If a hypervisor is compromised, the Nova Compute instance running on that node is also compromised. If the compute instance is compromised, then its access to the Message Queue has to be considered tainted as well. What degree of risk does this pose?
I mention the compute node, but really, any service that has access to the broker is a vector for attack. This includes any third party application that listens for, say, Keystone notifications for audit purposes.
At the bottom of this article I have posted an inventory from a recent TripleO deployment. There are a lot of exchanges and queues, and reading through them is informative.
What we need is a table showing who can read from and who can write to each of these elements.
My first hack at an ACL approach:
- The default rule should be “read only”.
- If a service is responsible for creating an exchange or a queue, it should get write access.
- Beyond that, the owning service should explicitly grant write access to specific services for a given queue/exchange.
What is the start state?
$ sudo rabbitmqctl list_users
Listing users ...
guest   [administrator]
...done.
$ sudo rabbitmqctl list_permissions
Listing permissions in vhost "/" ...
guest   .*      .*      .*
...done.
So, by default, all the services connect as the same user, and have full permissions to read and write on everything.
I will state that only the Keystone server should be able to write to the keystone topic, and, by default, only Ceilometer should be reading from it.
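To make those three rules concrete, here is an added example (my own code, not from this post or any OpenStack project) that models how RabbitMQ evaluates a user's configure/write/read regexes against exchange and queue names, and checks the start state above and a proposed per-service ACL against it. The user names and regexes in PROPOSED_ACL are assumptions, not taken from a real deployment.

```python
import re

# RabbitMQ grants each user three regexes per vhost: configure, write, read.
# They are matched (unanchored) against the exchange or queue name, which is
# why '^$' means "nothing" and '.*' means "everything". The operations below
# and the permission each one needs follow RabbitMQ's access-control rules.
def allowed(acl, user, perm, name):
    """True if USER's PERM regex in ACL matches the resource NAME."""
    configure, write, read = acl[user]
    regex = {"configure": configure, "write": write, "read": read}[perm]
    return re.search(regex, name) is not None

def can_declare(acl, user, name):          # exchange.declare / queue.declare
    return allowed(acl, user, "configure", name)

def can_publish(acl, user, exchange):      # basic.publish
    return allowed(acl, user, "write", exchange)

def can_bind(acl, user, queue, exchange):  # queue.bind: write on queue, read on exchange
    return allowed(acl, user, "write", queue) and allowed(acl, user, "read", exchange)

def can_consume(acl, user, queue):         # basic.consume / basic.get
    return allowed(acl, user, "read", queue)

def set_permissions_commands(acl, vhost="/"):
    """Render an ACL as the rabbitmqctl commands that would install it."""
    return ["rabbitmqctl set_permissions -p %s %s '%s' '%s' '%s'" % ((vhost, u) + acl[u])
            for u in acl]

# The start state shown on the page: one shared user with .* .* .*
START_ACL = {"guest": (".*", ".*", ".*")}

# Constructed ACL applying the page's rules (default read-only, the owning
# service gets write, explicit grants for everything else). User names and
# regexes are assumptions for illustration only.
PROPOSED_ACL = {
    # keystone owns the keystone exchange: may declare it and publish to it, reads nothing
    "keystone":   (r"^keystone$", r"^keystone$", r"^$"),
    # ceilometer owns its own queues and is explicitly allowed to bind them to keystone
    "ceilometer": (r"^ceilometer", r"^ceilometer", r"^(keystone$|ceilometer)"),
    # a compute node owns compute.* queues, publishes on the nova exchange and, as an
    # RPC caller, needs its reply_<uuid> resources (see the reply_ entries in the inventory)
    "compute":    (r"^(compute|reply_)", r"^(nova$|compute|reply_)", r"^(nova$|compute|reply_)"),
}
```

With this model, a compromised compute user can still publish on the nova exchange, but can neither publish to the keystone exchange nor bind a queue to it, which is the containment the rules above are after.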
$ sudo rabbitmqctl list_exchanges
Listing exchanges ...
        direct
amq.direct      direct
amq.fanout      fanout
amq.headers     headers
amq.match       headers
amq.rabbitmq.log        topic
amq.rabbitmq.trace      topic
amq.topic       topic
ceilometer      topic
central topic
cert_fanout     fanout
cinder  topic
cinder-scheduler_fanout fanout
cinder-volume_fanout    fanout
compute_fanout  fanout
conductor_fanout        fanout
consoleauth_fanout      fanout
dhcp_agent_fanout       fanout
engine_fanout   fanout
glance  topic
heat    topic
heat-engine-listener_fanout     fanout
ironic  topic
keystone        topic
l3_agent_fanout fanout
magnetodb       topic
magnum  topic
neutron topic
neutron-vo-QosPolicy-1.0_fanout fanout
nova    topic
openstack       topic
q-agent-notifier-dvr-update_fanout      fanout
q-agent-notifier-network-update_fanout  fanout
q-agent-notifier-port-delete_fanout     fanout
q-agent-notifier-port-update_fanout     fanout
q-agent-notifier-security_group-update_fanout   fanout
q-agent-notifier-tunnel-delete_fanout   fanout
q-agent-notifier-tunnel-update_fanout   fanout
q-l3-plugin_fanout      fanout
q-plugin_fanout fanout
q-reports-plugin_fanout fanout
reply_1cbc785538484554850f69dda902c537  direct
reply_748d4640dbab4284bae19fe086af14e8  direct
reply_ab42e35c548d48b48c9ba0fc3ac93ec7  direct
reply_b37538409ae84436804ccd1b1c0a3bdd  direct
reply_c6bebd23c7e24a5c9a06730b42d317cf  direct
reply_f34034fd84e347e8b6aeedc49f97282d  direct
sahara  topic
sahara-ops_fanout       fanout
scheduler_fanout        fanout
swift   topic
trove   topic
zaqar   topic
...done.
Here are the queues (name and message count):
$ sudo rabbitmqctl list_queues
Listing queues ...
cert    0
cert.overcloud-controller-0.localdomain  0
cert_fanout_c8d9d81c87d84e728cb498a0d434c825    0
cinder-scheduler        0
cinder-scheduler.hostgroup      0
cinder-scheduler_fanout_7969a98120ca4f2097af3ade0ba159ef        0
cinder-volume   0
cinder-volume.hostgroup@tripleo_iscsi   0
cinder-volume_fanout_1520069c024c4c6490fdbb6f336819cc   0
compute 0
compute.overcloud-novacompute-0.localdomain     0
compute_fanout_7dc21bc0422b4d4c9addb151e9e2d8ba 0
conductor       0
conductor.overcloud-controller-0.localdomain    0
conductor_fanout_9f3ff7a1e8b146fc9b5dccb1aa80f119       0
consoleauth     0
consoleauth.overcloud-controller-0.localdomain  0
consoleauth_fanout_4b36518037784e7aad7ce7049b89d089     0
dhcp_agent      0
dhcp_agent.overcloud-controller-0.localdomain   0
dhcp_agent_fanout_8776747599464cc3b80a56b731841fd7      0
engine  0
engine.overcloud-controller-0.localdomain       0
engine_fanout_1030eeeec4644022b5a9f7259f7e0018  0
engine_fanout_2ffb137908934072af6a15d3a6b9e616  0
engine_fanout_bac7897eb7ac43f0a561a0c12c408e26  0
engine_fanout_f439912a1d80484ea38ab784a95fb656  0
heat-engine-listener    0
heat-engine-listener.31d42df9-f64f-451d-b9d6-7ef46229c929       0
heat-engine-listener.8730caa4-4104-4d71-bcc1-08ae17a41420       0
heat-engine-listener.b1dd3b6e-d085-4005-a4c9-a29b6f91c3f6       0
heat-engine-listener.ea60f788-af0c-49be-9325-8cefe60cc53a       0
heat-engine-listener_fanout_3b2879946f754cd9bd4becc6b8448071    0
heat-engine-listener_fanout_725990e3081f4ddc839a1bbf78520873    0
heat-engine-listener_fanout_aa1ec5483825470797e11b73cddaf223    0
heat-engine-listener_fanout_cb251c73b0f64d64ac3e38b529e1de30    0
l3_agent        0
l3_agent.overcloud-controller-0.localdomain     0
l3_agent_fanout_83ec229461dd4bd68d4e0debc7f9a39d        0
metering.sample 0
neutron-vo-QosPolicy-1.0        0
neutron-vo-QosPolicy-1.0.overcloud-controller-0.localdomain     0
neutron-vo-QosPolicy-1.0.overcloud-novacompute-0.localdomain    0
neutron-vo-QosPolicy-1.0_fanout_5f54eaed13cb47da8d80b82223f87e47        0
neutron-vo-QosPolicy-1.0_fanout_f57c66031cb4437ea75a23ec1698b287        0
notifications.info      0
notifications.sample    0
q-agent-notifier-dvr-update     0
q-agent-notifier-dvr-update.overcloud-controller-0.localdomain  0
q-agent-notifier-dvr-update.overcloud-novacompute-0.localdomain 0
q-agent-notifier-dvr-update_fanout_33c92818f86644899082458f893c6157     0
q-agent-notifier-dvr-update_fanout_82d2beb050dc4dde956a86cc6e2e5562     0
q-agent-notifier-network-update 0
q-agent-notifier-network-update.overcloud-controller-0.localdomain      0
q-agent-notifier-network-update.overcloud-novacompute-0.localdomain     0
q-agent-notifier-network-update_fanout_0ef20a72234a45718ece2328d230e2c6 0
q-agent-notifier-network-update_fanout_737fb57587f3453cb14d41b01c5fcdcc 0
q-agent-notifier-port-delete    0
q-agent-notifier-port-delete.overcloud-controller-0.localdomain 0
q-agent-notifier-port-delete.overcloud-novacompute-0.localdomain        0
q-agent-notifier-port-delete_fanout_03a026eb000c4efd89e15dc7834b8fdd    0
q-agent-notifier-port-delete_fanout_acd74597e74041abace267f898a2ce31    0
q-agent-notifier-port-update    0
q-agent-notifier-port-update.overcloud-controller-0.localdomain 0
q-agent-notifier-port-update.overcloud-novacompute-0.localdomain        0
q-agent-notifier-port-update_fanout_28a72273f7234c3b9c4cb4d4f64854c1    0
q-agent-notifier-port-update_fanout_b8ccb7d92aa64bfb9106ecd10c59cfea    0
q-agent-notifier-security_group-update  0
q-agent-notifier-security_group-update.overcloud-controller-0.localdomain       0
q-agent-notifier-security_group-update.overcloud-novacompute-0.localdomain      0
q-agent-notifier-security_group-update_fanout_008a11d67bc54f12bce4a03387a64000  0
q-agent-notifier-security_group-update_fanout_a9f578980b6f4c1ca65629e887bff76e  0
q-agent-notifier-tunnel-delete  0
q-agent-notifier-tunnel-delete.overcloud-controller-0.localdomain       0
q-agent-notifier-tunnel-delete.overcloud-novacompute-0.localdomain      0
q-agent-notifier-tunnel-delete_fanout_1769bab276d44b34a6db34498db522c8  0
q-agent-notifier-tunnel-delete_fanout_cb6f4fd56c8f40b9b2f3b0a6484b70ad  0
q-agent-notifier-tunnel-update  0
q-agent-notifier-tunnel-update.overcloud-controller-0.localdomain       0
q-agent-notifier-tunnel-update.overcloud-novacompute-0.localdomain      0
q-agent-notifier-tunnel-update_fanout_47164fceef534b298b8ea4ee34f9282b  0
q-agent-notifier-tunnel-update_fanout_be1a1e9cc37c4f94921131c3346eed48  0
q-l3-plugin     0
q-l3-plugin.overcloud-controller-0.localdomain  0
q-l3-plugin_fanout_bf639b0aebe6466dba97fb88151ee8b7     0
q-l3-plugin_fanout_eeac107aa8374f87afbddbf6aafcd65c     0
q-plugin        0
q-plugin.overcloud-controller-0.localdomain     0
q-plugin_fanout_38617a666c6c46fd91c6eada520f0303        0
q-reports-plugin        0
q-reports-plugin.overcloud-controller-0.localdomain     0
q-reports-plugin_fanout_4feee95d061f40b2906c22268c79a626        0
q-reports-plugin_fanout_c6123bf05ab24ddaa12adca88b920215        0
reply_1cbc785538484554850f69dda902c537  0
reply_748d4640dbab4284bae19fe086af14e8  0
reply_ab42e35c548d48b48c9ba0fc3ac93ec7  0
reply_b37538409ae84436804ccd1b1c0a3bdd  0
reply_c6bebd23c7e24a5c9a06730b42d317cf  0
reply_f34034fd84e347e8b6aeedc49f97282d  0
sahara-ops      0
sahara-ops.2baf790d-3cfe-42b7-b8bf-49611ecc9639 0
sahara-ops_fanout_91b35b7138284165b4f274f5221d6d89      0
scheduler       0
scheduler.overcloud-controller-0.localdomain    0
scheduler_fanout_0888632b036840849e04edc68d4df200       0
...done.