[nova-volume][tgtd] Implement authentication to targets
Bug #1025667 reported by David Naori
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Invalid | Wishlist | Unassigned | |
Bug Description
[nova-volumes]
Currently anyone who is not blocked by iptables (and nova does not implement any related rules by default) can log in to targets and get full access to the nova-volumes.
CHAP authentication can be used to prevent this.
description: updated
Changed in nova:
importance: Undecided → Critical
security vulnerability: yes → no
visibility: private → public
Changed in nova:
importance: Undecided → Wishlist
status: Incomplete → Confirmed
tags: added: security
summary:
- [nova-volume][tgtd][security] Anyone can login to targets
+ [nova-volume][tgtd] Implement authentication to targets
After looking at this and talking to David Naori, I don't think we need to treat this as a security vulnerability. I think the problem would be a deployment vulnerability as opposed to a code vulnerability. CHAP support would be a very good security hardening enhancement to make, though. There is a blueprint for it, so it's at least on the radar:
https://blueprints.launchpad.net/cinder/+spec/iscsi-chap
There may be some things we can do in documentation to make sure people know that they should make sure that VM guests are not able to directly access volume nodes.
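An added example, not part of the bug report or its comments and not nova or tgt code: a small Python audit of tgt target definitions (the `targets.conf` syntax) that flags targets with no CHAP account (`incominguser`) or no initiator restriction (`initiator-address`). The sample configuration, IQNs and credentials are constructed, and treating a missing `initiator-address` as open to all initiators is an assumption about the deployment's defaults.

```python
import re

# Constructed sample in tgt's targets.conf syntax (IQNs, paths, secrets are made up).
SAMPLE_CONF = """\
<target iqn.2010-10.org.openstack:volume-00000001>
    backing-store /dev/nova-volumes/volume-00000001
</target>
<target iqn.2010-10.org.openstack:volume-00000002>
    backing-store /dev/nova-volumes/volume-00000002
    incominguser example-user example-secret-123   # CHAP account
    initiator-address 192.0.2.10
</target>
# <target iqn.2010-10.org.openstack:commented-out>
<target iqn.2010-10.org.openstack:volume-00000003>
    backing-store /dev/nova-volumes/volume-00000003
    initiator-address 192.0.2.11
</target>
"""

TARGET_RE = re.compile(r"<target\s+(\S+)>(.*?)</target>", re.S)


def audit_targets(conf_text):
    """Return {iqn: [findings]} for targets lacking CHAP or an initiator ACL."""
    # Strip comments first so a commented-out directive is not counted.
    text = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    report = {}
    for iqn, body in TARGET_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            parts = line.split()
            if parts:
                directives.setdefault(parts[0], []).append(parts[1:])
        findings = []
        if "incominguser" not in directives:
            findings.append("no-chap")  # any initiator that reaches the port can log in
        acl = [args[0] for args in directives.get("initiator-address", []) if args]
        # Assumption: no initiator-address (or ALL) means every initiator is accepted.
        if not acl or "ALL" in acl:
            findings.append("open-acl")
        if findings:
            report[iqn] = findings
    return report


if __name__ == "__main__":
    for iqn, findings in audit_targets(SAMPLE_CONF).items():
        print(iqn, ",".join(findings))
```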