openstack/openstack-manuals
Code Issues Proposed changes
eb6a27bdc4
openstack-manuals/doc/security-guide/ch037_risks.xml
Shilla Saebi c46acabfe6 small cleanup security_guide ch037_risks 
typo queueuing to Queuing
minor grammar edit, added comma
Made changes to sentence formats
removed extra paragraph for 1 sentence, added 0MQ, removed space afer </para>

Change-Id: Idb7b7cce09e2a38c2e2838c06e023a4ebf4b4839
2014-01-30 11:27:15 -06:00

46 lines
2.0 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns="http://docbook.org/ns/docbook"
xmlns:db="http://docbook.org/ns/docbook" version="5.0"
xml:id="ch037_risks">
<?dbhtml stop-chunking?>
<title>Message Queuing Architecture</title>
<para>Message queuing services facilitate inter-process
communication in OpenStack. OpenStack supports these message
queuing service back ends:</para>
<itemizedlist>
<listitem>
<para>RabbitMQ</para>
</listitem>
<listitem>
<para>Qpid</para>
</listitem>
<listitem>
<para>ZeroMQ or 0MQ</para>
</listitem>
</itemizedlist>
<para>Both RabbitMQ and Qpid are Advanced Message Queuing Protocol
(AMQP) frameworks, which provide message queues for peer-to-peer
communication. Queue implementations are typically deployed as a
centralized or decentralized pool of queue servers. ZeroMQ
provides direct peer-to-peer communication through TCP
sockets.</para>
<para>Message queues effectively facilitate command and control
functions across OpenStack deployments. Once access to the queue
is permitted no further authorization checks are performed.
Services accessible through the queue do validate the contexts and
tokens within the actual message payload. However, you must note
the expiration date of the token because tokens are potentially
re-playable and can authorize other services in the
infrastructure.</para>
<para>OpenStack does not support message-level confidence, such as
message signing. Consequently, you must secure and authenticate
the message transport itself. For high-availability (HA)
configurations, you must perform queue-to-queue authentication and
encryption.</para>
<para>With ZeroMQ messaging, IPC sockets are used on individual
machines. Because these sockets are vulnerable to attack, ensure
that the cloud operator has secured them.</para>
</chapter>
View Git Blame Copy Permalink