If a service is compromised, how compromised is the system?

asked 2014-03-30 17:45:02 -0500

houckrj gravatar image

BLUF Since OpenStack is a distributed system, how compromised does the system become when a single service is compromised?

Details I am looking at this from an insider threat, not an external threat. Obviously, Keystone would be a 100% compromise as the thread can create what ever token they want. In Havana, it would appear that Ceilometer would have close to 0% on the actual operations. While billing make be affected and usage information gathered, the system would still operate properly.

While I have been reading up on OpenStack, I have not seen anything detailed like this. Different policies could be implemented for each service depending on their capabilities.

Additionally, I am looking for "flow of control" between services. I have not found this in the documentation and would like to see what steps the system goes through when answering a request.

While I have attempted to search the forum for similar topics, I did not see any. I have a limited knowledge of OpenStack and may not have been using the proper terms.

edit retag flag offensive close merge delete


An excellent question. While waiting for answers here, may I also suggest posting it on the openstack-security mailing list: http://lists.openstack.org/cgi-bin/ma...

fifieldt gravatar imagefifieldt ( 2014-04-01 23:34:24 -0500 )edit

You might also want to have a look in the Security Guide if you haven't already ( http://docs.openstack.org/sec/ ) as there may be content in there which addresses your question.

fungi gravatar imagefungi ( 2014-04-02 09:15:52 -0500 )edit

Thank you for your replies. I have been looking at the Security Guide and it is the basis of most of my information at this point. While it does put emphasis on certain areas, it doesn't really quantify the importance of a service. Also, now one would define the extent of compromise could vary.

houckrj gravatar imagehouckrj ( 2014-04-02 10:03:18 -0500 )edit