Security

OpenStack services support various security methods including password, policy, and encryption. Additionally, supporting services including the database server and message broker support password security.

To ease the installation process, this guide only covers password security where applicable. You can create secure passwords manually, but the database connection string in a service's configuration file cannot accept special characters like "@". We recommend that you generate passwords using a tool such as pwgen, or by running the following command:

$ openssl rand -hex 10

For OpenStack services, this guide uses SERVICE_PASS to reference service account passwords and SERVICE_DBPASS to reference database passwords.

The following table provides a list of services that require passwords and their associated references in the guide.

Passwords

Password name                         Description
------------------------------------  ------------------------------------------------
Database password (no variable used)  Root password for the database
ADMIN_PASS                            Password of user admin
CINDER_DBPASS                         Database password for the Block Storage service
CINDER_PASS                           Password of Block Storage service user cinder
DASH_DBPASS                           Database password for the Dashboard
DEMO_PASS                             Password of user demo
GLANCE_DBPASS                         Database password for the Image service
GLANCE_PASS                           Password of Image service user glance
KEYSTONE_DBPASS                       Database password for the Identity service
METADATA_SECRET                       Secret for the metadata proxy
NEUTRON_DBPASS                        Database password for the Networking service
NEUTRON_PASS                          Password of Networking service user neutron
NOVA_DBPASS                           Database password for the Compute service
NOVA_PASS                             Password of Compute service user nova
PLACEMENT_PASS                        Password of the Placement service user placement
RABBIT_PASS                           Password of the RabbitMQ guest user
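
The generation command above applied to every name in the table, as an added shell example that is not part of the original guide. The output file path, the DB_ROOT_PASS label and the /dev/urandom fallback are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the guide: one random secret per name in the table.
LC_ALL=C; export LC_ALL   # byte-wise ranges for the [0-9a-f] checks below

# Names from the password table. DB_ROOT_PASS is a hypothetical label for the
# database root password, which the guide leaves without a variable.
PASSWORD_NAMES="DB_ROOT_PASS ADMIN_PASS CINDER_DBPASS CINDER_PASS DASH_DBPASS
DEMO_PASS GLANCE_DBPASS GLANCE_PASS KEYSTONE_DBPASS METADATA_SECRET
NEUTRON_DBPASS NEUTRON_PASS NOVA_DBPASS NOVA_PASS PLACEMENT_PASS RABBIT_PASS"

# Print 10 random bytes as 20 hex characters (the guide's openssl command).
# The /dev/urandom fallback is an addition for hosts without openssl.
gen_password() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 10
    else
        od -An -N10 -tx1 /dev/urandom | tr -d ' \n'; echo
    fi
}

# Succeed only for a non-empty value made of [0-9a-f]: nothing in it ("@",
# ":", "/") can be misread as a delimiter in a database connection string.
is_conn_string_safe() {
    case "$1" in
        ''|*[!0-9a-f]*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_passwords FILE: write NAME=value lines to a new, owner-only FILE.
# Refuses to overwrite, so secrets already deployed are never silently lost.
write_passwords() {
    (
        umask 077          # file is created with mode 0600
        set -C             # noclobber: fail if FILE already exists
        : > "$1" || exit 1
        for name in $PASSWORD_NAMES; do
            pw=$(gen_password) || exit 1
            is_conn_string_safe "$pw" || exit 1
            printf '%s=%s\n' "$name" "$pw" >> "$1" || exit 1
        done
    )
}

# Usage: sh gen-passwords.sh /root/openstack-passwords.env  (path is an example)
if [ -n "${1:-}" ]; then write_passwords "$1"; fi
```

Keep the resulting file off shared storage and out of version control; every service account and database in the deployment can be accessed with its contents.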

OpenStack and supporting services require administrative privileges during installation and operation. In some cases, services perform modifications to the host that can interfere with deployment automation tools such as Ansible, Chef, and Puppet. For example, some OpenStack services add a root wrapper to sudo that can interfere with security policies. See the OpenStack Administrator Guide for more information.

The Networking service assumes default values for kernel network parameters and modifies firewall rules. To avoid most issues during your initial installation, we recommend using a stock deployment of a supported distribution on your hosts. However, if you choose to automate deployment of your hosts, review the configuration and policies applied to them before proceeding further.

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.