OpenStack components use the OSLO messaging library to communicate with worker processes running on the compute nodes and the cloud controller node. For the best possible performance and scalability, the OSLO library does not sign or encrypt messages. As a result, messaging security depends entirely on the security of the message broker.
You therefore need to protect the messaging broker. Mirantis OpenStack uses the RabbitMQ messaging broker.
Recommendations for messaging security and RabbitMQ:
Delete the RabbitMQ guest user.
Separate the API functional publishers (Nova, Cinder, Neutron, and others) by using the rabbit_virtual_host configuration setting for each API and creating an appropriate RabbitMQ virtual host:
rabbitmqctl add_vhost
For each RabbitMQ virtual host create unique credentials along with appropriate permissions:
rabbitmqctl add_user
rabbitmqctl set_permissions
Monitor RabbitMQ network activity with iptables or another monitoring tool to obtain accounting information.
Forward the RabbitMQ and HAProxy logs to the central syslog server.
Use TLS for messaging transport security.
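As an added example (not part of this guide or of RabbitMQ), a small Python audit that checks the output of rabbitmqctl list_users and rabbitmqctl list_user_permissions against the first three recommendations above: it flags a guest user that still exists and any single credential that holds permissions on more than one virtual host. The rabbitmqctl output samples and the user names are constructed, not captured from a real broker.

```python
"""Audit RabbitMQ users against the recommendations above (added example).
Input is the tab-separated output of `rabbitmqctl list_users` and of
`rabbitmqctl list_user_permissions <user>`; all samples below are constructed."""

def _perms(user, *vhosts):
    """Build constructed `rabbitmqctl list_user_permissions <user>` output."""
    rows = "".join(f"{v}\t.*\t.*\t.*\n" for v in vhosts)
    return f'Listing permissions for user "{user}" ...\nvhost\tconfigure\twrite\tread\n{rows}'

# Constructed: output of `rabbitmqctl list_users` on a broker that still has guest.
USERS_OUTPUT = "Listing users ...\nguest\t[administrator]\nnova\t[]\ncinder\t[]\nshared\t[]\n"
# Constructed: user -> `list_user_permissions` output. "shared" is one credential
# reused for two services' vhosts, which breaks "unique credentials per vhost".
PERMS_OUTPUT = {
    "guest": _perms("guest", "/"),
    "nova": _perms("nova", "/nova"),
    "cinder": _perms("cinder", "/cinder"),
    "shared": _perms("shared", "/neutron", "/glance"),
}

def first_column(text):
    """Return the first tab-separated field of each data row, skipping banner/header."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Listing") or line.startswith("vhost\t"):
            continue
        out.append(line.split("\t")[0])
    return out

def audit(users_output, perms_by_user):
    """Return findings as strings; an empty list means the checks passed."""
    findings = []
    users = first_column(users_output)          # user names from list_users
    if "guest" in users:
        findings.append("guest user still exists; run: rabbitmqctl delete_user guest")
    for user in users:
        vhosts = first_column(perms_by_user.get(user, ""))  # vhosts from list_user_permissions
        if len(vhosts) > 1:
            findings.append(f"user {user!r} has permissions on {len(vhosts)} vhosts "
                            f"({', '.join(vhosts)}); create one user per vhost")
    return findings

if __name__ == "__main__":
    for finding in audit(USERS_OUTPUT, PERMS_OUTPUT):
        print(finding)
```

On a live broker, feed the script the real command output (for example via subprocess) instead of the constructed samples; a non-empty result means one of the recommendations is not yet applied.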