Re: [openstack-dev] [Fuel] API services available on public VIP

2015-11-16 Thread Matthew Mosesohn
I haven't seen any more discussion on this topic. It looks like since we
default to enabling SSL/TLS on deployments, there's no reason to block
access to public API endpoints.

On Fri, Nov 13, 2015 at 5:15 PM, Vladimir Kuklin wrote:

> Adam
>
> I think the answer is relatively simple - if the user does not want to expose
> those APIs, he can easily configure his infra to filter this traffic. We
> just need to mention this in the Ops Guide.
>
> On Fri, Nov 13, 2015 at 4:02 PM, Adam Heczko  wrote:
>
>> Hello fuelers,
>>
>> today I'd like to raise a question about Fuel deployment practice
>> related to the Public (external) network.
>> The current approach is to expose by default, over the public IP, OpenStack
>> API endpoints like nova, cinder, glance, neutron etc. These API services are
>> exposed through HAProxy with TLS support, so this approach seems to be
>> relatively secure.
>> OTOH industry practice is not to expose too much over public IPs and
>> rather to rely on user action / decision to expose API access to the public.
>> I'd like to ask for your opinions regarding this topic and approach taken
>> by Fuel.
>>
>> Thank you,
>>
>> --
>> Adam Heczko
>> Security Engineer @ Mirantis Inc.
>>
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Yours Faithfully,
> Vladimir Kuklin,
> Fuel Library Tech Lead,
> Mirantis, Inc.
> +7 (495) 640-49-04
> +7 (926) 702-39-68
> Skype kuklinvv
> 35bk3, Vorontsovskaya Str.
> Moscow, Russia,
> www.mirantis.com 
> www.mirantis.ru
> vkuk...@mirantis.com
>


Re: [openstack-dev] [Fuel] API services available on public VIP

2015-11-13 Thread Vladimir Kuklin
Adam

I think the answer is relatively simple - if the user does not want to expose
those APIs, he can easily configure his infra to filter this traffic. We
just need to mention this in the Ops Guide.

On Fri, Nov 13, 2015 at 4:02 PM, Adam Heczko  wrote:

> Hello fuelers,
>
> today I'd like to raise a question about Fuel deployment practice related
> to the Public (external) network.
> The current approach is to expose by default, over the public IP, OpenStack
> API endpoints like nova, cinder, glance, neutron etc. These API services are
> exposed through HAProxy with TLS support, so this approach seems to be
> relatively secure.
> OTOH industry practice is not to expose too much over public IPs and
> rather to rely on user action / decision to expose API access to the public.
> I'd like to ask for your opinions regarding this topic and approach taken
> by Fuel.
>
> Thank you,
>
> --
> Adam Heczko
> Security Engineer @ Mirantis Inc.
>


-- 
Yours Faithfully,
Vladimir Kuklin,
Fuel Library Tech Lead,
Mirantis, Inc.
+7 (495) 640-49-04
+7 (926) 702-39-68
Skype kuklinvv
35bk3, Vorontsovskaya Str.
Moscow, Russia,
www.mirantis.com 
www.mirantis.ru
vkuk...@mirantis.com


[openstack-dev] [Fuel] API services available on public VIP

2015-11-13 Thread Adam Heczko
Hello fuelers,

today I'd like to raise a question about Fuel deployment practice related
to the Public (external) network.
The current approach is to expose by default, over the public IP, OpenStack
API endpoints like nova, cinder, glance, neutron etc. These API services are
exposed through HAProxy with TLS support, so this approach seems to be
relatively secure.
OTOH industry practice is not to expose too much over public IPs and
rather to rely on user action / decision to expose API access to the public.
I'd like to ask for your opinions regarding this topic and approach taken
by Fuel.

Thank you,

-- 
Adam Heczko
Security Engineer @ Mirantis Inc.