohit

________________________________
From: ilya <il...@gmail.com>
Sent: Thursday, August 24, 2017 12:20:41 AM
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS][SECURITY] Feature: Secure CloudStack Communications

Awesome work - thank you Rohit.

On 8/23/17 12:49 PM, Rohit Yadav wrote:
> All,
>
>
> No regression is seen in the smoke test run, however, I'll leave the PR open for some time to gather further feedback and reviews.
>
>
> - Rohit
>
> ________________________________
> From: Rohit Yadav <ro...@shapeblue.com>
> Sent: Friday, August 18, 2017 4:09:30 PM
> To: dev@cloudstack.apache.org
> Subject: Re: [DISCUSS][SECURITY] Feature: Secure CloudStack Communications
>
> All,
>
>
> The feature is ready for your review, please see:
>
> https://github.com/apache/cloudstack/pull/2239
>
>
> Thanks and regards.
>


Re: [DISCUSS][SECURITY] Feature: Secure CloudStack Communications

Posted by ilya <il...@gmail.com>.
Awesome work - thank you Rohit.


Re: [DISCUSS][SECURITY] Feature: Secure CloudStack Communications

Posted by Rohit Yadav <ro...@shapeblue.com>.
All,


No regression is seen in the smoke test run, however, I'll leave the PR open for some time to gather further feedback and reviews.


- Rohit


Re: [DISCUSS][SECURITY] Feature: Secure CloudStack Communications

Posted by Rohit Yadav <ro...@shapeblue.com>.
All,


The feature is ready for your review, please see:

https://github.com/apache/cloudstack/pull/2239


Thanks and regards.
