Juju security model

John Meinel john at arbash-meinel.com
Sat Aug 10 03:10:35 UTC 2013


On Aug 10, 2013 1:34 AM, "Mike Sam" <mikesam460 at gmail.com> wrote:
>
> Would you please explain juju security model?
>
> 1> How do machine and unit agents authenticate to the bootstrap node?

Machine agents are given the API server address and public cert and a
password via cloud-init.

They connect to the API server with TLS and require the matching
certificate. On first connect, the agents change their password to a
randomly generated string.

Unit agents are started by the machine agents.  Since they use the same
code, they also change their password on first connect.  (They don't really
need to, as they got the original password on a secure connection.)

>
> 2> Who authenticates to whom? "agent to agent" or "agent to db"?

All agents will connect to the API server(s), which then have a direct DB
connection.

Today, there are some agents that are not API servers that have a direct DB
connection, though we are actively reducing that.

>
> 3> what do they need to provide to get authenticated?

Agent id and unique password. They also require the cert for the API
server.

>
> 4> How many ssh keys do we have for all the machines of one environment?

At present I believe there is just one ssh key.
>
> 5> Any existing concern on the security model?

As mentioned we are removing direct DB access for agents that are not on
the API server.

>
> Thanks,
> Mike
>

John
=:->
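
The flow described in the reply above (CA cert and initial password delivered out of band, login with agent id and password, password replaced with a random string on first connect), modelled as an added example that is not Juju's code and not part of the original message. All class, function and agent names and the sample password are hypothetical and constructed for illustration.

```python
import hashlib, hmac, secrets, ssl

def pinned_tls_context(ca_pem: str) -> ssl.SSLContext:
    """Client context that trusts only the CA cert delivered out of band
    (e.g. via cloud-init); system trust roots are not loaded."""
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cadata=ca_pem)

class ApiServer:
    """Toy credential store: agent id -> (salt, salted password hash)."""
    def __init__(self):
        self._creds = {}

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def provision(self, agent_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._creds[agent_id] = (salt, self._hash(salt, password))

    def login(self, agent_id: str, password: str) -> bool:
        # Unknown agents get a dummy salt and an empty hash, so they never match.
        salt, stored = self._creds.get(agent_id, (b"\0" * 16, b""))
        return hmac.compare_digest(stored, self._hash(salt, password))

    def set_password(self, agent_id: str, old: str, new: str) -> None:
        if not self.login(agent_id, old):
            raise PermissionError("bad credentials")
        self.provision(agent_id, new)  # the old password stops working here

def first_connect(server: ApiServer, agent_id: str, initial_password: str) -> str:
    """Agent side: authenticate with the provisioned password, then
    immediately replace it with a randomly generated one."""
    new_password = secrets.token_urlsafe(24)
    server.set_password(agent_id, initial_password, new_password)
    return new_password

def demo():
    server = ApiServer()
    initial = "initial-pw-constructed"        # constructed sample value
    server.provision("machine-1", initial)    # what cloud-init would carry
    rotated = first_connect(server, "machine-1", initial)
    # After rotation the cloud-init password is useless to anyone who read it.
    return server.login("machine-1", initial), server.login("machine-1", rotated)

if __name__ == "__main__":
    print(demo())
```

In a real deployment the login and password change would travel over a connection built with the pinned context, so the new password is never exposed to a server the agent has not verified.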