Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
SUSE OpenStack Cloud 9

Security Guide Edit source

Publication Date: 01/07/2022
1 SUSE® OpenStack Cloud: Security Planning and Features
1.1 Security Planning
1.2 Security Features in SUSE OpenStack Cloud 9
1.3 Role-Based Access Control (RBAC) Support for neutron Networks
1.4 Network Security Group Logging and Auditing
1.5 Separate Service Administrator Role
1.6 Inter-service Password Enhancements
1.7 Data In Transit Protection
1.8 Data-at-Rest Protection Using Project-Based Encryption
1.9 CADF-Compliant Security Audit Logs
1.10 glance-API Rate Limit to Address CVE-2016-8611
2 Key Management with the barbican Service
2.1 barbican Service Overview
2.2 Key Features
2.3 Installation
2.4 Auditing barbican Events
2.5 barbican Key Management Service Bootstrap Data
2.6 Known issues and workarounds
3 Key Management Service Administration
3.1 Post-installation verification and administration
3.2 Updating the barbican Key Management Service
3.3 barbican Settings
3.4 Enable or Disable Auditing of barbican Events
3.5 Updating the barbican API Service Configuration File
3.6 Starting and Stopping the barbican Service
3.7 Changing or Resetting a Password
3.8 Checking Barbican Status
3.9 Updating Logging Configuration
4 Service Admin Role Segregation in the Identity Service
4.1 Overview
4.2 Pre-Installed Service Admin Role Components
4.3 Features and Benefits
4.4 Roles
5 Role-Based Access Control in neutron
5.1 Creating a Network
5.2 Creating an RBAC Policy
5.3 Listing RBACs
5.4 Listing the Attributes of an RBAC
5.5 Deleting an RBAC Policy
5.6 Sharing a Network with All Tenants
5.7 Target Project (demo2) View of Networks and Subnets
5.8 Target Project: Creating a Port Using demo-net
5.9 Target Project Booting a VM Using Demo-Net
5.10 Limitations
6 Enabling Network Security Group Logging
7 Configuring keystone and horizon to use X.509 Client Certificates
7.1 Keystone Configuration
7.2 HAProxy Configuration
7.3 Create CA and client certificates
7.4 Horizon Configuration
7.5 Browser configuration
7.6 User accounts
7.7 How it works
8 Transport Layer Security (TLS) Overview
8.1 Comparing Clean Installation and Upgrade of SUSE OpenStack Cloud
8.2 TLS Configuration
8.3 Enabling TLS for MySQL Traffic
8.4 Enabling TLS for RabbitMQ Traffic
8.5 Troubleshooting TLS
9 Preventing Host Header Poisoning
10 Encryption of Passwords and Sensitive Data
10.1 SSH Introduction
10.2 Protecting sensitive data on the Cloud Lifecycle Manager
10.3 Interacting with Encrypted Files
11 Encryption of Ephemeral Volumes
11.1 Enabling ephemeral volume encryption
12 Refining Access Control with AppArmor
12.1 AppArmor in SUSE OpenStack Cloud 9
13 Data at Rest Encryption
13.1 Configuring KMIP and ESKM
13.2 Configuring Cinder Volumes for Encryption
13.3 For More Information
14 glance-API Rate Limit (CVE-2016-8611)
15 Security Audit Logs
15.1 The need for auditing
15.2 Audit middleware
15.3 Centralized auditing configuration

Copyright © 2006– 2022 SUSE LLC and contributors. All rights reserved.

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License : https://creativecommons.org/licenses/by/3.0/legalcode.

For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.

Print this page