I. Introduction to Cloud Foundry
Some files and videos can be found on Sina Weipan and Youku, or on Stack Overflow:
http://u.youku.com/CloudFoundryCN
http://stackoverflow.com/questions/tagged/cloudfoundry
II. Cloud Foundry security
1. Some discussions
http://stackoverflow.com/questions/12567735/cloud-foundry-infrastructure-level-security
Cloud Foundry itself isn't concerned with infrastructure-layer security, but there's nothing preventing you from locking down access with a firewall that sits in front of your CF deployment. For example, you could limit access to all of your CF IPs (layer 3), or limit access to specific apps via HTTP host header inspection (layer 7). These capabilities are dependent on the specific firewall software you're using.
FYI, there's a dedicated Google Group for discussion of topics related to the OSS Cloud Foundry project: vcap-dev
https://github.com/cloudfoundry/uaa/blob/master/README.md
This is the official description of one of Cloud Foundry's security modules, the UAA:
The UAA is the identity management service for Cloud Foundry. Its primary role is as an OAuth2 provider, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. It can also authenticate users with their Cloud Foundry credentials, and can act as an SSO service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions.
http://blog.cloudfoundry.org/2012/10/09/oauth-rest/
The UAA recommends using OAuth; for OAuth itself, see the OAuth notes.
http://blog.cloudfoundry.org/2012/07/23/uaa-intro/
Design Goals of the UAA
- Web applications need to be able to authenticate users and access platform resources on their behalf without collecting user credentials. (Several examples of applications collecting user credentials have been brought to our attention but until the UAA was available, there was no way to offer an alternative.)
- The system needs to be able to grow, with more components being added by the platform and by users (for example providing management UIs for existing applications or for deploying new applications or services).
- It should provide Single Sign On (SSO) for all user-facing applications in the platform.
- It should support cross-platform and polyglot programming for users of the platform APIs.
- It should be easy to strategize the authentication mechanism for social (e.g., sign on with GitHub) and enterprise (e.g., corporate AD) scenarios.
https://github.com/cloudfoundry/uaa/tree/master/docs
2. Overall assessment
Software upgrades
Cloud Foundry does not say what the update strategy is when pre-installed software turns out to have a vulnerability.
Authentication and authorization
If the system software itself has no vulnerabilities, then the remaining security problems are all authentication and authorization problems, and authentication/authorization involves frameworks and protocols: frameworks such as OAuth, protocols such as LDAP.
Judging from the directory structure at https://github.com/cloudfoundry, the UAA is an enhancement on the security/authentication side of Cloud Foundry and is not automatically included in the basic Cloud Foundry package.
HA
Not natively supported in Cloud Foundry.
The approach taken on Cloud Foundry's own site, cloudfoundry.com, is:
backup
Resource isolation
warden, a framework for managing isolated and resource controlled environments.
Where Warden sits: the Warden Container. In Cloud Foundry, the smallest unit that manages application execution is the DEA; the DEA deploys and runs applications inside a Warden Container. Unlike a virtual machine, a Warden Container is an application-level process isolation technology; while preserving isolation between applications, it provides faster application startup and horizontal scaling.