OpenStack Compute (nova)

[nova-volume][tgtd] Implement authentication to targets

Bug #1025667 reported by David Naori
18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Invalid
Wishlist
Unassigned

Bug Description

[nova-volumes][tgtd]

Currently anyone who is not blocked by iptables (and nova does not implement any related rules by default) can login to targets and get full access to the nova-volumes.

CHAP authentication can be used to prevent this.

See original description
Tags: security
David Naori (davidnaori3)
description: updated
Russell Bryant (russellb)
Changed in nova:
importance: Undecided → Critical
Revision history for this message
Russell Bryant (russellb) wrote :

After looking at this and talking to David Naori, I don't think we need to treat this as a security vulnerability. I think the problem would be a deployment vulnerability as opposed to a code vulnerability. CHAP support would be a very good security hardening enhancement to make, though. There is a blueprint for it, so it's at least on the radar:

https://blueprints.launchpad.net/cinder/+spec/iscsi-chap

There may be some things we can do in documentation to make sure people know that they should make sure that VM guests are not able to directly access volume nodes.

Revision history for this message
Thierry Carrez (ttx) wrote :

I'd agree it's probably not a Nova issue, and more a deployment/packaging issue. By default, Nova needs to be deployed in a way that prevents random VMs from accessing volumes. And a welcome strengthening would be that even in case of internal network compromise, the VMs can't access it either (for example, require CHAP auth).

@Vishy: how could we fix this ?

Changed in nova:
status: New → Confirmed
Revision history for this message
Mark McLoughlin (markmc) wrote :

My quick take on irc was that I'm pretty sure tgtd would not be accessible to VMs from their private network. If a cloud operator makes their management network publicly accessible, then this is an issue ... but clearly that's not a sane deployment choice.

However, I had assumed we had at least host/initiator based access control here - the initialize_connection() method supplies the initiator details and we could configure access control from there. That would be a new feature, though, not suitable for backporting because of the regression risk.

Revision history for this message
Vish Ishaya (vishvananda) wrote :

targets are not available to vms unless the deployer puts the volume service on a vm routable network. While, chap should be supported by default, I agree with mark that this is a new feature and doesn't warrant a backport.

Revision history for this message
Thierry Carrez (ttx) wrote :

OK, then I propose we open up this bug to the public, rename it "Support CHAP auth for volume targets", and consider it a "welcome security strengthening feature" rather than an "exploitable vulnerability". Let me know if you see any problem with that.

Changed in nova:
importance: Critical → Undecided
status: Confirmed → Incomplete
Thierry Carrez (ttx)
security vulnerability: yes → no
visibility: private → public
Changed in nova:
importance: Undecided → Wishlist
status: Incomplete → Confirmed
tags: added: security
summary: - [nova-volume][tgtd][security] Anyone can login to targets
+ [nova-volume][tgtd] Implement authentication to targets
Revision history for this message
Kurt Seifried (kseifried) wrote :

Is the need for such IPTables/firewalling documented in the install/setup documentation? Can someone point me to it? This issue may need a CVE depending on various factors. Thanks.

Revision history for this message
Russell Bryant (russellb) wrote :

This code is no longer in nova. It has moved to Cinder. CHAP support was added in Cinder, so we can consider this done now.

Changed in nova:
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.