ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-03-22 03:08:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(docs): add openstack cli first version (#9848)

Browse Source 
Co-authored-by: Andoni A. <14891798+andoniaf@users.noreply.github.com>
This commit is contained in:
Daniel Barranquero
2026-01-29 14:24:44 +01:00
committed by GitHub
parent 013f2e5d32
commit f65879346b
9 changed files with 829 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/docs.json
View File

@@ -267,6 +267,13 @@
"user-guide/providers/oci/getting-started-oci",
"user-guide/providers/oci/authentication"
]
},
{
"group": "OpenStack",
"pages": [
"user-guide/providers/openstack/getting-started-openstack",
"user-guide/providers/openstack/authentication"
]
}
]
},

536
docs/user-guide/providers/openstack/authentication.mdx Normal file
View File

@@ -0,0 +1,536 @@
---
title: 'OpenStack Authentication in Prowler'
---
<Warning>
Prowler currently supports **public cloud OpenStack providers** (OVH, Infomaniak, Vexxhost, etc.). Support for self-deployed OpenStack environments is not yet available and will be added in future releases.
</Warning>
This guide shows how to obtain OpenStack credentials and configure Prowler to scan your OpenStack infrastructure using the recommended `clouds.yaml` authentication method.
## Quick Start: Getting Your OpenStack Credentials
<Tabs>
<Tab title="OVH">
### Step 1: Create an OpenStack User with Reader Role
Before using Prowler, create a dedicated user in your OVH Public Cloud account:
1. Log into the [OVH Control Panel](https://www.ovh.com/manager/)
2. Navigate to "Public Cloud" → Select your project
3. Click "Users & Roles" in the left sidebar
![OVH Users & Roles](./images/users.png)
4. Click "Add User"
5. Enter a user description (e.g., `Prowler Audit User`)
6. Assign the "Infrastructure Supervisor" role (this is the reader role) or specific read-only operator roles (if needed to audit only specific services)
![OVH Select Roles](./images/roles.png)
7. Click "Generate" to create the user
8. Copy the password and store it securely
<Warning>
Avoid using administrator or member roles for security auditing. Reader or operator roles provide sufficient access for Prowler while maintaining security best practices.
</Warning>
### Step 2: Access the Horizon Dashboard
1. From the OVH Control Panel, go to "Public Cloud" → Your project
2. Click "Horizon" in the left sidebar (or access the Horizon URL provided by OVH)
![OVH Horizon](./images/horizon.png)
3. Log in with the user credentials created in Step 1. Ensure the correct user is selected; logging in with the root user will download root user credentials. If the wrong user is logged in, log out and log in again with the correct user.
### Step 3: Navigate to API Access
Once logged into Horizon:
1. In the left sidebar, click "Project"
2. Navigate to "API Access"
![OVH API Access](./images/api-access.png)
3. You'll see the API Access page with information about your OpenStack endpoints
### Step 4: Download the clouds.yaml File
The `clouds.yaml` file contains all necessary credentials in the correct format for Prowler:
1. On the API Access page, look for the "Download OpenStack RC File" dropdown button
2. Click the dropdown and select "OpenStack clouds.yaml File"
![OVH Download RC File](./images/download-yaml.png)
3. The file will be downloaded to your computer
<Note>
The clouds.yaml file contains your password in plain text. Ensure you store it securely with appropriate file permissions (see [Security Best Practices](#security-best-practices) below).
</Note>
### Step 5: Configure clouds.yaml for Prowler
Save the file to the default OpenStack configuration directory:
```bash
# Create the directory if it doesn't exist
mkdir -p ~/.config/openstack
# Move or copy the downloaded clouds.yaml file
mv ~/Downloads/clouds.yaml ~/.config/openstack/clouds.yaml
# Set secure file permissions
chmod 600 ~/.config/openstack/clouds.yaml
```
The downloaded file will look similar to this:
```yaml
clouds:
openstack:
auth:
auth_url: https://auth.cloud.ovh.net/v3
username: user-xxxxxxxxxx
password: your-password-here
project_id: your-project-id
project_name: your-project-name
user_domain_name: Default
project_domain_name: Default
region_name: GRA7
interface: public
identity_api_version: 3
```
You can customize the cloud name (e.g., change `openstack` to `ovh-production`):
```yaml
clouds:
ovh-production:
auth:
auth_url: https://auth.cloud.ovh.net/v3
username: user-xxxxxxxxxx
password: your-password-here
project_id: your-project-id
user_domain_name: Default
project_domain_name: Default
region_name: GRA7
identity_api_version: "3"
```
Alternatively, save the file to a custom location and specify the path when running Prowler:
```bash
# Save the clouds.yaml file to a custom location
mv ~/Downloads/clouds.yaml /path/to/my/clouds.yaml
# Set secure file permissions
chmod 600 /path/to/my/clouds.yaml
```
### Step 6: Run Prowler
Now you can scan your OVH OpenStack infrastructure:
**Using the default location:**
```bash
prowler openstack --clouds-yaml-cloud openstack
```
Or if you customized the cloud name:
```bash
prowler openstack --clouds-yaml-cloud ovh-production
```
**Using a custom location:**
```bash
prowler openstack --clouds-yaml-file /path/to/my/clouds.yaml --clouds-yaml-cloud openstack
```
Prowler will authenticate with your OVH OpenStack cloud and begin scanning.
</Tab>
<Tab title="Generic Public Cloud">
### Step 1: Create an OpenStack User with Reader Role
Before using Prowler, create a dedicated user in your OpenStack public cloud account. The exact steps vary by provider (Infomaniak, Vexxhost, Fuga Cloud, etc.), but the general process is:
1. Log into your provider's control panel or management interface
2. Navigate to your OpenStack project or account settings
3. Find the user management section (typically named "Users", "Users & Roles", or "Access Management")
4. Create a new user (e.g., `prowler-audit`)
5. Assign the **Reader** role or equivalent read-only role to the user:
- **Reader**: Standard read-only access to all resources
- **Viewer**: Alternative read-only role (in some deployments)
- Avoid **Member** or **Admin** roles for security auditing
6. Save the credentials (username and password) securely
<Warning>
Avoid using administrator or member roles for security auditing. Reader or Viewer roles provide sufficient access for Prowler while maintaining security best practices.
</Warning>
<Note>
Consult the provider's documentation for specific instructions on creating users and assigning roles. Consider contributing by opening an issue or pull request with instructions for additional providers.
</Note>
### Step 2: Access the Horizon Dashboard
Horizon is the standard OpenStack web interface available across all OpenStack providers:
1. Find the Horizon dashboard link in your provider's control panel
- Look for "OpenStack Dashboard", "Horizon", "Web Console", or similar
2. Access the Horizon URL (typically `https://your-provider-domain/horizon` or similar)
3. Log in with the user credentials created in Step 1
<Note>
The Horizon dashboard interface is standardized across OpenStack providers, though branding and colors may vary. The navigation and functionality remain consistent.
</Note>
### Step 3: Navigate to API Access
Once logged into Horizon:
1. In the left sidebar, click "Project"
2. Navigate to "API Access"
3. You'll see the API Access page with information about your OpenStack endpoints
### Step 4: Download the clouds.yaml File
The `clouds.yaml` file contains all necessary credentials in the correct format for Prowler:
1. On the API Access page, look for the "Download OpenStack RC File" dropdown button
2. Click the dropdown and select "OpenStack clouds.yaml File"
3. The file will be downloaded to your computer
<Note>
The clouds.yaml file contains your password in plain text. Ensure you store it securely with appropriate file permissions (see [Security Best Practices](#security-best-practices) below).
</Note>
### Step 5: Configure clouds.yaml for Prowler
Save the file to the default OpenStack configuration directory:
```bash
# Create the directory if it doesn't exist
mkdir -p ~/.config/openstack
# Move or copy the downloaded clouds.yaml file
mv ~/Downloads/clouds.yaml ~/.config/openstack/clouds.yaml
# Set secure file permissions
chmod 600 ~/.config/openstack/clouds.yaml
```
The downloaded file will look similar to this (values will vary by provider):
```yaml
clouds:
openstack:
auth:
auth_url: https://auth.example-cloud.com:5000/v3
username: user-xxxxxxxxxx
password: your-password-here
project_id: your-project-id
project_name: your-project-name
user_domain_name: Default
project_domain_name: Default
region_name: RegionOne
interface: public
identity_api_version: 3
```
You can customize the cloud name (e.g., change `openstack` to `infomaniak-production`):
```yaml
clouds:
infomaniak-production:
auth:
auth_url: https://api.pub1.infomaniak.cloud/identity/v3
username: user-xxxxxxxxxx
password: your-password-here
project_id: your-project-id
user_domain_name: Default
project_domain_name: Default
region_name: dc3-a
identity_api_version: "3"
```
Alternatively, save the file to a custom location and specify the path when running Prowler:
```bash
# Save the clouds.yaml file to a custom location
mv ~/Downloads/clouds.yaml /path/to/my/clouds.yaml
# Set secure file permissions
chmod 600 /path/to/my/clouds.yaml
```
### Step 6: Run Prowler
Now you can scan your OpenStack infrastructure:
**Using the default location:**
```bash
prowler openstack --clouds-yaml-cloud openstack
```
Or if you customized the cloud name:
```bash
prowler openstack --clouds-yaml-cloud infomaniak-production
```
**Using a custom location:**
```bash
prowler openstack --clouds-yaml-file /path/to/my/clouds.yaml --clouds-yaml-cloud openstack
```
Prowler will authenticate with your OpenStack cloud and begin scanning.
</Tab>
</Tabs>
## Managing Multiple OpenStack Environments
To scan multiple OpenStack projects or providers, add multiple cloud configurations to your `clouds.yaml`:
```yaml
clouds:
ovh-production:
auth:
auth_url: https://auth.cloud.ovh.net/v3
username: user-prod
password: prod-password
project_id: prod-project-id
user_domain_name: Default
project_domain_name: Default
region_name: GRA7
identity_api_version: "3"
ovh-staging:
auth:
auth_url: https://auth.cloud.ovh.net/v3
username: user-staging
password: staging-password
project_id: staging-project-id
user_domain_name: Default
project_domain_name: Default
region_name: SBG5
identity_api_version: "3"
infomaniak-production:
auth:
auth_url: https://api.pub1.infomaniak.cloud/identity/v3
username: infomaniak-user
password: infomaniak-password
project_id: infomaniak-project-id
user_domain_name: Default
project_domain_name: Default
region_name: dc3-a
identity_api_version: "3"
```
Then scan each environment separately:
```bash
prowler openstack --clouds-yaml-cloud ovh-production --output-directory ./reports/ovh-prod/
prowler openstack --clouds-yaml-cloud ovh-staging --output-directory ./reports/ovh-staging/
prowler openstack --clouds-yaml-cloud infomaniak-production --output-directory ./reports/infomaniak/
```
## Creating a User With Reader Role
For security auditing, Prowler only needs **read-only access** to your OpenStack resources.
### Understanding OpenStack Roles
OpenStack uses a role-based access control (RBAC) system. Common read-only roles include:
| Role | Access Level | Recommended for Prowler |
|------|--------------|------------------------|
| **Reader** | Read-only access to all resources | ✅ **Recommended** |
| **Viewer** | Read-only access (older deployments) | ✅ **Recommended** |
| **Compute/Network/ObjectStore Operator** | Service-specific read-only access | ✅ **Recommended** (OVH) |
| **Member** | Read and limited write access | ⚠️ Too permissive |
| **Admin** | Full administrative access | ❌ **Not recommended** |
<Warning>
Avoid using administrator or member roles for security auditing. Reader or Viewer roles provide sufficient access for Prowler while maintaining security best practices.
</Warning>
### How to Assign the Reader Role
The process for creating a user with the Reader role is covered in the [Quick Start](#quick-start-getting-your-openstack-credentials) section above. Select your provider's tab (OVH or Generic Public Cloud) for detailed instructions.
### Verifying Read-Only Access
After assigning read-only roles, verify the user cannot make changes:
1. Log into Horizon with the Prowler user credentials
2. Attempt to create or modify a resource (e.g., create an instance)
3. The action should be denied or the UI should show read-only mode
<Note>
Some OpenStack deployments may use custom role names. Consult your OpenStack administrator to identify the appropriate read-only role for your environment.
</Note>
## Alternative Authentication Methods
While `clouds.yaml` is the recommended method, Prowler also supports these alternatives:
### Environment Variables
Set OpenStack credentials as environment variables:
```bash
export OS_AUTH_URL="https://openstack.example.com:5000/v3"
export OS_USERNAME="prowler-audit"
export OS_PASSWORD="your-secure-password"
export OS_PROJECT_ID="your-project-id"
export OS_REGION_NAME="RegionOne"
export OS_IDENTITY_API_VERSION="3"
export OS_USER_DOMAIN_NAME="Default"
export OS_PROJECT_DOMAIN_NAME="Default"
```
Then run Prowler:
```bash
prowler openstack
```
### Command-Line Arguments (Flags)
Pass credentials directly via CLI flags:
```bash
prowler openstack \
--os-auth-url https://openstack.example.com:5000/v3 \
--os-username prowler-audit \
--os-password your-secure-password \
--os-project-id your-project-id \
--os-user-domain-name Default \
--os-project-domain-name Default \
--os-identity-api-version 3
```
<Warning>
Avoid passing passwords via command-line arguments in production environments. Commands may appear in shell history, process listings, or logs. Use `clouds.yaml` or environment variables instead.
</Warning>
## Authentication Priority
When multiple authentication methods are configured, Prowler uses this priority order:
1. **clouds.yaml** (if `--clouds-yaml-file` or `--clouds-yaml-cloud` is provided)
2. **Command-line arguments + Environment variables** (CLI arguments override environment variables)
## Security Best Practices
### File Permissions
Protect your `clouds.yaml` file from unauthorized access:
```bash
# Set read/write for owner only
chmod 600 ~/.config/openstack/clouds.yaml
# Verify permissions
ls -la ~/.config/openstack/clouds.yaml
# Should show: -rw------- (600)
```
### Credential Management
- **Use dedicated audit users**: Create separate OpenStack users specifically for Prowler audits
- **Use read-only roles**: Assign only Reader or Viewer roles to limit access
- **Rotate credentials regularly**: Change passwords and regenerate credentials periodically
- **Use Application Credentials**: For advanced setups, use OpenStack Application Credentials with scoped permissions and expiration dates
- **Avoid hardcoding passwords**: Never commit `clouds.yaml` files with passwords to version control
- **Use secrets managers**: For production environments, consider using tools like HashiCorp Vault or AWS Secrets Manager to store credentials
### Network Security
- **Use HTTPS**: Always connect to OpenStack endpoints via HTTPS
- **Verify SSL certificates**: Avoid using `--insecure` flag in production
- **Restrict network access**: Use firewall rules to limit access to OpenStack APIs
- **Use VPN or private networks**: When possible, run Prowler from within your private network
## Troubleshooting
### "Missing mandatory OpenStack environment variables" Error
This error occurs when required credentials are not configured:
```bash
# Check current environment variables
env | grep OS_
# Verify clouds.yaml exists and is readable
cat ~/.config/openstack/clouds.yaml
```
**Solution**: Ensure all required credentials are configured using one of the authentication methods above.
### "Failed to create OpenStack connection" Error
This error indicates authentication failure. Verify:
- ✅ Auth URL is correct and accessible: `curl -k https://auth-url/v3`
- ✅ Username and password are correct
- ✅ Project ID exists and you have access
- ✅ Network connectivity to the OpenStack endpoint
- ✅ SSL/TLS certificates are valid
**Solution**: Test authentication using the OpenStack CLI:
```bash
openstack --os-cloud openstack server list
```
If this fails, your credentials or network connectivity need attention.
### "Cloud 'name' not found in clouds.yaml" Error
This error occurs when the specified cloud name doesn't exist in `clouds.yaml`:
**Solution**:
- Verify the cloud name matches exactly (case-sensitive)
- Check your `clouds.yaml` file for the correct cloud name:
```bash
cat ~/.config/openstack/clouds.yaml
```
- Ensure proper YAML syntax (use a YAML validator if needed)
### Permission Denied Errors
If specific checks fail due to insufficient permissions:
1. Verify role assignments:
```bash
openstack role assignment list --user prowler-audit --project your-project
```
2. Ensure the user has Reader or Viewer roles
3. Check if specific services require additional permissions (consult your OpenStack administrator)
<Warning>
Using Public Cloud credentials can limit Keystone API access, so the command above may not work. Verify permissions in the provider's control panel instead.
</Warning>
## Next Steps
- [Getting Started with OpenStack](/user-guide/providers/openstack/getting-started-openstack) - Run your first scan
- [Mutelist](/user-guide/cli/tutorials/mutelist) - Suppress known findings and false positives
## Additional Resources
### Provider-Specific Documentation
- **OVH Public Cloud**: [OpenStack Documentation](https://help.ovhcloud.com/csm/en-gb-documentation-public-cloud-cross-functional?id=kb_browse_cat&kb_id=574a8325551974502d4c6e78b7421938&kb_category=32a89dbc81ef5a581e11e4879ea7a52b&spa=1)
### OpenStack References
- [OpenStack Documentation](https://docs.openstack.org/)
- [OpenStack Security Guide](https://docs.openstack.org/security-guide/)
- [clouds.yaml Format](https://docs.openstack.org/python-openstackclient/latest/configuration/index.html)

285
docs/user-guide/providers/openstack/getting-started-openstack.mdx Normal file
View File

@@ -0,0 +1,285 @@
---
title: 'Getting Started With OpenStack'
---
import { VersionBadge } from "/snippets/version-badge.mdx"
<VersionBadge version="5.18.0" />
Prowler for OpenStack allows you to audit your OpenStack cloud infrastructure for security misconfigurations, including compute instances, networking, identity and access management, storage, and more.
<Warning>
Prowler currently supports **public cloud OpenStack providers** (OVH, Infomaniak, Vexxhost, etc.). Support for self-deployed OpenStack environments is not yet available, if you are interested in this feature, please [open an issue](https://github.com/prowler-cloud/prowler/issues/new) or [contact us](https://prowler.com/contact).
</Warning>
## Prerequisites
Before running Prowler with the OpenStack provider, ensure you have:
1. An OpenStack public cloud account with at least one project
2. Access to the Horizon dashboard or provider control panel
3. An OpenStack user with the **Reader** role assigned to your project (see detailed instructions in the [Authentication guide](/user-guide/providers/openstack/authentication#creating-a-user-with-reader-role))
4. Access to Prowler CLI (see [Installation](/getting-started/installation/prowler-cli)) or an account created in [Prowler Cloud](https://cloud.prowler.com)
<CardGroup cols={2}>
<Card title="Prowler CLI" icon="terminal" href="#prowler-cli">
Run OpenStack security audits with Prowler CLI
</Card>
<Card title="Authentication Methods" icon="key" href="/user-guide/providers/openstack/authentication">
Learn about OpenStack authentication options
</Card>
</CardGroup>
## Prowler CLI
### Step 1: Set Up Authentication
Download the `clouds.yaml` file from your OpenStack provider (see [Authentication guide](/user-guide/providers/openstack/authentication) for detailed instructions) and save it to `~/.config/openstack/clouds.yaml`:
```bash
# Create the directory
mkdir -p ~/.config/openstack
# Move the downloaded file
mv ~/Downloads/clouds.yaml ~/.config/openstack/clouds.yaml
# Set secure permissions
chmod 600 ~/.config/openstack/clouds.yaml
```
Prowler supports multiple authentication methods:
**Option 1: Using clouds.yaml (Recommended)**
```bash
# Default location (~/.config/openstack/clouds.yaml)
prowler openstack --clouds-yaml-cloud openstack
# Custom location
prowler openstack --clouds-yaml-file /path/to/clouds.yaml --clouds-yaml-cloud openstack
```
**Option 2: Using Environment Variables**
```bash
export OS_AUTH_URL=https://auth.example.com:5000/v3
export OS_USERNAME=user-xxxxxxxxxx
export OS_PASSWORD=your-password
export OS_PROJECT_ID=your-project-id
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_IDENTITY_API_VERSION=3
prowler openstack
```
**Option 3: Using Flags (CLI Arguments)**
```bash
prowler openstack \
--os-auth-url https://auth.example.com:5000/v3 \
--os-username user-xxxxxxxxxx \
--os-password your-password \
--os-project-id your-project-id \
--os-user-domain-name Default \
--os-project-domain-name Default \
--os-identity-api-version 3
```
<Note>
For detailed step-by-step instructions with screenshots, see the [OpenStack Authentication guide](/user-guide/providers/openstack/authentication).
</Note>
### Step 2: Run Your First Scan
Run a baseline scan of your OpenStack cloud:
```bash
prowler openstack --clouds-yaml-cloud openstack
```
Replace `openstack` with your cloud name if you customized it in the `clouds.yaml` file (e.g., `ovh-production`).
Prowler will automatically discover and audit all supported OpenStack services in your project.
**Scan a specific OpenStack service:**
```bash
# Audit only compute (Nova) resources
prowler openstack --services compute
# Audit only networking (Neutron) resources
prowler openstack --services network
# Audit only identity (Keystone) resources
prowler openstack --services identity
```
**Run specific security checks:**
```bash
# Execute specific checks by name
prowler openstack --checks compute_instance_public_ip_associated
# List all available checks
prowler openstack --list-checks
```
**Filter by check severity:**
```bash
# Run only high or critical severity checks
prowler openstack --severity critical high
```
**Generate specific output formats:**
```bash
# JSON only
prowler openstack --output-modes json
# CSV and HTML
prowler openstack --output-modes csv html
# All formats
prowler openstack --output-modes csv json html json-asff
# Custom output directory
prowler openstack --output-directory /path/to/reports/
```
**Scan multiple OpenStack clouds:**
Configure `clouds.yaml` with multiple cloud configurations:
```yaml
clouds:
production:
auth:
auth_url: https://prod.example.com:5000/v3
username: prod-user
password: prod-password
project_id: prod-project-id
region_name: RegionOne
identity_api_version: "3"
staging:
auth:
auth_url: https://staging.example.com:5000/v3
username: staging-user
password: staging-password
project_id: staging-project-id
region_name: RegionOne
identity_api_version: "3"
```
Run audits against each environment:
```bash
prowler openstack --clouds-yaml-cloud production --output-directory ./reports/production/
prowler openstack --clouds-yaml-cloud staging --output-directory ./reports/staging/
```
**Use mutelist to suppress findings:**
Create a mutelist file to suppress known findings:
```yaml
# mutelist.yaml
Mutelist:
Accounts:
"*":
Checks:
compute_instance_public_ip_associated:
Resources:
- "instance-id-1"
- "instance-id-2"
Reason: "Public IPs required for web servers"
```
Run with mutelist:
```bash
prowler openstack --mutelist-file mutelist.yaml
```
### Step 3: Review the Results
Prowler outputs findings to the console and generates reports in multiple formats.
By default, Prowler generates reports in the `output/` directory:
- CSV format: `output/prowler-output-{timestamp}.csv`
- JSON format: `output/prowler-output-{timestamp}.json`
- HTML dashboard: `output/prowler-output-{timestamp}.html`
## Supported OpenStack Services
Prowler currently supports security checks for the following OpenStack services:
| Common Name | OpenStack Service | Description | Example Checks |
|-------------|-------------------|-------------|----------------|
| **Compute** | Nova | Virtual machine instances | Public IP associations, security group usage |
| **Networking** | Neutron | Virtual networks and security | Security group rules, network isolation |
| **Identity** | Keystone | Authentication and authorization | Password policies, MFA configuration |
| **Image** | Glance | Virtual machine images | Image visibility, image encryption |
| **Block Storage** | Cinder | Persistent block storage | Volume encryption, backup policies |
| **Object Storage** | Swift | Object storage service | Container ACLs, public access |
<Note>
Support for additional OpenStack services will be added in future releases. Check the [release notes](https://github.com/prowler-cloud/prowler/releases) for updates.
</Note>
## Troubleshooting
### Authentication Errors
If encountering authentication errors:
1. Verify credentials are correct:
```bash
# Test OpenStack CLI with the same credentials
openstack --os-cloud openstack server list
```
2. Check network connectivity to the authentication endpoint:
```bash
curl https://openstack.example.com:5000/v3
```
3. Verify the Identity API version is v3:
```bash
echo $OS_IDENTITY_API_VERSION
# Should output: 3
```
For detailed troubleshooting, see the [Authentication guide](/user-guide/providers/openstack/authentication#troubleshooting).
### Permission Errors
If checks are failing due to insufficient permissions:
- Ensure your OpenStack user has the **Reader** role assigned to the project
- Check role assignments in your provider's control panel or Horizon dashboard
- Verify that your user has access to all required services (Compute, Networking, Identity, etc.)
- Contact your OpenStack provider support if you need additional permissions
### Keystone/Identity Service Limitations
<Warning>
Public cloud OpenStack providers (OVH, Infomaniak, Vexxhost, etc.) typically **do not expose** the Keystone/Identity service API to customers for security reasons. This means that Identity-related security checks may not be available or may return limited information.
This is expected behavior, not an error. This limitation explains why those checks are not currently available in Prowler.
</Warning>
If you see errors related to the Identity service:
- This is expected behavior for public cloud providers
- Identity-related checks will be added for self-deployed OpenStack environments in future releases
- Focus on other available services (Compute, Networking, Storage, etc.)
## OpenStack Additional Resources
- **Supported OpenStack versions**: Stein (2019.1) and later
- **Minimum Identity API version**: v3
- **Tested providers**: OVH Public Cloud, OpenStack-Ansible, DevStack
- **Cloud compatibility**: Fully compatible with standard OpenStack APIs

BIN
docs/user-guide/providers/openstack/images/api-access.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

BIN
docs/user-guide/providers/openstack/images/download-yaml.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 90 KiB

BIN
docs/user-guide/providers/openstack/images/horizon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
docs/user-guide/providers/openstack/images/roles.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 75 KiB

BIN
docs/user-guide/providers/openstack/images/users.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 177 KiB

1
prowler/CHANGELOG.md
View File

@@ -14,6 +14,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Cloudflare `--account-id` filter argument [(#9894)](https://github.com/prowler-cloud/prowler/pull/9894)
- `rds_instance_extended_support` check for AWS provider [(#9865)](https://github.com/prowler-cloud/prowler/pull/9865)
- `OpenStack` provider support with Compute service including 1 security check [(#9811)](https://github.com/prowler-cloud/prowler/pull/9811)
- `OpenStack` documentation for the support in the CLI [(#9848)](https://github.com/prowler-cloud/prowler/pull/9848)
### Changed