Trove is the OpenStack Database-as-a-Service project; it allows users to provision and manage the lifecycle of a dozen different database technologies using a single common set of primitives, API, and tools. The database instances run in virtual machines or on bare-metal instances provisioned through Nova, and each guest instance includes the chosen database and a guest agent. The guest agent communicates with the control plane over a message bus (oslo_messaging).
A crucial security consideration when deploying Trove is how one properly configures the system to prevent compromised guest instances from becoming an attack vector to the OpenStack deployment as a whole.
This presentation describes specific architectural elements of the Trove project, including a new capability in the Ocata release that allows deployers to encrypt all message bus traffic, and illustrates how this feature makes a Trove system secure and safe to operate in a multi-tenant environment.
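To make the containment property concrete, here is an added example (not Trove's code or the presenter's) that models the message bus with an authenticated-encryption envelope keyed per guest instance: a compromised guest holding only its own key can neither read nor forge traffic addressed to another instance. The instance names, the JSON command payloads, and the HMAC-SHA256-based cipher standing in for the real one are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

def derive_keys(instance_key: bytes):
    """Split one per-instance secret into separate encryption and MAC keys (simplified KDF)."""
    enc = hmac.new(instance_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(instance_key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from a PRF; stand-in for a real cipher such as AES (constructed for the demo).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(instance_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC envelope: nonce || ciphertext || tag, bound to one instance's key."""
    enc_key, mac_key = derive_keys(instance_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_envelope(instance_key: bytes, envelope: bytes):
    """Return the plaintext, or None if the tag does not verify (wrong key or tampering)."""
    enc_key, mac_key = derive_keys(instance_key)
    nonce, ct, tag = envelope[:16], envelope[16:-32], envelope[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject before acting on the message
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def simulate():
    # Constructed deployment: two tenant instances, each with its own key known to the control plane.
    keys = {"db-A": secrets.token_bytes(32), "db-B": secrets.token_bytes(32)}
    cmd = b'{"method": "create_backup", "args": {"instance": "db-B"}}'
    env = seal(keys["db-B"], cmd)                       # control plane -> db-B
    legit = open_envelope(keys["db-B"], env)            # db-B reads its command
    eavesdrop = open_envelope(keys["db-A"], env)        # compromised db-A sees bus traffic, holds only its key
    forged = seal(keys["db-A"], b'{"method": "restart"}')
    accepted = open_envelope(keys["db-B"], forged)      # db-B must reject a message under db-A's key
    return legit == cmd, eavesdrop is None, accepted is None
```

With a single key shared by every guest, both the eavesdrop and the forgery would succeed, which is why the per-instance keying matters for multi-tenant operation.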