Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Performing security operations

Red Hat OpenStack Services on OpenShift 18.0

Operating security services in a Red Hat OpenStack Services on OpenShift environment

OpenStack Documentation Team

Abstract

Back up and restore secure information, rotate passwords, and operate secure services in a Red Hat OpenStack Services on OpenShift environment.

Providing feedback on Red Hat documentation
Copy link

We appreciate your feedback. Tell us how we can improve the documentation.

To provide documentation feedback for Red Hat OpenStack Services on OpenShift (RHOSO), create a Jira issue in the OSPRH Jira project.

Procedure

  1. Log in to the Red Hat Atlassian Jira.
  2. Click the following link to open a Create Issue page: Create issue
  3. Complete the Summary and Description fields. In the Description field, include the documentation URL, chapter or section number, and a detailed description of the issue.
  4. Click Create.
  5. Review the details of the bug you created.

Chapter 1. Rotate user credentials
Copy link

Create and update usernames or passwords in Red Hat OpenStack Services on OpenShift (RHOSO) to secure system access. Rotating credentials prevents unauthorized entry and ensures compliance with your organization’s security standards.

RHOSO provides the RHOSO administrator with easy to perform procedures that can rotate the following user credentials without causing service disruption:

  • To rotate the user credentials of the MariaDB database account of an OpenStack service.
  • To rotate the password of the root database account of a Galera database.
  • To rotate the user credentials of a dedicated RabbitMQ user.

1.1. Prerequisites
Copy link

  • You are logged on to a workstation that has access to the RHOSO control plane as a user with cluster-admin privileges.
  • You have the oc command line tool installed on your workstation.

Rotating credentials prevents unauthorized entry and ensures compliance with your organization’s security standards. In Red Hat OpenStack Services on OpenShift (RHOSO) rotating the credentials of a MariaDB database account for an OpenStack service requires creating a new database account. Because having two sets of credentials guarantees that there will not be a service outage during the process of updating these credentials.

In RHOSO every deployed OpenStack service that requires database access has a unique MariaDB database account managed by a MariaDBAccount custom resource (CR), which provides the user credentials. This database account targets a specific database, which by default is the openstack database. You can use the following command to list all the available database accounts oc get mariadbaccount.

The OpenStackControlPlane CR uses the name specified by the databaseAccount: parameter of a service to initiate the process of creating the database account for this service and its associated MariaDBAccount CR. Therefore, to rotate the database account user credentials for an OpenStack service, the RHOSO administrator must edit the OpenStackControlPlane CR to specify a new name for the databaseAccount: parameter of this service and apply this change.

Important

To avoid interruptions to long-running migrations that cannot be interrupted, use a maintenance window. For example, Block Storage (cinder) volume migrations or Compute service (nova) host migrations.

After the new database account has been successfully created, the old database account remains until the resources are updated to use the new database account.

The following procedure rotates the user credentials of the default database account for the OpenStack Identity service (keystone) in the control plane, which is called keystone.

Procedure

  1. Set the default RHOSO namespace: 

    $ oc project <namespace>
    • Replace <namespace> with the namespace of the required RHOSO environment, for example, openstack.

  2. Edit your OpenStackControlPlane CR on your workstation: 

    $ oc edit openstackcontrolplane <name>
    • Replace <name> with the name of your YAML OpenStackControlPlane CR, which you can use the following command to retrieve: oc get openstackcontrolplane.

  3. Locate the databaseAccount: parameter for the deployed OpenStack service in this CR file.

    Locate this databaseAccount: parameter for the OpenStack Identity service (keystone) in the OpenStackControlPlane CR: 

    ...
  keystone:
   ...
   template:
     ...
     databaseAccount: keystone

  4. Change the name of the existing database account, in this example keystone, to a new name.

    Note

    If this new name contains multiple words, separate each word with a dash, for example: my-new-keystone-database-account, do not use the _ character.

  5. Save and close the editor to apply this change.

  6. Wait for the deployment of the control plane to reach the Ready status: 

    $ oc wait openstackcontrolplane <name> --for=condition=Ready --timeout=600s

  7. You can use the following command to verify that the new database account has been successfully created for your OpenStack service: 

    $ oc get mariadbaccount

    In this example, the command output shows the new database account called my-new-keystone-database-account in the list of database accounts.

    If the old database account for this OpenStack service still appears in this list, you can use the following command to delete this account: oc delete mariadbaccounts <database-account-name> by replacing <database-account-name> with the name of the old database account, which in this example is the keystone database account.

In Red Hat OpenStack Services on OpenShift (RHOSO), rotating the password of the MariaDB database account for the root user prevents unauthorized access to its Galera database and ensures compliance with your organization’s security standards. This password rotation process requires creating a new secret containing the new password and updating the MariaDB root database account with this secret. This process ensures that the root database password is rotated without service disruption.

The MariaDB database account for the root user of a Galera database is managed by a MariaDBAccount custom resource (CR). But this database account is unlike the database accounts of other OpenStack services because:

  • Each root database account targets a specific Galera database, for example, the openstack database is managed by the openstack Galera CR.
  • The root database account has a static user name of root
  • The name of its MariaDBAccount CR adheres to a default naming convention, which for the openstack database is: openstack-mariadb-root.

Therefore only the password is rotated for the root database account, by creating a new secret and assigning it to this MariaDBAccount CR. You can use the following command to list all the available database accounts, including the root database accounts: oc get mariadbaccount.

Note

Never modify the existing secret, always create a new secret when rotating the password for the root database account.

When the control plane is deployed a Secret CR, known as osp-secret is typically created containing the passwords for every deployed OpenStack service. This CR includes the DbRootPassword that specifies the password of the root database account of all the Galera databases specified by the control plane, such as the openstack database. This Secret CR is used for the initial deployment of the control plane only.

During the deployment of the control plane a secret named openstack-mariadb-root-db-secret is created containing the DbRootPassword from osp-secret. This openstack-mariadb-root-db-secret secret is referenced by the MariaDBAccount CR that manages the password of the root database account for the openstack database.

The following procedure rotates the password of the root database account that targets the openstack database, which is managed by the MariaDBAccount CR called openstack-mariadb-root. This procedure assumes that the control plane has recently been deployed and that the secret for this password is still called openstack-mariadb-root-db-secret.

Procedure

  1. Set the default RHOSO namespace: 

    $ oc project <namespace>
    • Replace <namespace> with the namespace of the required RHOSO environment, for example, openstack.

  2. Create a new secret CR YAML file containing the new password for the root database account of the openstack database. In this example this file is called: new-password-secret.yaml.

    Note

    Always use the stringData: property when creating your secrets because you can specify the secret data as unencoded, plain-text strings, which are automatically encoded to base64. 

    $ cat > new-password-secret.yaml << 'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: <new-secret-name>
  namespace: openstack
type: Opaque
stringData:
  DatabasePassword: "<your-new-password>"
EOF

    • Replace <new-secret-name> with the new secret name, for example, openstack-mariadb-root-db-secret-2025-02.

      Note

      Separate each word in the secret name with a dash.

    • Replace <your-new-password> with the new password that you must generate, according to your organization’s security standards.

      Tip

      Use strong passwords with a minimum of 32 characters that use mixed character types.

  3. Apply the new secret CR: 

    $ oc apply -f new-password-secret.yaml

  4. Edit the openstack-mariadb-root MariaDBAccount CR: 

    $ oc edit mariadbaccount openstack-mariadb-root

  5. Specify the name of the new secret you created in step 1: 

    apiVersion: mariadb.openstack.org/v1beta1
kind: MariaDBAccount
metadata:
  name: openstack-mariadb-root
  namespace: openstack
spec:
  userName: root
  accountType: System
  secret: <new-secret-name>
    • Replace <new-secret-name> with the new secret name that you have created in step 1, which in this example is: openstack-mariadb-root-db-secret-2025-02.
  6. Save and close this editor to apply this change.

  7. Verify that this password rotation process is successful, by using the following command, which in this example retrieves the current password of the root database account for the openstack database: 

    $ oc get galera <galera-database-cr-name> -o jsonpath='{.status.rootDatabaseSecret}'

    • Replace <galera-database-cr-name> with the name of the Galera CR that manages the required database this is openstack in this example.

      This command retrieves the old secret name, which in this example is: openstack-mariadb-root-db-secret until the password rotation process of the root database account is complete. When the password is successfully rotated this command retrieves the new secret name, which in this example is: openstack-mariadb-root-db-secret-2025-02.

  8. You can safely delete the old secret for this root database account after you have confirmed that the password is successfully rotated, by using the following command: 

    $ oc delete secret <old-secret-name>
    • Replace <old-secret-name> with the name of the previous secret, which in this example is: openstack-mariadb-root-db-secret.

If you know the Galera name of the required database then you can use a script to decode the password from the secret of its root database account.

The Galera name depends on your control plane deployment. The name used in the default control plane is openstack for the database referenced by all the deployed OpenStack services that require a database and openstack-cell1 for the database used by the OpenStack Compute service for cell1. You can use the following command to list all of your deployed Galera instances: 

$ oc get galera -n <namespace>
  • Replace <namespace> with the namespace of the required RHOSO environment, for example, openstack.

The following script decodes and retrieves the password from the secret of a root database account for the openstack Galera database: 

# Set the Galera instance name
GALERA_NAME="openstack"

# Get the secret name
SECRET_NAME=$(oc get galera $GALERA_NAME -n openstack -o jsonpath='{.status.rootDatabaseSecret}')

# Decode the password
oc get secret $SECRET_NAME -n openstack -o jsonpath='{.data.DatabasePassword}' | base64 -d
echo  # Print newline

1.4. Create RabbitMQ users for RHOSO services
Copy link

By default, Red Hat OpenStack Services on OpenShift (RHOSO) creates a shared RabbitMQ user for all OpenStack services. For security and isolation, you can create dedicated RabbitMQ users for your OpenStack services.

Depending upon the RabbitMQ messaging requirements of a RHOSO service, you can create a dedicated RabbitMQ user for the RPC communication of the service, by adding the user: parameter to the template.messagingBus configuration section and specifying the required user name. Similarly you can create a dedicated RabbitMQ user for the notifications of the service, by adding the user: parameter to the template.notificationsBus configuration section and specifying the required user name. For more information, see Understand the RabbitMQ interface for OpenStack services in the Monitoring high availability services guide.

Important

RHOSO manages the passwords for the RabbitMQ user names that you specify.

RabbitMQ user credential creation process
  1. The RHOSO administrator must specify the dedicated RabbitMQ users for the required OpenStack services in the OpenStackControlPlane CR.
  2. The RHOSO administrator must update the OpenStackControlPlane CR.

  3. RHOSO creates RabbitMQ users using the names that you specify.

    Note

    Do not specify the _ character when creating user names.

  4. RHOSO generates a secure random password for each new RabbitMQ user.
  5. RHOSO stores each password in a Kubernetes secret.
  6. RHOSO configures each OpenStack service to use their RabbitMQ user credentials

Therefore, the RHOSO administrator must routinely change the user name of the dedicated RabbitMQ users of the OpenStack services to rotate their user credentials. For more information, see Rotating the credentials of RabbitMQ users.

The following procedure creates a dedicated RabbitMQ user named cinder-user1 for the RabbitMQ RPC communication of the Block Storage service (cinder), configured in its template.messagingBus configuration section.

In this example, the OpenStackControlPlane CR uses the global messagingBus RabbitMQ setting to specify rabbitmq as the RabbitMQ cluster for the Block Storage service (cinder).

Procedure

  1. Set the default RHOSO namespace: 

    $ oc project <namespace>
    • Replace <namespace> with the namespace of the required RHOSO environment, for example, openstack.

  2. Edit your OpenStackControlPlane CR on your workstation: 

    $ oc edit openstackcontrolplane <name>
    • Replace <name> with the name of your YAML OpenStackControlPlane CR, which you can use the following command to retrieve: oc get openstackcontrolplane.

  3. Add the user parameter to the spec.cinder.template.messagingBus section and provide the user name. In this example, this is cinder-user1:

    Note

    Do not specify the _ character when creating new names because this character is unsupported. 

      spec:
   ...
    cinder:
      ...
      template:
        messagingBus:
          user: cinder-user1
  4. Save and close the editor to apply this change.

  5. Wait for the deployment of the control plane to reach the Ready status: 

    $ oc wait openstackcontrolplane <name> --for=condition=Ready --timeout=600s

Verification:

  • After the deployment of the control plane completes, verify that the dedicated RabbitMQ user is created: 

    $ oc get rabbitmquser
NAME                                  CLUSTER    USERNAME   VHOST   STATUS   MESSAGE
cinder-cinder-transport-cinder-user1-user   rabbitmq   cinder-user1     /       True     Setup complete

    • NAME: specifies the resource name for this RabbitMQ user, which adheres to the following format: <service>-<component>-<transport-type>-<username>-user

      Where:

      • <service> is the OpenStack service name. In this example, this is cinder for the Block Storage service.
      • <component> is the component of the specified OpenStack service. In this example, this is cinder for the Block Storage service component. All the other Block Storage components, such as the Block Storage API and scheduler share this user.
      • <transport-type> is the type of RabbitMQ messaging. In this example, this is transport to indicate RPC messaging. If we were configuring the notification messaging, then this would be the notifications-transport.
      • <username> is the name of the user that you specify. In this example, this is cinder-user1.
      • user indicates that this is a RabbitMQUser resource.
    • CLUSTER specifies the RabbitMQ cluster this user belongs to. In this example, this is rabbitmq.
    • USERNAME specifies the name of the user that you specify. In this example, this is cinder-user1.
    • VHOST specifies the RabbitMQ virtual host that this user can access. In this example, this is the default virtual host /.
    • STATUS specifies whether this user was created successfully True or not False.
    • MESSAGE specifies the message associated with the specified STATUS.

1.5. Rotate RabbitMQ user credentials
Copy link

Rotating credentials prevents unauthorized entry and ensures compliance with your organization’s security standards. In Red Hat OpenStack Services on OpenShift (RHOSO) rotating the credentials of the dedicated RabbitMQ users of your OpenStack services involves changing their user names. Because RHOSO manages the passwords for the RabbitMQ user names that you specify and having two sets of credentials guarantees that there will not be a service outage during the process of updating these credentials.

RabbitMQ user credential rotation process
  1. The RHOSO administrator must have created the initial RabbitMQ users for the required OpenStack services in the OpenStackControlPlane custom resource (CR) file. For more information, see Create RabbitMQ users for OpenStack services.
  2. The RHOSO administrator must change these user names in the OpenStackControlPlane CR to rotate your RabbitMQ user credentials.
  3. The RHOSO administrator must update the OpenStackControlPlane CR.
  4. RHOSO creates new RabbitMQ users with their new names.
  5. RHOSO generates a new secure random password for each new user.
  6. RHOSO stores each password in a Kubernetes secret.
  7. RHOSO updates each service to use the new user credentials.
  8. RHOSO keeps the old user credentials until the RHOSO administrator deletes them manually.

The old RabbitMQ users cannot be automatically deleted because:

  • Services running on Compute nodes in the data plane use the RabbitMQ service.
  • Network agents running on external nodes use the RabbitMQ service.

Therefore automatically deleting the old users could break these services before they update to the new credentials. The RHOSO administrator must therefore verify that all services, including dataplane deployments, are using the new credentials before manually removing the old users.

The following procedure rotates the RabbitMQ credentials for the Block Storage service (cinder), by creating a new RabbitMQ user named cinder-user2 for the RabbitMQ RPC communication of the Block Storage service and removing the old user named cinder-user1.

Prerequisites

  • The OpenStack control plane is deployed with a dedicated RabbitMQ user for the required OpenStack service. In this example, the Block Storage service (cinder).
  • You have verified which RabbitMQ user name is currently specified for the required OpenStack service. In this example, the RabbitMQ user name is cinder-user1.

  • If the required OpenStack service must update Compute nodes and external services in the data plane, ensure that you have the latest OpenStackDataPlaneDeployment CR YAML file, for example, `openstack-edpm-deployment.yaml’.

    Note

    You must create a new OpenStackDataPlaneDeployment CR to start another Ansible execution that applies any changes you make to the data plane. This is because when an OpenStackDataPlaneDeployment CR successfully completes execution, it does not automatically execute the Ansible again, even if the OpenStackDataPlaneDeployment CR or related OpenStackDataPlaneNodeSet resources are changed.

Procedure

  1. Set the default RHOSO namespace: 

    $ oc project <namespace>
    • Replace <namespace> with the namespace of the required RHOSO environment, for example, openstack.

  2. Edit your OpenStackControlPlane CR on your workstation: 

    $ oc edit openstackcontrolplane <name>
    • Replace <name> with the name of your YAML OpenStackControlPlane CR, which you can use the following command to retrieve: oc get openstackcontrolplane.

  3. Update the user parameter of the spec.cinder.template.messagingBus section to specify the new user name. In this example, this is cinder-user2:

    Note

    Do not specify the _ character when creating new names because this character is unsupported. 

   spec:
   ...
     cinder:
       ...
       template:
         messagingBus:
           user: cinder-user2
  1. Save and close the editor to apply this change.

  2. Wait for the deployment of the control plane to reach the Ready status: 

    $ oc wait openstackcontrolplane <name> --for=condition=Ready --timeout=600s

  3. Optional: If this OpenStack service must update Compute nodes and external services in the data plane with the new RabbitMQ credentials, then you must:

    • Use the latest OpenStackDataPlaneDeployment CR YAML file to update and deploy the data plane, in this example, `openstack-edpm-deployment.yaml’: 

      $ oc apply -f openstack-edpm-deployment.yaml

    • Wait for the deployment of the data plane to reach the Ready status: 

      $ oc wait openstackdataplanedeployment <name> --for condition=Ready --timeout=1200s

    • Replace <name> with the name of your OpenStackDataPlaneDeployment CR that can be different to the YAML file name therefore use the following command to retrieve this name: oc get openstackdataplanedeployment, which in this example is edpm-deployment.

      In this example, because the Block Storage service (cinder) is not deployed in the data plane, these steps are not required.

  4. Verify that both the old and new RabbitMQ users exist, which in this example is cinder-user1 and cinder-user2: 

       $ oc get rabbitmquser
   NAME                                     CLUSTER    USERNAME    VHOST   STATUS   MESSAGE
   cinder-cinder-transport-cinder-user1-user      rabbitmq   cinder-user1      /       True     Setup complete
   cinder-cinder-transport-cinder-user2-user   rabbitmq   cinder-user2   /       True     Setup complete

    For a detailed explanation of these columns and their outputs, see Create RabbitMQ users for OpenStack services.

  5. Delete the old RabbitMQ user, which in this example is cinder-user1: 

    $ oc edit rabbitmquser <rabbitmq-user-name>
    • Replace <rabbitmq-user-name> with the fully qualified NAME of the old RabbitMQ user, specified by the oc get rabbitmquser command, which in this example is cinder-cinder-transport-cinder-user1-user.

    • Locate the metadata.finalizers section in this editor and delete the line containing rabbitmq.openstack.org/cleanup-blocked: 

      …
   metadata:
   …
     finalizers
     …
     - rabbitmq.openstack.org/cleanup-blocked
    • Save and exit the editor after deleting the line containing rabbitmq.openstack.org/cleanup-blocked.
    • Wait for the old RabbitMQ user to be automatically deleted.

  6. Verify that the old RabbitMQ user has been deleted: 

       $ oc get rabbitmquser
   NAME                                     CLUSTER    USERNAME    VHOST   STATUS   MESSAGE
  cinder-cinder-transport-cinder-user2-user   rabbitmq   cinder-user2   /       True     Setup complete

    In this example, the old user cinder-cinder-transport-cinder-user1-user should no longer appear in the list.

Configure secure role-based access control (SRBAC) in Red Hat OpenStack Services on OpenShift (RHOSO) to enforce granular access to policies. Implementing SRBAC limits users to the specific permissions required for their role, which strengthens the security of your environment.

All users who authenticate to the Identity service (keystone) in RHOSO 18.0 use SRBAC. SRBAC is the updated role-based authentication schema, and is present in all deployments of RHOSO and is used by all the policies.

Understand secure role-based access control (SRBAC) personas in Red Hat OpenStack Services on OpenShift (RHOSO) to enforce granular access control. These personas define the specific scope and actions allowed for users, ensuring they have only the permissions necessary for their tasks.

The Identity service (keystone) implements secure roles using personas, which are scope-specific roles. You can assign roles to users or groups that are either project or system scoped.

2.1.1. Roles
Copy link

Roles define which actions users can perform. There are three OpenStack roles that are available within the project and system scopes.

admin
Granting the admin role in any scope includes all create, read, update, or delete operations on resources and APIs.
member
The member role is allowed to create, read, update, and delete resources that are owned by the scope in which they are a member.
reader
The reader role is for read-only operations, regardless of the scope it is applied to. This role can view resources across the entirety of the scope to which it is applied.

2.1.2. Scope
Copy link

The scope is the context in which operations are performed. All OpenStack resources are owned by a specific project, so access to those resources is granted by assigning a role to the project scope.

2.1.3. Personas
Copy link

Project admin
This persona includes create, read, update and delete operations on resources across projects, which includes adding and removing users and other projects. Granting a user admin in any scope grants full API access to all APIs in all available scopes.
Project member
The project member persona is for users who are granted permission to consume resources within the project scope. This persona can create, list, update, and delete resources within the project to which they are assigned. This persona implies all permissions granted to project readers.
Project reader
The project reader persona is for users who are granted permission to view non-sensitive resources in the project. On projects, assign the reader role to end users who need to inspect or view resources, or to auditors, who only need to view project-specific resources within a single project for the purposes of an audit The project-reader persona will not address all auditing use cases.
System admin
System administrators are typically cloud administrators who can affect the behavior of the deployment. Granting a user admin in any scope grants full API access to all APIs in all available scopes.
System members and system readers
System members and system readers have the same authorization and can view all resources within keystone. The system reader persona is useful for auditors if the audit does not require access to sensitive information.
Note

Additional personas based on the domain scope are not available for use.

Assign roles in a secure role-based access control (SRBAC) environment in Red Hat OpenStack Services on OpenShift (RHOSO) to enforce granular access. This configuration limits users to the specific permissions required for their tasks.

You can assign users to the role of admin, member, or reader within either the project or system scope.

Prerequisites

  • You must have the admin role assigned to your user account to assign roles.

Procedure

  1. Use syntax similar to the following command to provide a user a role with a project scope: 

    $ openstack role add --user user1 --user-domain Default --project demo --project-domain Default <role>
    • Replace <role> with either reader, member, or admin.

  2. Use syntax similar to the following command to provide a user a role with a system scope: 

    $ openstack role add --user user1 --user-domain Default --system all <role>

Use the Identity service in Red Hat OpenStack Services on OpenShift (RHOSO) to control system access. This service manages user authentication and authorization for your cloud environment.

As a cloud administrator, you can manage projects, users, and roles.

Projects within the RHOSO data plane are organizational units containing a collection of resources. You can assign OpenStack users to roles within those projects. Roles define the actions that those users can perform on the resources within a given project. Users can be assigned roles in multiple projects.

Each RHOSO data plane deployment must include at least one user assigned to a role within a project. As a cloud administrator, a user can perform the following actions within OpenStack:

  • Add, update, and delete projects and users.
  • Assign users to one or more roles, and change or remove these assignments.
  • Manage projects and users independently from each other.

You can also configure user authentication with the Identity service to control access to services and endpoints.

3.1. Authenticate with clouds.yaml
Copy link

You must specify the name of the cloud detailed in your clouds.yaml file to execute openstack client commands on the cloud.

Prerequisites

  • The administrator has created a project for you and they have provided you with a clouds.yaml file for you to access the cloud.
  • You have installed the python-openstackclient package.

Procedure

  1. Use the --os-cloud option with each command: 

    $ openstack flavor list --os-cloud <cloud_name>
    • Replace <cloud_name> with the name of the cloud detailed in your clouds.yaml file.

  2. Optional: If you access more than one cloud, create an environment variable for each cloud name in your bashrc file: 

    `export OS_CLOUD1=<cloud_name>`

Chapter 4. Managing users
Copy link

Manage users in Red Hat OpenStack Services on OpenShift (RHOSO) to enforce secure access control. Creating and maintaining user accounts ensures that only authorized individuals have the necessary credentials to interact with cloud resources.

As an OpenStack administrator, you can add, modify, and delete users in the OpenStack Dashboard. Users can be members of one or more projects. You can manage projects and users independently from each other.

4.1. Creating users with the Dashboard
Copy link

Create users in the Red Hat OpenStack Services on OpenShift (RHOSO) dashboard to control system access. Assigning unique credentials ensures accountability. You can define specific permissions for each user by selecting their required role.

You can assign a primary project and role to the user. Users that you create with OpenStack Dashboard (horizon) are Identity service (keystone) users by default. You can integrate Active Directory users by configuring the LDAP provider included with the Identity service.

Procedure

  1. Log in to the Dashboard as an admin user.
  2. Select Identity > Users.
  3. Click Create User.
  4. Enter a user name, email, and preliminary password for the user.
  5. Select a project from the Primary Project list.
  6. Select a role for the user from the Role list. The default role is member.
  7. Click Create User.

4.2. Editing users with the Dashboard
Copy link

Edit users with the dashboard in Red Hat OpenStack Services on OpenShift (RHOSO) to update account details. This configuration ensures that user information remains current and accurate within the environment.

You can update user details, including the primary project.

Procedure

  1. Log in to the OpenStack Dashboard as an admin user.
  2. Select Identity > Users.
  3. In the Actions column, click Edit.
  4. In the Update User window, you can update the User Name, Email, and Primary Project.
  5. Click Update User.

Enable or disable user accounts in the Red Hat OpenStack Services on OpenShift (RHOSO) dashboard to manage system access. This action allows you to temporarily suspend or reinstate a user’s access to the environment without permanently deleting their account.

Disabling an account immediately revokes login permissions while preserving the user’s data and history for audit purposes.

Note

This action is reversible, unlike deleting a user.

Limitations
  • You cannot disable or enable more than one user at a time.
  • You cannot set the primary project of a user to active.

A disabled user cannot:

  • Log in to the Dashboard.
  • Get access to OpenStack services.
  • Do any user-project action in the Dashboard.

Procedure

  1. As an admin user in the Dashboard, select Identity > Users.
  2. In the Actions column, click the arrow, and select Enable User or Disable User. In the Enabled column, the value then updates to either True or False.

4.4. Deleting a user with the Dashboard
Copy link

Delete user accounts in the Red Hat OpenStack Services on OpenShift (RHOSO) dashboard to permanently revoke system access. You must be a user with an administrative role to delete other users. Removing unused accounts prevents unauthorized entry and helps you maintain a secure environment.

Note

This action cannot be reversed.

Procedure

  1. As an admin user in the OpenStack Dashboard, select Identity > Users.
  2. Select the users you want to delete.
  3. Click Delete Users. The Confirm Delete Users window is displayed.
  4. Click Delete Users to confirm the action.

Chapter 5. Managing user roles
Copy link

Manage roles in Red Hat OpenStack Services on OpenShift (RHOSO) to define specific user permissions. RHOSO uses secure role-based access control (SRBAC) to manage access to its resources. Roles define which actions users can perform.

By default, there are three predefined roles:

  • A reader role for viewing permissions on specified projects.
  • A member role for creating and managing resources within specified projects.
  • An admin role to enable non-admin users to administer the environment.

You can also create custom roles specific to your environment, by creating a custom policy.yaml file.

Important

When defining custom policies, ensure that you reference the OpenStack 2023.1 (Antelope) documentation. Newer versions of OpenStack can reference policy keys or values that are not supported in RHOSO 18.0.

5.1. Understanding the OpenStack admin role
Copy link

It is important to understand the specific permissions granted to the admin role in Red Hat OpenStack Services on OpenShift (RHOSO). Only assign this role to users who require these permissions to perform their tasks.

When you assign a user the role of admin in an OpenStack project, this user has permissions to view, change, create, or delete any resource on any project. This user can create shared resources that are accessible across projects, such as publicly available glance images, or provider networks. Additionally, a user with the admin role can create or delete users and manage roles.

The project to which you assign a user the admin role is the default project in which openstack commands are executed. For example, if an admin user in a project named development runs the following command, a network called internal-network is created in the development project: 

$ openstack network create internal-network

The admin user can create an internal-network in any project by using the --project parameter: 

$ openstack network create internal-network --project testing

5.2. Viewing roles with the OpenStack CLI
Copy link

List the available roles using the openstack CLI in Red Hat OpenStack Services on OpenShift (RHOSO) to verify which roles exist before assigning them to users. View the details of specific roles to identify their access levels.

Note

To get detailed information on the permissions associated with each role, you must audit its access to each API call.

Prerequisites

  • You must have the admin role assigned to your user account to list and view roles.

Procedure

  1. List the available predefined roles: 

    $ openstack role list

  2. View details for a specific role: 

    $ openstack role show <role>
    • Replace <role> with one of the listed roles, for example, member.

Assign roles in a secure role-based access control (SRBAC) environment in Red Hat OpenStack Services on OpenShift (RHOSO) to enforce granular access. This configuration limits users to the specific permissions required for their tasks.

You can assign users to the role of admin, member, or reader within either the project or system scope.

Prerequisites

  • You must have the admin role assigned to your user account to assign roles.

Procedure

  1. Use syntax similar to the following command to provide a user a role with a project scope: 

    $ openstack role add --user user1 --user-domain Default --project demo --project-domain Default <role>
    • Replace <role> with either reader, member, or admin.

  2. Use syntax similar to the following command to provide a user a role with a system scope: 

    $ openstack role add --user user1 --user-domain Default --system all <role>

5.4. Audit users and roles
Copy link

You can report on role assignments per user and associated privileges. Red Hat OpenStack Services on OpenShift (RHOSO) uses secure role-based access control (SRBAC) by default. SRBAC defines three roles that operate within both the project and system scopes: admin, member, and reader. These roles include one another hierarchically: the admin role includes member, and member includes reader. When you are auditing, you can review role assignments in both the project scope and the system scope to obtain a complete picture of user privileges.

Prerequisites

  • You have access to the openstackclient pod, or you have the python-openstackclient package installed on a workstation configured with a clouds.yaml file.

Procedure

  1. Connect to the openstackclient pod: 

    $ oc rsh -n openstack openstackclient

  2. View the roles currently in your environment. You can use the -f {csv,json,table,value,yaml} option to export these results: 

    $ openstack role list -c Name -f value

admin
member
reader

  3. List all users that are members of a particular role. For example, to see all project-scoped users that have the admin role, run the following: 

    $ openstack role assignment list --names --role admin

  4. To audit system-scoped role assignments, use the --system all flag. For example, to see all users with system-scoped roles, run the following: 

    $ openstack role assignment list --names --system all
    Note

    The system reader persona is useful for auditors or members of a support team who need read-only visibility across the entire deployment. For more information, see Secure role based access control in Red Hat OpenStack Services on OpenShift in Performing security operations.

Chapter 6. Managing groups of users
Copy link

Manage the Identity Service (keystone) groups in Red Hat OpenStack Services on OpenShift (RHOSO) to streamline access control. Assigning roles to groups rather than individual users simplifies administration and ensures consistent permissions across your projects.

6.1. Configuring groups with the Dashboard
Copy link

You can use the Dashboard service (horizon) to manage the membership of Identity service (keystone) groups. However, you must use the command-line to assign role permissions to a group.

Procedure

  1. Create a group

    1. Log in to the dashboard as a user with administrative privileges.
    2. Select Identity > Groups.
    3. Click +Create Group.
    4. Enter a name and description for the group.
    5. Click Create Group.

  2. Manage group membership

    1. Log in to the dashboard as a user with administrative privileges.
    2. Select Identity > Groups.
    3. Click Manage Members for the group that you want to edit.
    4. Use Add users to add a user to the group. If you want to remove a user, mark its checkbox and click Remove users.

Chapter 7. Managing projects
Copy link

As an OpenStack administrator, you can create and manage projects in Red Hat OpenStack Services on OpenShift (RHOSO). A project is a pool of shared virtual resources, to which you can assign OpenStack users and groups. You can configure the quota of shared virtual resources in each project. You can create multiple projects that will not interfere with each other’s permissions and resources. Users can be associated with more than one project. Each user must have a role assigned for each project to which they are assigned.

7.1. Creating a project
Copy link

As an OpenStack administrator, you can create a project, which is a pool of shared virtual resources, to which you can assign members or OpenStack users and groups. You can also configure the quota or resource limits of the shared virtual resources in this project.

Procedure

  1. Log in to the Dashboard as a user with administrative privileges.
  2. Select Identity > Projects.
  3. Click Create Project.
  4. On the Project Information tab, enter a name and description for the project. The Enabled check box is selected by default.
  5. On the Project Members tab, add members to the project from the All Users list.
  6. On the Quotas tab, specify resource limits for the project.
  7. Click Create Project.

7.2. Editing a project
Copy link

As an OpenStack administrator, you can edit a project in Red Hat OpenStack Services on OpenShift (RHOSO) to change its name or description, enable or temporarily disable it, or update its members or OpenStack users and groups.

Note

The Enabled check box is selected by default. To temporarily disable the project, clear the Enabled check box. To enable a disabled project, select the Enabled check box.

Procedure

  1. Log in to the Dashboard as a user with administrative privileges.
  2. Select Identity > Projects.
  3. In the project Actions column, click the arrow, and click Edit Project.
  4. In the Edit Project window, you can update a project to change its name or description, and enable or temporarily disable the project.
  5. On the Project Members tab, add members to the project, or remove them as needed.
  6. Click Save.

7.3. Deleting a project
Copy link

As an OpenStack administrator, you can delete a project in Red Hat OpenStack Services on OpenShift (RHOSO) to clean up your environment. This removes the project and ensures that users can no longer access its resources. Any user pairing is disassociated to prevent unauthorized access to unused workloads.

Note

You cannot undo this delete action.

Procedure

  1. Log in to the Dashboard as a user with administrative privileges.
  2. Select Identity > Projects.
  3. Select the project that you want to delete.
  4. Click Delete Projects. The Confirm Delete Projects window is displayed.
  5. Click Delete Projects to confirm the action.

7.4. Updating project quotas
Copy link

Quotas are operational limits that you set for each Red Hat OpenStack Services on OpenShift (RHOSO) project to optimize cloud resources. As an OpenStack administrator, you can set quotas to prevent project resources from being exhausted without notification. You can enforce quotas at both the project and the project-user level.

Note

You must manage quotas individually against projects and sub-projects because nested quotas are not supported.

Procedure

  1. Log in to the Dashboard as a user with administrative privileges.
  2. Select Identity > Projects.
  3. In the project Actions column, click the arrow, and click Modify Quotas.
  4. In the Quota tab, modify project quotas as needed.
  5. Click Save.

7.5. Changing the active project
Copy link

As a member of more than one project, including this Red Hat OpenStack Services on OpenShift (RHOSO) project, you can set this project as the active project, so that you can use the dashboard to interact with objects in the project.

Note

You cannot set a disabled project as active, unless it is re-enabled.

Procedure

  1. Log in to the Dashboard as a user with administrative privileges.
  2. Select Identity > Projects.
  3. In the project Actions column, click the arrow, and click Set as Active Project.
  4. Alternatively, as a non-admin user, in the project Actions column, click Set as Active Project which becomes the default action in the column.

7.6. Project hierarchies
Copy link

You can nest projects using hierarchical multitenancy (HMT) in the Identity service (keystone). Hierarchical multitenancy allows sub-projects to inherit role assignments from a parent project.

Note

You must manage quotas individually against projects and sub-projects because nested quotas are not supported.

Create hierarchical projects in Red Hat OpenStack Services on OpenShift (RHOSO) to organize cloud resources. As an OpenStack administrator you can implement hierarchical multitenancy (HMT) by using Identity service (keystone) domains and RHOSO projects.

First create a new domain and then create a project within that domain. You can then add sub-projects to that project. You can also promote a user to administrator of a sub-project by adding the user to the admin role for that sub-project.

Note

The HMT structure used by the Identity service is not currently represented in the dashboard.

Procedure

  1. Create a new Identity service domain called corp: 

    $ openstack domain create corp

    For example: 

    +-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | 6059b0b93b8d4ddb9d31ea47de93f0ab |
| name        | corp                             |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+

  2. Create the parent project (private-cloud) within the corp domain: 

    $ openstack project create private-cloud --domain corp

    For example: 

    +-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 6059b0b93b8d4ddb9d31ea47de93f0ab |
| enabled     | True                             |
| id          | e86f182e16e24441b71c7296585c2e21 |
| is_domain   | False                            |
| name        | private-cloud                    |
| options     | {}                               |
| parent_id   | 6059b0b93b8d4ddb9d31ea47de93f0ab |
| tags        | []                               |
+-------------+----------------------------------+

  3. Create a sub-project (dev) within the private-cloud parent project, while also specifying the corp domain: 

    $ openstack project create dev --parent private-cloud --domain corp

    For example: 

    +-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 6059b0b93b8d4ddb9d31ea47de93f0ab |
| enabled     | True                             |
| id          | 71f05cdd5b8a45d4b1a928bfe7c2e20d |
| is_domain   | False                            |
| name        | dev                              |
| options     | {}                               |
| parent_id   | e86f182e16e24441b71c7296585c2e21 |
| tags        | []                               |
+-------------+----------------------------------+

  4. Create another sub-project called qa: 

    $ openstack project create qa --parent private-cloud --domain corp

    For example: 

    +-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 6059b0b93b8d4ddb9d31ea47de93f0ab |
| enabled     | True                             |
| id          | 03801ad929b84c8fb091bf3248e6db68 |
| is_domain   | False                            |
| name        | qa                               |
| options     | {}                               |
| parent_id   | e86f182e16e24441b71c7296585c2e21 |
| tags        | []                               |
+-------------+----------------------------------+
    Note

    You can use the Identity API to view the project hierarchy. For more information, see https://developer.openstack.org/api-ref/identity/v3/index.html?expanded=show-project-details-detail

7.6.2. Configuring access to hierarchical projects
Copy link

Configure access to hierarchical projects in Red Hat OpenStack Services on OpenShift (RHOSO) to streamline permission management. By organizing projects into a hierarchy, you can enable child projects to inherit permission settings from parents, ensuring consistent access controls across the environment.

By default, a newly-created project has no assigned roles. When you assign role permissions to the parent project, you can include the --inherited flag to instruct the sub-projects to inherit the assigned permissions from the parent project. For example, a user with admin role access to the parent project also has admin access to the sub-projects.

Procedure

  1. View the existing permissions assigned to a project: 

    $ openstack role assignment list --project private-cloud

  2. View the existing roles: 

    $ openstack role list

    For example: 

    +----------------------------------+-----------------+
| ID                               | Name            |
+----------------------------------+-----------------+
| 01d92614cd224a589bdf3b171afc5488 | admin           |
| 034e4620ed3d45969dfe8992af001514 | member          |
| 0aa377a807df4149b0a8c69b9560b106 | ResellerAdmin   |
| cfea5760d9c948e7b362abc1d06e557f | reader          |
| d5cb454559e44b47aaa8821df4e11af1 | swiftoperator   |
| ef3d3f510a474d6c860b4098ad658a29 | service         |
+----------------------------------+-----------------+

  3. Grant the user account user1 access to the private-cloud project: 

    $ openstack role add --user user1 --user-domain corp --project private-cloud member

    Re-run this command using the --inherited flag. As a result, user1 also has access to the private-cloud sub-projects, which have inherited the role assignment: 

    $ openstack role add --user user1 --user-domain corp --project private-cloud member --inherited

  4. Review the result of the permissions update: 

    $ openstack role assignment list --effective --user user1 --user-domain corp

    For example: 

    +----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| 034e4620ed3d45969dfe8992af001514 | 10b5b34df21d485ca044433818d134be |       | c50d5cf4fe2e4929b98af5abdec3fd64 |        | False     |
| 034e4620ed3d45969dfe8992af001514 | 10b5b34df21d485ca044433818d134be |       | 11fccd8369824baa9fc87cf01023fd87 |        | True      |
| 034e4620ed3d45969dfe8992af001514 | 10b5b34df21d485ca044433818d134be |       | b4f1d6f59ddf413fa040f062a0234871 |        | True      |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+

    The user1 user has inherited access to the qa and dev projects. In addition, because the --inherited flag was applied to the parent project, user1 also receives access to any sub-projects that are created later.

7.6.3. Removing access from users
Copy link

Remove access from users in Red Hat OpenStack Services on OpenShift (RHOSO) projects to enforce least privilege. Revoking role assignments ensures that unauthorized users cannot view project data or consume system resources.

Note

Explicit and inherited permissions must be separately removed.

Procedure

  1. Remove a user from an explicitly assigned role: 

    $ openstack role remove --user user1 --project private-cloud member

  2. Review the result of the change. Notice that the inherited permissions are still present: 

    $ openstack role assignment list --effective --user user1 --user-domain corp

    For example: 

    +----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| 034e4620ed3d45969dfe8992af001514 | 10b5b34df21d485ca044433818d134be |       | 11fccd8369824baa9fc87cf01023fd87 |        | True      |
| 034e4620ed3d45969dfe8992af001514 | 10b5b34df21d485ca044433818d134be |       | b4f1d6f59ddf413fa040f062a0234871 |        | True      |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+

  3. Remove the inherited permissions: 

    $ openstack role remove --user user1 --project private-cloud member --inherited

  4. Review the result of the change. The inherited permissions have been removed, and the resulting output is now empty: 

    $ openstack role assignment list --effective --user user1 --user-domain corp

7.6.4. Reseller project overview
Copy link

With the Reseller Red Hat OpenStack Services on OpenShift (RHOSO) project, the goal is to have a hierarchy of domains; these domains will eventually allow you to consider reselling portions of the cloud, with a subdomain representing a fully-enabled cloud. This work has been split into phases, with phase 1 described below:

Reseller (phase 1) is an extension of hierarchical multitenancy (HMT), described here: Creating hierarchical projects and sub-projects. Previously, Identity service (keystone) domains were originally intended to be containers that stored users and projects, with their own table in the database back-end. As a result, domains are now no longer stored in their own table, and have been merged into the project table:

  • A domain is now a type of project, distinguished by the is_domain flag.
  • A domain represents a top-level project in the project hierarchy: domains are roots in the project hierarchy

  • APIs have been updated to create and retrieve domains using the projects subpath:

    • Create a new domain by creating a project with the is_domain flag set to true
    • List projects that are domains: get projects including the is_domain query parameter.

7.7. Project security management
Copy link

Understand project security management in Red Hat OpenStack Services on OpenShift (RHOSO) to isolate tenant workloads. Security groups are sets of IP filter rules that can be assigned to project instances, and which define networking access to the instance. Security groups are project specific; project members can edit the default rules for their security group and add new rule sets.

All projects have a default security group that is applied to any instance that has no other defined security group. Unless you change the default values, this security group denies all incoming traffic and allows only outgoing traffic from your instance.

You can apply a security group directly to an instance during instance creation, or to a port on the running instance.

Note

You cannot apply a role-based access control (RBAC)-shared security group directly to an instance during instance creation. To apply an RBAC-shared security group to an instance you must first create the port, apply the shared security group to that port, and then assign that port to the instance. See Adding a security group to a port in Creating and managing instances.

Do not delete the default security group without creating groups that allow required egress. For example, if your instances use DHCP and metadata, your instance requires security group rules that allow egress to the DHCP server and metadata agent.

7.7.1. Creating a security group
Copy link

Create a security group in Red Hat OpenStack Services on OpenShift (RHOSO) to filter network traffic. This virtual firewall defines access rules for your instances, ensuring only authorized connections reach your workloads. For example, you can enable ICMP traffic, or disable HTTP requests.

Procedure

  1. In the dashboard, select Project > Compute > Access & Security.
  2. On the Security Groups tab, click Create Security Group.
  3. Enter a name and description for the group, and click Create Security Group.

7.7.2. Adding a security group rule
Copy link

Add a rule to a security group in Red Hat OpenStack Services on OpenShift (RHOSO) to permit specific network traffic. This configuration opens necessary ports and protocols, ensuring that your instances can communicate securely with authorized external resources.

By default, rules for a new group only provide outgoing access. You must add new rules to provide additional access.

Procedure

  1. In the dashboard, select Project > Compute > Access & Security.
  2. On the Security Groups tab, click Manage Rules for the security group that you want to edit.
  3. Click Add Rule to add a new rule.

  4. Specify the rule values, and click Add.

    The following rule fields are required:

    Rule

    Rule type. If you specify a rule template (for example, SSH), its fields are automatically filled in:

    • TCP: Typically used to exchange data between systems, and for end-user communication.
    • UDP: Typically used to exchange data between systems, particularly at the application level.
    • ICMP: Typically used by network devices, such as routers, to send error or monitoring messages.
    Direction
    Ingress (inbound) or Egress (outbound).
    Open Port

    For TCP or UDP rules, the Port or Port Range (single port or range of ports) to open:

    • For a range of ports, enter port values in the From Port and To Port fields.
    • For a single port, enter the port value in the Port field.
    Type
    The type for ICMP rules; must be in the range -1:255.
    Code
    The code for ICMP rules; must be in the range -1:255.
    Remote

    The traffic source for this rule:

    • CIDR (Classless Inter-Domain Routing): IP address block, which limits access to IPs within the block. Enter the CIDR in the Source field.
    • Security Group: Source group that enables any instance in the group to access any other group instance.

7.7.3. Deleting a security group rule
Copy link

Delete a security group rule in Red Hat OpenStack Services on OpenShift (RHOSO) to revoke specific network access. Removing unused rules closes open ports, which reduces security risks by blocking unwanted traffic to your instances.

Note

You cannot undo the delete action.

Procedure

  1. In the dashboard, select Project > Compute > Access & Security.
  2. On the Security Groups tab, click Manage Rules for the security group.
  3. Select the security group rule, and click Delete Rule.
  4. Click Delete Rule again.

7.7.4. Deleting a security group
Copy link

Delete a security group in Red Hat OpenStack Services on OpenShift (RHOSO) to retire unused firewall policies. Removing obsolete groups creates a cleaner view for users and prevents the accidental application of incorrect network access rules to workloads.

Note

You cannot undo the delete action.

Procedure

  1. In the dashboard, select Project > Compute > Access & Security.
  2. On the Security Groups tab, select the group, and click Delete Security Groups.
  3. Click Delete Security Groups.

Chapter 8. Managing project resource quotas
Copy link

As a cloud administrator, you can set and manage resource quotas for projects in Red Hat OpenStack Services on OpenShift (RHOSO) to prevent resource exhaustion. Defining limits for compute, networking, and storage resources ensures fair usage among tenants and protects overall system stability.

Each project is allocated resources, and project users are granted access to consume these resources. This enables multiple projects to use a single cloud without interfering with each other’s permissions and resources.

A set of resource quotas are pre-configured when a new project is created. The quotas include the amount of VCPUs, instances, RAM, and floating IPs that can be assigned to projects. You can use the OpenStack Dashboard to set or modify the Compute (nova) and Block Storage (cinder) quotas for new and existing projects. For more information, see Managing projects.

8.1. Viewing user quotas for a project
Copy link

View compute, networking, and storage resource quotas in Red Hat OpenStack Services on OpenShift (RHOSO) to monitor resource consumption. Verifying usage against defined limits helps you troubleshoot why users cannot create new resources and determine when to adjust specific allowances.

Procedure

  • List the currently set quota values: 

    $ openstack quota show [PROJECT-ID]

    For example: 

    $ openstack quota show f0ba064c24ca4176ac55a45635ca561f
+-----------------------+-------+
| Resource              | Limit |
+-----------------------+-------+
| cores                 |    20 |
| instances             |    10 |
| ram                   | 51200 |
| volumes               |    10 |
| snapshots             |    10 |
| gigabytes             |  1000 |
| backups               |    10 |
| volumes___DEFAULT__   |    -1 |
| gigabytes___DEFAULT__ |    -1 |
| snapshots___DEFAULT__ |    -1 |
| groups                |    10 |
| trunk                 |    -1 |
| networks              |   100 |
| ports                 |   500 |
| rbac_policies         |    10 |
| routers               |    10 |
| subnets               |   100 |
| subnet_pools          |    -1 |
| fixed-ips             |    -1 |
| injected-file-size    | 10240 |
| injected-path-size    |   255 |
| injected-files        |     5 |
| key-pairs             |   100 |
| properties            |   128 |
| server-groups         |    10 |
| server-group-members  |    10 |
| floating-ips          |    50 |
| secgroup-rules        |   100 |
| secgroups             |    10 |
| backup-gigabytes      |  1000 |
| per-volume-gigabytes  |    -1 |
+-----------------------+-------+

Chapter 9. Managing domains
Copy link

Manage domains in Red Hat OpenStack Services on OpenShift (RHOSO) to isolate tenant resources. Using domains creates separate boundaries for users and projects. Identity service (keystone) domains are additional namespaces that you can create.

Note

The Identity service includes a built-in domain called Default. It is suggested you reserve this domain only for service accounts, and create a separate domain for user accounts.

9.1. Viewing a list of domains
Copy link

View a list of domains in Red Hat OpenStack Services on OpenShift (RHOSO) to audit tenant isolation. Listing domains enables you to verify that the correct administrative boundaries exist for your users and projects.

Procedure

  • View a list of the domains: 

    $ openstack domain list

    For example: 

    +----------------------------------+------------------+---------+--------------------+
| ID                               | Name             | Enabled | Description        |
+----------------------------------+------------------+---------+--------------------+
| 3abefa6f32c14db9a9703bf5ce6863e1 | TestDomain       | True    |                    |
| 69436408fdcb44ab9e111691f8e9216d | corp             | True    |                    |
| a4f61a8feb8d4253b260054c6aa41adb | federated_domain | True    |                    |
| default                          | Default          | True    | The default domain |
+----------------------------------+------------------+---------+--------------------+

9.2. Creating a new domain
Copy link

Create a new domain in Red Hat OpenStack Services on OpenShift (RHOSO) to define a separate administrative boundary. This ensures that you can manage users and projects for different organizations in isolation from the default domain.

Procedure

  • Create a new domain: 

    $ openstack domain create TestDomain

    For example: 

    +-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | 3abefa6f32c14db9a9703bf5ce6863e1 |
| name        | TestDomain                       |
+-------------+----------------------------------+

9.3. Viewing the details of a domain
Copy link

View domain details in Red Hat OpenStack Services on OpenShift (RHOSO) to audit specific attributes. Verifying settings like the domain ID ensures that the administrative boundary correctly isolates your tenant resources.

Procedure

  • View the details of a domain: 

    $ openstack domain show TestDomain

    For example: 

    +-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | 3abefa6f32c14db9a9703bf5ce6863e1 |
| name        | TestDomain                       |
+-------------+----------------------------------+

9.4. Disabling a domain
Copy link

Disable a domain in Red Hat OpenStack Services on OpenShift (RHOSO) to suspend user access immediately. This action prevents authentication and API usage, allowing you to secure the environment during security audits or when decommissioning a tenant.

Note

You can disable and enable domains according to your requirements.

Procedure

  1. Disable a domain using the --disable option: 

    $ openstack domain set TestDomain --disable

  2. Confirm that the domain has been disabled: 

    $ openstack domain show TestDomain

    For example: 

    +-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | False                            |
| id          | 3abefa6f32c14db9a9703bf5ce6863e1 |
| name        | TestDomain                       |
+-------------+----------------------------------+

  3. Use the --enable option to re-enable the domain, if required: 

    $ openstack domain set TestDomain --enable

Chapter 10. Application credentials
Copy link

Use Application Credentials to avoid the practice of embedding user account credentials in configuration files. Instead, the user creates an Application Credential that receives delegated access to a single project and has its own distinct secret. The user can also limit the delegated privileges to a single role in that project. This allows you to adopt the principle of least privilege, where the authenticated service gains access only to the one project and role that it needs to function, rather than all projects and roles.

With Application Credentials, you can consume an API without revealing your user credentials, and applications can authenticate to Keystone without requiring embedded user credentials.

You can use Application Credentials to generate tokens and configure keystone_authtoken settings for applications. These use cases are described in the following sections.

Note

The Application Credential is dependent on the user account that created it, so it will terminate if that account is ever deleted, or loses access to the relevant role.

Use Application Credentials to generate tokens in Red Hat OpenStack Services on OpenShift (RHOSO) to secure automated tasks. This allows applications to authenticate API requests without exposing your primary user password.

Application Credentials are available to users as a self-service function in the dashboard. This example demonstrates how a user can create an Application Credential and then use it to generate a token.

Procedure

  1. Create a test project, and test user accounts:

    1. Create a project called AppCreds: 

      $ openstack project create AppCreds

    2. Create a user called AppCredsUser: 

      $ openstack user create --project AppCreds --password-prompt AppCredsUser

    3. Grant AppCredsUser access to the member role for the AppCreds project: 

      $ openstack role add --user AppCredsUser --project AppCreds member

  2. Log in to the dashboard as AppCredsUser and create an Application Credential:

    OverviewIdentityApplication Credentials+Create Application Credential.

    Note

    Ensure that you download the clouds.yaml file contents, because you cannot access it again after you close the pop-up window titled Your Application Credential.

  3. Create a file named /home/stack/.config/openstack/clouds.yaml using the CLI and paste the contents of the clouds.yaml file. 

    # This is a clouds.yaml file, which can be used by OpenStack tools as a source
# of configuration on how to connect to a cloud. If this is your only cloud,
# just put this file in ~/.config/openstack/clouds.yaml and tools like
# python-openstackclient will just work with no further config. (You will need
# to add your password to the auth section)
# If you have more than one cloud account, add the cloud entry to the clouds
# section of your existing file and you can refer to them by name with
# OS_CLOUD=openstack or --os-cloud=openstack
clouds:
  openstack:
    auth:
      auth_url: http://10.0.0.10:5000/v3
      application_credential_id: "6d141f23732b498e99db8186136c611b"
      application_credential_secret: "<example secret value>"
    region_name: "regionOne"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3applicationcredential"
    Note

    These values will be different for your deployment.

  4. Use the Application Credential to generate a token. You must not be sourced as any specific user when using the following command, and you must be in the same directory as your clouds.yaml file. 

    $ openstack --os-cloud=openstack token issue
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                                        |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-08-29T05:37:29+0000                                                                                                                                                                                     |
| id         | gAAAAABbhiMJ4TxxFlTMdsYJpfStsGotPrns0lnpvJq9ILtdi-NKqisWBeNiJlUXwmnoGQDh2CMyK9OeTsuEXnJNmFfKjxiHWmcQVYzAhMKo6_QMUtu_Qm6mtpzYYHBrUGboa_Ay0LBuFDtsjtgtvJ-r8G3TsJMowbKF-yo--O_XLhERU_QQVl3hl8zmMRdmLh_P9Cbhuolt |
| project_id | 1a74eabbf05c41baadd716179bb9e1da                                                                                                                                                                             |
| user_id    | ef679eeddfd14f8b86becfd7e1dc84f2                                                                                                                                                                             |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    Note

    If you receive an error similar to __init__() got an unexpected keyword argument 'application_credential_secret', then you might still be sourced to the previous credentials. For a fresh environment, run sudo su - stack.

Integrate Application Credentials with applications in Red Hat OpenStack Services on OpenShift (RHOSO) to secure automated access. This configuration enables applications to authenticate API requests without exposing your primary user password in configuration files.

Application Credentials can authenticate applications to the Identity service (keystone). When you use Application Credentials, the keystone_authtoken settings use v3applicationcredential as the authentication type and contain the credentials that you receive during the credential creation process. Enter the following values:

  • application_credential_secret: The Application Credential secret.
  • application_credential_id: The Application Credential id.
  • (Optional) application_credential_name: You might use this parameter if you use a named application credential, rather than an ID.

For example: 

[keystone_authtoken]
auth_url = http://10.0.0.10:5000/v3
auth_type = v3applicationcredential
application_credential_id = "6cb5fa6a13184e6fab65ba2108adf50c"
application_credential_secret = "<example password>"

10.3. Managing Application Credentials
Copy link

Manage Application Credentials in Red Hat OpenStack Services on OpenShift (RHOSO) from the command line to control access for your applications. This allows you to maintain separate login details for your software components. You can use openstack CLI to create and delete Application Credentials.

The create subcommand creates an Application Credential based on the currently sourced account. For example, creating the credential when sourced as an admin user will grant the same roles to the Application Credential: 

$ openstack application credential create --description "App Creds - All roles" AppCredsUser
+--------------+----------------------------------------------------------------------------------------+
| Field        | Value                                                                                  |
+--------------+----------------------------------------------------------------------------------------+
| description  | App Creds - All roles                                                                  |
| expires_at   | None                                                                                   |
| id           | fc17651c2c114fd6813f86fdbb430053                                                       |
| name         | AppCredsUser                                                                           |
| project_id   | 507663d0cfe244f8bc0694e6ed54d886                                                       |
| roles        | member reader admin                                                                    |
| secret       | fVnqa6I_XeRDDkmQnB5lx361W1jHtOtw3ci_mf_tOID-09MrPAzkU7mv-by8ykEhEa1QLPFJLNV4cS2Roo9lOg |
| unrestricted | False                                                                                  |
+--------------+----------------------------------------------------------------------------------------+
Warning

Using the --unrestricted parameter enables the Application Credential to create and delete other Application Credentials and trusts. This is potentially dangerous behavior and is disabled by default. You cannot use the --unrestricted parameter in combination with other access rules.

By default, the resulting role membership includes all the roles assigned to the account that created the Application Credentials. You can limit the role membership by delegating access only to a specific role: 

$ openstack application credential create --description "App Creds - Member" --role member AppCredsUser
+--------------+----------------------------------------------------------------------------------------+
| Field        | Value                                                                                  |
+--------------+----------------------------------------------------------------------------------------+
| description  | App Creds - Member                                                                     |
| expires_at   | None                                                                                   |
| id           | e21e7f4b578240f79814085a169c9a44                                                       |
| name         | AppCredsUser                                                                           |
| project_id   | 507663d0cfe244f8bc0694e6ed54d886                                                       |
| roles        | member                                                                                 |
| secret       | XCLVUTYIreFhpMqLVB5XXovs_z9JdoZWpdwrkaG1qi5GQcmBMUFG7cN2htzMlFe5T5mdPsnf5JMNbu0Ih-4aCg |
| unrestricted | False                                                                                  |
+--------------+----------------------------------------------------------------------------------------+

To delete an Application Credential: 

$ openstack application credential delete AppCredsUser

10.4. Replacing Application Credentials
Copy link

Replace Application Credentials in Red Hat OpenStack Services on OpenShift (RHOSO) to enforce security rotation. Updating secrets regularly or after a potential leak ensures that only authorized applications can access system resources, minimizing the risk of a breach.

Application Credentials are bound to the user account that created them and become invalid if the user account is ever deleted, or if the user loses access to the delegated role. As a result, you should be prepared to generate a new Application Credential as needed.

You can replace existing Application Credentials for configuration files.

Update the Application Credentials assigned to an application (using a configuration file):

  1. Create a new set of Application Credentials.
  2. Add the new credentials to the application configuration file, replacing the existing credentials. For more information, see Integrating Application Credentials with applications.
  3. Restart the application service to apply the change.
  4. Delete the old Application Credential, if appropriate. For more information about the command line options, see Managing Application Credentials.

You can replacing the existing Application Credentials in clouds.yaml.

When you replace an Application Credential used by clouds.yaml, you must create the replacement credentials using OpenStack user credentials. By default, you cannot use Application Credentials to create another set of Application Credentials. The openstack application credential create command creates an Application Credential based on the currently sourced account.

Procedure

  1. Authenticate as the OpenStack user that originally created the Application Credentials that are about to expire. For example, if you used the procedure Using Application Credentials to generate tokens, you must log in again as AppCredsUser.

  2. Create an Application Credential called AppCred2. This can be done using the OpenStack Dashboard, or the openstack CLI interface: 

    openstack application credential create --description "App Creds 2 - Member" --role member AppCred2
  3. Copy the id and secret parameters from the output of the previous command. The secret parameter value cannot be accessed again.
  4. Replace the application_credential_id and application_credential_secret parameter values in the ${HOME}/.config/openstack/clouds.yaml file with the secret and id values that you copied.

Verification

  • Generate a token with clouds.yaml to confirm that the credentials are working as expected. You must not be sourced as any specific user when using the following command, and you must be in the same directory as your clouds.yaml file: 

    $ openstack --os-cloud=openstack token issue

    For example: 

    +------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                                        |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-08-29T05:37:29+0000                                                                                                                                                                                     |
| id         | gAAAAABbhiMJ4TxxFlTMdsYJpfStsGotPrns0lnpvJq9ILtdi-NKqisWBeNiJlUXwmnoGQDh2CMyK9OeTsuEXnJNmFfKjxiHWmcQVYzAhMKo6_QMUtu_Qm6mtpzYYHBrUGboa_Ay0LBuFDtsjtgtvJ-r8G3TsJMowbKF-yo--O_XLhERU_QQVl3hl8zmMRdmLh_P9Cbhuolt |
| project_id | 1a74eabbf05c41baadd716179bb9e1da                                                                                                                                                                             |
| user_id    | ef679eeddfd14f8b86becfd7e1dc84f2                                                                                                                                                                             |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Manage secrets and encryption keys in Red Hat OpenStack Services on OpenShift (RHOSO) to centralize sensitive data management. Using the Key Manager service (barbican) enables you to securely store, provision and manage your secret data, ensuring that this critical information remains protected from unauthorized access.

You can use OpenStack Key Manager service to create, update, and delete secrets and encryption keys.

Understand the Red Hat OpenStack Services on OpenShift (RHOSO) Key Manager Operator (barbican). This Operator manages the Key Manager service in the system and is installed and active by default.

The OpenStack Key Manager service (barbican) is the secrets manager for Red Hat OpenStack Services on OpenShift (RHOSO). An OpenStack administrator can use the Key Manager API and command line to centrally manage the certificates, keys, and passwords used by OpenStack. The RHOSO Key Manager service integrates with the Block Storage (cinder), Networking (neutron), and Compute (nova) services.

Secrets such as certificates, API keys, and passwords, are stored in the Key Manager service database or directly in a secure storage system. In RHOSO 18.0 the simple crypto plug-in is available to encrypt secrets.

OpenStack Key Manager supports the following use cases:

  • Symmetric encryption keys

    • Block Storage (cinder) volume encryption
    • Object Storage (swift) encryption
    • Ephemeral disk encryption

  • Asymmetric keys and certificates

    • Image service (glance) image signing
    • Image service (glance) image verification

11.2. Viewing secrets
Copy link

View secrets in Red Hat OpenStack Services on OpenShift (RHOSO) to check stored information. This action allows you to review specific properties of the secrets to confirm they are configured correctly, such as their URI, name, type, and expiration.

Note

You cannot view the payload content of the secrets.

Procedure

  • View the list of secrets: 

    $ openstack secret list

    For example: 

    +------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| Secret href                                                                        | Name | Created                   | Status | Content types                             | Algorithm | Bit length | Secret type | Mode | Expiration |
+------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| https://192.168.123.169:9311/v1/secrets/24845e6d-64a5-4071-ba99-0fdd1046172e       | None | 2018-01-22T02:23:15+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes       |        256 | symmetric   | None | None       |
+------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+

11.3. Creating a secret
Copy link

Create a secret in Red Hat OpenStack Services on OpenShift (RHOSO) to store private information. This configuration saves your data in a secure location so that you can use it with your services.

You must specify the name of the secret and you can optionally specify its payload. Adding the payload attaches the actual content, like a certificate or key, to the secret metadata and ensures that services can retrieve and use the secured information.

Note

You cannot change the payload of a secret, you can only delete it. If you create a secret without specifying a payload, then you can later add a payload to it by using the openstack secret update command.

Procedure

  • Create a secret: 

    $ openstack secret store --name testSecret --payload 'TestPayload'

    For example: 

    +---------------+------------------------------------------------------------------------------------+
| Field         | Value                                                                              |
+---------------+------------------------------------------------------------------------------------+
| Secret href   | https://192.168.123.163:9311/v1/secrets/ecc7b2a4-f0b0-47ba-b451-0f7d42bc1746       |
| Name          | testSecret                                                                         |
| Created       | None                                                                               |
| Status        | None                                                                               |
| Content types | None                                                                               |
| Algorithm     | aes                                                                                |
| Bit length    | 256                                                                                |
| Secret type   | opaque                                                                             |
| Mode          | cbc                                                                                |
| Expiration    | None                                                                               |
+---------------+------------------------------------------------------------------------------------+

11.4. Adding a payload to a secret
Copy link

Add a payload to a secret in Red Hat OpenStack Services on OpenShift (RHOSO) to populate it with data. This updates an existing secret definition with the specific information you want to store in the environment.

Note

You cannot change the payload of a secret, you can only delete it.

If you create a secret without specifying a payload, then you can add a payload to it by using the openstack secret update command.

Procedure

  • Add a payload to a secret that does not contain a payload yet: 

    $ openstack secret update https://192.168.123.163:9311/v1/secrets/ca34a264-fd09-44a1-8856-c6e7116c3b16 'TestPayload'

11.5. Deleting a secret
Copy link

Delete a secret in Red Hat OpenStack Services on OpenShift (RHOSO) to remove sensitive data that is no longer needed. Permanently removing obsolete or compromised secrets from the Key Manager service (barbican) prevents unauthorized access and ensures that services stop using invalid credentials.

Procedure

  • You must specify the secret URI when deleting a secret:

    Tip

    You can use this command openstack secret list to obtain the URI of the secret. 

    $ openstack secret delete https://192.168.123.163:9311/v1/secrets/ecc7b2a4-f0b0-47ba-b451-0f7d42bc1746

11.6. Generating a symmetric key
Copy link

Generate a symmetric key in Red Hat OpenStack Services on OpenShift (RHOSO) to enable encryption for your services. Creating the key directly in the Key Manager service (barbican) ensures that the secret data is generated securely and stored immediately.

You can generate a symmetric key for specific tasks such as Compute service disk encryption and Object Storage service encryption.

Procedure

  1. Generate a new 256-bit key using order create and store it in the Key Manager service. 

    $ openstack secret order create --name swift_key --algorithm aes --mode ctr --bit-length 256 --payload-content-type=application/octet-stream key

    For example: 

    +----------------+-----------------------------------------------------------------------------------+
| Field          | Value                                                                             |
+----------------+-----------------------------------------------------------------------------------+
| Order href     | https://192.168.123.173:9311/v1/orders/043383fe-d504-42cf-a9b1-bc328d0b4832       |
| Type           | Key                                                                               |
| Container href | N/A                                                                               |
| Secret href    | None                                                                              |
| Created        | None                                                                              |
| Status         | None                                                                              |
| Error code     | None                                                                              |
| Error message  | None                                                                              |
+----------------+-----------------------------------------------------------------------------------+

    You can also use the --mode option to configure generated keys to use a particular mode, such as ctr or cbc. For more information, see NIST SP 800-38A.

  2. View the details of the order to identify the location of the generated key, shown here as the Secret href value:

    Example command: 

    $ openstack secret order get https://192.168.123.173:9311/v1/orders/043383fe-d504-42cf-a9b1-bc328d0b4832

    For example: 

    +----------------+------------------------------------------------------------------------------------+
| Field          | Value                                                                              |
+----------------+------------------------------------------------------------------------------------+
| Order href     | https://192.168.123.173:9311/v1/orders/043383fe-d504-42cf-a9b1-bc328d0b4832        |
| Type           | Key                                                                                |
| Container href | N/A                                                                                |
| Secret href    | https://192.168.123.173:9311/v1/secrets/efcfec49-b9a3-4425-a9b6-5ba69cb18719       |
| Created        | 2018-01-24T04:24:33+00:00                                                          |
| Status         | ACTIVE                                                                             |
| Error code     | None                                                                               |
| Error message  | None                                                                               |
+----------------+------------------------------------------------------------------------------------+

  3. Retrieve the details of the secret:

    Example command: 

    $ openstack secret get https://192.168.123.173:9311/v1/secrets/efcfec49-b9a3-4425-a9b6-5ba69cb18719

    For example: 

    +---------------+------------------------------------------------------------------------------------+
| Field         | Value                                                                              |
+---------------+------------------------------------------------------------------------------------+
| Secret href   | https://192.168.123.173:9311/v1/secrets/efcfec49-b9a3-4425-a9b6-5ba69cb18719       |
| Name          | swift_key                                                                          |
| Created       | 2018-01-24T04:24:33+00:00                                                          |
| Status        | ACTIVE                                                                             |
| Content types | {u'default': u'application/octet-stream'}                                          |
| Algorithm     | aes                                                                                |
| Bit length    | 256                                                                                |
| Secret type   | symmetric                                                                          |
| Mode          | ctr                                                                                |
| Expiration    | None                                                                               |
+---------------+------------------------------------------------------------------------------------+

11.7. Encrypting Block Storage (cinder) volumes
Copy link

Encrypt Block Storage (cinder) volumes in Red Hat OpenStack Services on OpenShift (RHOSO) to secure your storage resources. This configuration uses the Key Manager service (barbican) to secure volume contents, ensuring that information remains unreadable to unauthorized users even if the physical storage is compromised.

You can use the Key Manager service to manage your Block Storage service (cinder) encryption keys. This configuration uses LUKS to encrypt the disks attached to your instances, including boot disks.

Block Storage volume key management is transparent to the user; when you create a new volume using luks as the encryption type, the Block Storage service generates a symmetric key secret for the volume and stores it in the Key Manager service. When booting the instance or attaching an encrypted volume, the Compute service (nova) retrieves the key from the Key Manager service and stores the secret locally as a libvirt secret on the Compute node.

Procedure

  1. Create a Block Storage volume template that uses encryption. When you create new volumes, they can be modeled off the settings you define here: 

    $ openstack volume type create --encryption-provider nova.volume.encryptors.luks.LuksEncryptor --encryption-cipher aes-xts-plain64 --encryption-key-size 256 --encryption-control-location front-end LuksEncryptor-Template-256

    For example: 

    +-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field       | Value                                                                                                                                                                              |
+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| description | None                                                                                                                                                                               |
| encryption  | cipher='aes-xts-plain64', control_location='front-end', encryption_id='9df604d0-8584-4ce8-b450-e13e6316c4d3', key_size='256', provider='nova.volume.encryptors.luks.LuksEncryptor' |
| id          | 78898a82-8f4c-44b2-a460-40a5da9e4d59                                                                                                                                               |
| is_public   | True                                                                                                                                                                               |
| name        | LuksEncryptor-Template-256                                                                                                                                                         |
+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

  2. Create a new Block Storage volume and specify that it uses the LuksEncryptor-Template-256 settings: 

    $ openstack volume create --size 1 --type LuksEncryptor-Template-256 'Encrypted-Test-Volume'

    For example: 

    +---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| attachments         | []                                   |
| availability_zone   | nova                                 |
| bootable            | false                                |
| consistencygroup_id | None                                 |
| created_at          | 2018-01-22T00:19:06.000000           |
| description         | None                                 |
| encrypted           | True                                 |
| id                  | a361fd0b-882a-46cc-a669-c633630b5c93 |
| migration_status    | None                                 |
| multiattach         | False                                |
| name                | Encrypted-Test-Volume                |
| properties          |                                      |
| replication_status  | None                                 |
| size                | 1                                    |
| snapshot_id         | None                                 |
| source_volid        | None                                 |
| status              | creating                             |
| type                | LuksEncryptor-Template-256           |
| updated_at          | None                                 |
| user_id             | 0e73cb3111614365a144e7f8f1a972af     |
+---------------------+--------------------------------------+

    The resulting secret is automatically uploaded to the Key Manager service back end.

  3. Ensure that you can see the Key Manager service secret UUID. This value is displayed in the encryption_key_id field. 

    $ cinder --os-volume-api-version 3.64 volume show Encrypted-Test-Volume

    For example: 

    +------------------------------+-------------------------------------+
|Property                      |Value                                |
+------------------------------+-------------------------------------+
|attached_servers              |[]                                   |
|attachment_ids                |[]                                   |
|availability_zone             |nova                                 |
|bootable                      |false                                |
|cluster_name                  |None                                 |
|consistencygroup_id           |None                                 |
|created_at                    |2022-07-28T17:35:26.000000           |
|description                   |None                                 |
|encrypted                     |True                                 |
|encryption_key_id             |0944b8a8-de09-4413-b2ed-38f6c4591dd4 |
|group_id                      |None                                 |
|id                            |a0b51b97-0392-460a-abfa-093022a120f3 |
|metadata                      |                                     |
|migration_status              |None                                 |
|multiattach                   |False                                |
|name                          |vol                                  |
|os-vol-host-attr:host         |hostgroup@tripleo_iscsi#tripleo_iscsi|
|os-vol-mig-status-attr:migstat|None                                 |
|os-vol-mig-status-attr:name_id|None                                 |
|os-vol-tenant-attr:tenant_id  |a2071ece39b3440aa82395ff7707996f     |
|provider_id                   |None                                 |
|replication_status            |None                                 |
|service_uuid                  |471f0805-072e-4256-b447-c7dd10ceb807 |
|shared_targets                |False                                |
|size                          |1                                    |
|snapshot_id                   |None                                 |
|source_volid                  |None                                 |
|status                        |available                            |
|updated_at                    |2022-07-28T17:35:26.000000           |
|user_id                       |ba311b5c2b8e438c951d1137333669d4     |
|volume_type                   |LUKS                                 |
|volume_type_id                |cc188ace-f73d-4af5-bf5a-d70ccc5a401c |
+------------------------------+-------------------------------------+
    Note

    You must use the --os-volume-api-version 3.64 parameter with the Block Storage service cinder CLI to display the encryption_key_id value. There is no equivalent openstack CLI command.

  4. Use the Key Manager service to confirm that the disk encryption key is present. In this example, the timestamp matches the LUKS volume creation time: 

    $ openstack secret list

    For example: 

    +------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| Secret href                                                                        | Name | Created                   | Status | Content types                             | Algorithm | Bit length | Secret type | Mode | Expiration |
+------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| https://192.168.123.169:9311/v1/secrets/0944b8a8-de09-4413-b2ed-38f6c4591dd4 | None | 2018-01-22T02:23:15+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes       |        256 | symmetric   | None | None       |
+------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+

  5. Attach the new Block Storage volume to an existing instance: 

    $ openstack server add volume testInstance Encrypted-Test-Volume

    The Block Storage volume is now available for you to mount to the guest file system.

11.8. Signing Image service (glance) images
Copy link

Validate Image service (glance) images in Red Hat OpenStack Services on OpenShift (RHOSO) to ensure data integrity. Verifying signatures against trusted keys prevents the deployment of compromised images that have been modified by unauthorized users.

When you configure the Image service (glance) to validate images, you must sign those images before uploading them. Use the openssl command to sign an image with a key that is stored in the Key Manager service (barbican), and then upload the image to the Image service with the accompanying image properties. The signature of the image is verified before each use, and the instance build process fails if the signature does not match.

Limitations
  • Signature verification is based on openSSL _rsa_sig_verify(), which currently raises an InvalidSignature exception in the Image service if the key length is not 1024. This issue occurs because of a regression in OpenSSL 3.0.7. Signature verification works correctly with key length 2048 and OpenSSL 3.0.2.
  • OpenSSL does not support the SHA256 algorithm. You must use SHA512 or greater to create a signed image.

Procedure

  1. Use the openssl command to create the keys and the certificate:

    • Create the private key: 

      $ openssl genrsa -out private_key.pem 1024

    • Create the public key: 

      $ openssl rsa -pubout -in private_key.pem -out public_key.pem

    • Create the certificate: 

      $ openssl req -new -key private_key.pem -out cert_request.csr

    • When prompted, enter details to include in your certificate request: 

      $ openssl x509 -req -days 14 -in cert_request.csr -signkey private_key.pem -out new_cert.crt

  2. Upload the certificate to the Key Manager service, where it is stored in the secret store: 

    $ openstack secret store --name test --algorithm RSA --secret-type certificate \
  --payload-content-type "application/octet-stream" \
  --payload-content-encoding base64 \
  --payload "$(base64 new_cert.crt)"

    For example: 

    +---------------+-----------------------------------------------------------------------+
| Field         | Value                                                                 |
+---------------+-----------------------------------------------------------------------+
| Secret href   | http://127.0.0.1:9311/v1/secrets/cd7cc675-e573-419c-8fff-33a72734a243 |
+---------------+-----------------------------------------------------------------------+
    Note

    Record the certificate’s UUID for use in a later step. In this example, the UUID is cd7cc675-e573-419c-8fff-33a72734a243.

  3. Retrieve an image and create a signature:

    • Retrieve an image: 

      $ echo <This is my image> > <myimage>

    • Use private_key.pem to sign the image and generate the .signature file. For example: 

      $ openssl dgst -sha512 -sign private_key.pem -sigopt rsa_padding_mode:pss -out myimage.signature myimage

    • Convert the .signature file to Base64 format: 

      $ base64 -w 0 myimage.signature > myimage.signature.b64

    • Load the Base64 value into a variable to use when you upload the image: 

      $ image_signature=$(cat myimage.signature.b64)

  4. Upload an image with valid signature properties to the Image service: 

    $ openstack image-create \
  --name <my_signed_image> \
  --container-format bare \
  --disk-format qcow2 \
  --property img_signature="$image_signature" \
  --property img_signature_certificate_uuid="$cert_uuid" \
  --property img_signature_hash_method='SHA-512' \
  --property img_signature_key_type='RSA-PSS' < myimage

11.9. Validating snapshots
Copy link

Validate snapshots in Red Hat OpenStack Services on OpenShift (RHOSO) to check for file issues. This process allows you to confirm that the backup files in your environment are correct before you use them.

Snapshots are saved as Image service (glance) images. If you configure the Compute service (nova) to check for signed images, then snapshots must by signed, even if they were created from an instance with a signed image.

Procedure

  1. Download the snapshot from the Image service: 

    $ openstack image save --file <local_file_name> <snapshot_image_name>
    • Replace <local_file_name> with the file name of the downloaded image.
    • Replace <snapshot_image_name> with the name of your snapshot.
  2. Generate a signature to validate the snapshot. Use the same process that you use to generate a signature to validate an image. For more information, see Signing Image service (glance) images.

  3. Update the snapshot image properties: 

    $ openstack image set \
  --property img_signature="$image_signature" \
  --property img_signature_certificate_uuid="<cd7cc675-e573-419c-8fff-33a72734a243>" \
  --property img_signature_hash_method="SHA-512" \
  --property img_signature_key_type="RSA-PSS" \
  <snapshot_image_id>
    • Replace <cd7cc675-e573-419c-8fff-33a72734a243> with the UUID of the certificate for the image.
    • Replace <snapshot_image_id> with the ID of your snapshot.

  4. Optional: Remove the downloaded Image service image from the filesystem: 

    $ rm <local_file_name>

11.10. Backing up simple crypto encryption keys
Copy link

Back up encryption keys in Red Hat OpenStack Services on OpenShift (RHOSO) to prepare for disaster recovery. Exporting secrets from the Key Manager service (barbican) ensures that you can restore access to encrypted volumes if the primary system fails.

To backup simple crypto encryption keys, you must back up the Key Manager database and the BarbicanSimpleCryptoKek key that encrypts and decrypts values from the database. Store the key and Key Manager database in a security-hardened location.

Prerequisites

  • You have a security-hardened location for the BarbicanSimpleCryptoKEK key and Key Manager database.

Procedure

  1. Retrieve the base64 decoded BarbicanSimpleCryptoKEK value from osp-secret and save it to a file called kek.txt: 

    $ oc get secret osp-secret -o yaml | grep BarbicanSimpleCryptoKEK | awk '{print $2}' | base64 -d > kek.txt

  2. Retrieve the Key Manager database root password: 

    $ DB_PASS=$(oc get secret osp-secret -o yaml | grep DbRootPassword | awk '{print $2}' | base64 -d)

  3. Use the Key Manager database root password to back up the barbican database: 

    $ oc exec -it openstack-galera-0 -- mysqldump -u root -p"${DB_PASS}" barbican > barbican_db_backup.sql

  4. Check that the database backup is stored in your current working directory: 

    $ ll
total 36
-rw-rw-r--. 1 tripleo-admin tripleo-admin 36715 Jun 19 18:31 barbican_db_backup.sql
  5. Back up the barbican_db_backup.sql and kek.txt files to the security hardened location.

11.11. Restoring simple crypto encryption keys
Copy link

Restore encryption keys in Red Hat OpenStack Services on OpenShift (RHOSO) to recover from a system failure. Importing backed-up secrets into the Key Manager service (barbican) enables you to regain access to encrypted volumes and ensure business continuity.

Restore the Key Manager database and the BarbicanSimpleCryptoKek password from a backup in order to restore simple crypto encryption keys.

Procedure

  1. Encode your BarbicanSimpleCryptoKek key using base64 and write the resulting value into osp-secret: 

    $ echo <barbican_key> | base64
YmFyYmljYW5fc2ltcGxlX2N5cHRvX2tlawo=

    Replace <barbican_key> with the BarbicanSimpleCryptoKek key that you want to restore.

  2. Open the osp-secret secret object for editing: 

    $ oc edit secret osp-secret

  3. Add the value from step 1 and save your changes: 

    ....
  BarbicanDatabasePassword: cGFzc3dvcmQK
  BarbicanPassword: cGFzc3dvcmQK
  BarbicanSimpleCryptoKEK: YmFyYmljYW5fc2ltcGxlX2N5cHRvX2tlawo=
  CeilometerPassword: cGFzc3dvcmQK
  CinderDatabasePassword: cGFzc3dvcmQK
  CinderPassword: cGFzc3dvcmQK
  DatabasePassword: cGFzc3dvcmQK
....

  4. Retrieve the Key Manager database root password: 

    DB_PASS=$(oc get secret osp-secret -o yaml | grep DbRootPassword | awk '{print $2}' | base64 -d)

  5. Restore the backup file to the Key Manager barbican database: 

    $ oc exec openstack-galera-0 --  mysql -u root -p"${DB_PASS}" barbican < <sql_backup>

    • Replace <sql_backup> with the name of your mysql database backup file.

      For example: 

      Defaulted container "galera" out of: galera, mysql-bootstrap (init)

Verification

  • You can use the openstackclient pod to verify that the test secrets were restored successfully: 

    $ oc exec -n openstack -t openstackclient -- openstack secret list
+------------------------------------------------------------------------+------------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| Secret href                                                        	| Name   	| Created               	| Status | Content types                         	| Algorithm | Bit length | Secret type | Mode | Expiration |
+------------------------------------------------------------------------+------------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| http://10.0.0.104:9311/v1/secrets/93f62cfd-e008-401f-be74-bf057c88b04a | testSecret | 2018-06-19T18:25:25+00:00 | ACTIVE | {u'default': u'text/plain'}           	| aes   	|    	256 | opaque  	| cbc  | None   	|
| http://10.0.0.104:9311/v1/secrets/f664b5cf-5221-47e5-9887-608972a5fefb | swift_key  | 2018-06-19T18:24:40+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes   	|    	256 | symmetric   | ctr  | None   	|
+------------------------------------------------------------------------+------------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+

Secure storage services in Red Hat OpenStack Services on OpenShift (RHOSO) to protect your data. Configuring encryption and image validation prevents unauthorized access to stored data and allows you to check that your files are safe to use.

You can use the Key manager (barbican) service for the secure storage of encryption keys for the Red Hat OpenStack Services on OpenShift (RHOSO) storage services.

12.1. Encrypting Block Storage (cinder) volumes
Copy link

Encrypt Block Storage volumes in Red Hat OpenStack Services on OpenShift (RHOSO) to secure your storage resources. This action applies encryption settings to the volumes, ensuring that information remains unreadable to unauthorized users even if the physical storage is compromised.

You can use the Key manager (barbican) service to manage your Block Storage (cinder) encryption keys. This configuration uses LUKS to encrypt the disks attached to your instances, including boot disks.

Key management is transparent to the user. When you create a new Block Storage volume using encryption, the Block Storage service generates a symmetric key secret for the volume and stores it in the Key manager service. When booting the instance (or attaching an encrypted volume), the Compute service (nova) retrieves the key from the Key manager service and stores the secret locally as a libvirt secret.

Note

When creating a Block Storage volume using encryption, you must use the luks encryption provider, the aes-xts-plain64 encryption cipher, and use a key size of 256.

Procedure

  1. Create a Block Storage volume type that uses encryption: 

    $ openstack volume type create \
--encryption-provider  nova.volume.encryptors.luks.LuksEncryptor \
--encryption-cipher aes-xts-plain64 \
--encryption-key-size 256 \
--encryption-control-location front-end LuksEncryptor-256

    For example: 

    +-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field       | Value                                                                                                                                                                              |
+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| description | None                                                                                                                                                                               |
| encryption  | cipher='aes-xts-plain64', control_location='front-end', encryption_id='9df604d0-8584-4ce8-b450-e13e6316c4d3', key_size='256', provider='nova.volume.encryptors.luks.LuksEncryptor' |
| id          | 78898a82-8f4c-44b2-a460-40a5da9e4d59                                                                                                                                               |
| is_public   | True                                                                                                                                                                               |
| name        | LuksEncryptor-256                                                                                                                                                                  |
+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

  2. Create a new Block Storage volume and specify that it uses the LuksEncryptor-256 volume type: 

    $ openstack volume create --size 1 --type LuksEncryptor-256 'Encrypted-Test-Volume'

    For example: 

    +---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| attachments         | []                                   |
| availability_zone   | nova                                 |
| bootable            | false                                |
| consistencygroup_id | None                                 |
| created_at          | 2018-01-22T00:19:06.000000           |
| description         | None                                 |
| encrypted           | True                                 |
| id                  | a361fd0b-882a-46cc-a669-c633630b5c93 |
| migration_status    | None                                 |
| multiattach         | False                                |
| name                | Encrypted-Test-Volume                |
| properties          |                                      |
| replication_status  | None                                 |
| size                | 1                                    |
| snapshot_id         | None                                 |
| source_volid        | None                                 |
| status              | creating                             |
| type                | LuksEncryptor-256                    |
| updated_at          | None                                 |
| user_id             | 0e73cb3111614365a144e7f8f1a972af     |
+---------------------+--------------------------------------+

    The resulting secret is automatically uploaded to the Key Manager back end.

  3. Obtain the Key Manager secret UUID. This value is displayed in the encryption_key_id field: 

    $ openstack --os-volume-api-version 3.64 volume show Encrypted-Test-Volume

    For example: 

    +------------------------------+-------------------------------------+
|Property                      |Value                                |
+------------------------------+-------------------------------------+
|attached_servers              |[]                                   |
|attachment_ids                |[]                                   |
|availability_zone             |nova                                 |
|bootable                      |false                                |
|cluster_name                  |None                                 |
|consistencygroup_id           |None                                 |
|created_at                    |2022-07-28T17:35:26.000000           |
|description                   |None                                 |
|encrypted                     |True                                 |
|encryption_key_id             |0944b8a8-de09-4413-b2ed-38f6c4591dd4 |
|group_id                      |None                                 |
|id                            |a0b51b97-0392-460a-abfa-093022a120f3 |
|metadata                      |                                     |
|migration_status              |None                                 |
|multiattach                   |False                                |
|name                          |vol                                  |
|os-vol-host-attr:host         |hostgroup@tripleo_iscsi#tripleo_iscsi|
|os-vol-mig-status-attr:migstat|None                                 |
|os-vol-mig-status-attr:name_id|None                                 |
|os-vol-tenant-attr:tenant_id  |a2071ece39b3440aa82395ff7707996f     |
|provider_id                   |None                                 |
|replication_status            |None                                 |
|service_uuid                  |471f0805-072e-4256-b447-c7dd10ceb807 |
|shared_targets                |False                                |
|size                          |1                                    |
|snapshot_id                   |None                                 |
|source_volid                  |None                                 |
|status                        |available                            |
|updated_at                    |2022-07-28T17:35:26.000000           |
|user_id                       |ba311b5c2b8e438c951d1137333669d4     |
|volume_type                   |LUKS                                 |
|volume_type_id                |cc188ace-f73d-4af5-bf5a-d70ccc5a401c |
+------------------------------+-------------------------------------+

  4. Use the Key Manager service to confirm that the disk encryption key is present. In the following example, the Key Manager secret UUID matches the encryption_key_id in the previous example output and the timestamp matches the LUKS volume creation time: 

    $ openstack secret list

    For example: 

    +------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| Secret href                                                                        | Name | Created                   | Status | Content types                             | Algorithm | Bit length | Secret type | Mode | Expiration |
+------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
| https://192.168.123.169:9311/v1/secrets/0944b8a8-de09-4413-b2ed-38f6c4591dd4 | None | 2018-01-22T02:23:15+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes       |        256 | symmetric   | None | None       |
+------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+

  5. Attach the new Block Storage volume to an existing instance: 

    $ openstack server add volume testInstance Encrypted-Test-Volume

Block Storage validation in Red Hat OpenStack Services on OpenShift (RHOSO) protects your data. This process checks signatures to ensure that only safe, trusted images are used to create storage volumes.

The Block Storage service (cinder) automatically validates the signature of any downloaded, signed image during volume from image creation. The signature is validated before the image is written to the volume.

To improve performance, you can use the Block Storage image volume cache to store validated images for creating new volumes.

Note

Block Storage image signature validation is not supported with Red Hat Ceph Storage (RHCS) or RBD volumes.

Understand the automatic deletion of volume image encryption keys in Red Hat OpenStack Services on OpenShift (RHOSO) to manage your resources. This feature removes the encryption keys from the system when the corresponding volume images are deleted.

The Block Storage service (cinder) uses the Key Manager service (barbican) to manage encryption keys. The Block Storage service creates an encryption key when it uploads an encrypted volume to the Image service (glance).

The encryption key is managed by OpenStack services without requiring user intervention. By default, the Block Storage service deletes the encryption key to prevent the unlimited resource consumption of the Key Manager service.

The Block Storage service adds the following two properties to a volume image:

cinder_encryption_key_id
The identifier of the encryption key that the Key Manager service stores for a specific image.
cinder_encryption_key_deletion_policy
The policy that tells the Image service whether to delete the key associated with this image.
Important

The values of these properties are automatically assigned. To avoid unintentional data loss, do not adjust these values.

When you create a Block Storage volume image, the Block Storage service sets the cinder_encryption_key_deletion_policy property to on_image_deletion. When you delete a Block Storage volume image, the Image service deletes the corresponding encryption key if the cinder_encryption_key_deletion_policy equals on_image_deletion.

Important

Do not edit the cinder_encryption_key_id or cinder_encryption_key_deletion_policy properties. If you use the encryption key that is identified by the value of cinder_encryption_key_id for any other purpose, you risk data loss.

Legal Notice
Copy link

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top