My guess is horizon admin panels would bomb out... but it would be trivial to replace the admin panels with a warning page.

-matt

On Tue, Oct 21, 2014 at 10:23 AM, Adam Young <ayo...@redhat.com> wrote:
> On 10/20/2014 12:11 AM, Tim Goddard wrote:
>
>> Hello all,
>>
>> We have an established OpenStack cloud and as part of a round of security
>> hardening would like to add some additional restrictions on the use of "admin"
>> permissions.
>>
>> In particular, we would like to limit it so that API endpoints requiring admin
>> access can only be used from a VPN (known range of source IP addresses). We do
>> not want the public-facing APIs to expose these endpoints, even to users with
>> the right credentials.
>>
>> Has anyone already been through a similar process and have a method or advice
>> for us to follow?
>>
> From a Keystone perspective, what you want to do is to use the "admin"
> and "main" configuration to have each mapped to different interfaces on the HTTPD
> server machine. Don't try to do this with Eventlet, as Eventlet alone
> doesn't support it.
>
> You'll have to decide what you want to do about Horizon, as the Admin
> operations on Keystone from Horizon are RBAC controlled. You could run two
> different Horizon instances, one internal and one external, and give each a
> separate Auth URL. Then the Admin port would be hidden from Horizon, but I
> think the admin fields would still show up on the Horizon portal, just be
> non-functional. I'll let some Horizon folks chime in with how to deal with
> that.
>
> Unfortunately, each service defines these things a little differently, and
> not all of them run in Eventlet. For the ones that run in Eventlet, you'll
> need to use some form of termination in front of them to bind to different
> interfaces.
>
>> Cheers,
>>
>> Tim
_______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
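One way to enforce the source-range restriction Tim asks for at the termination point Adam describes, as an added example that is not code from this thread or from any OpenStack project: a small WSGI filter that refuses admin-only paths unless the effective client address is inside the VPN range. The VPN range (10.8.0.0/24), the trusted terminator address (10.0.0.5) and the admin-only path prefixes are assumed values for illustration; the important edge case is that X-Forwarded-For is honoured only when the direct peer is the trusted terminator, since an untrusted client can set that header to anything.

```python
"""Source-range gate for admin API paths (constructed example, not OpenStack code).

Requests to admin-only URL prefixes are allowed only when the peer address lies
inside the VPN range; anything else gets 403. X-Forwarded-For is trusted only
when the direct peer is a known terminator (e.g. the proxy put in front of an
Eventlet service), otherwise a client could spoof a VPN address in the header.
"""
import ipaddress

VPN_RANGE = ipaddress.ip_network("10.8.0.0/24")        # assumed VPN address pool
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}   # assumed terminating proxy
ADMIN_PREFIXES = ("/v2.0/tenants", "/v2.0/users", "/v3/users", "/v3/roles")  # assumed


def client_ip(environ):
    """Effective client address; XFF is honoured only from a trusted proxy."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if peer in TRUSTED_PROXIES and xff:
        # The right-most entry is the one our own proxy appended.
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


class AdminSourceFilter:
    """WSGI filter: deny admin paths unless the client is inside VPN_RANGE."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path.startswith(ADMIN_PREFIXES) and client_ip(environ) not in VPN_RANGE:
            body = b"admin endpoints are reachable only from the VPN\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def decision(path, remote_addr, xff=None):
    """Status line the filter produces for a request (used to exercise it)."""
    status = {}
    def inner(environ, sr):
        sr("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    def sr(line, headers):
        status["line"] = line
    env = {"PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    if xff:
        env["HTTP_X_FORWARDED_FOR"] = xff
    AdminSourceFilter(inner)(env, sr)
    return status["line"]
```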