Unauthenticated access to Skydive's UI by default

Bug #1870903 reported by Nick Jones
Affects        Status        Importance  Assigned to   Milestone
kolla-ansible  Fix Released  Medium      Mark Goddard
Stein          Fix Released  Medium      Dincer Celik
Train          Fix Released  Medium      Dincer Celik
Ussuri         Fix Released  Medium      Mark Goddard

Bug Description

Skydive exposes its Web UI externally via port 8085, and, as it is currently configured by K-A, it is deployed without any authentication being necessary to inspect packet flows.

This should be password protected, either via basic HTTP authentication or by using Skydive's support for Keystone auth.

I think in the past this would have been password protected, but recent restructuring of Skydive's configuration file and the various authentication-related settings means that K-A's templated config is ignored, and instead the defaults are used, which leave Skydive open to the world.

Nick Jones (yankcrime)
Changed in kolla-ansible:
status: New → In Progress
assignee: nobody → Nick Jones (yankcrime)
information type: Private Security → Public
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/717596

Changed in kolla-ansible:
importance: Undecided → Medium
Changed in kolla-ansible:
assignee: Nick Jones (yankcrime) → Mark Goddard (mgoddard)
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/717596
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=7e5aa637283b32eaceaf0495794626a1fdeecd82
Submitter: Zuul
Branch: master

commit 7e5aa637283b32eaceaf0495794626a1fdeecd82
Author: Nick Jones <email address hidden>
Date: Sun Apr 5 12:46:20 2020 +0100

    [skydive] fix: Use Keystone backend to authenticate API users

    Update Skydive Analyzer's configuration to use Keystone as its backend
    for authenticating users. Any user with a role in the project defined
    by the variable skydive_admin_tenant_name will be able to access
    Skydive.

    Change-Id: I64c811d5eb72c7406fd52b649fa00edaf2d0c07b
    Closes-Bug: 1870903

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/723132

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/723133

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/stein)

Reviewed: https://review.opendev.org/723133
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=31f09efd16f1db52d8f38074ddbfa7c0b36c40b2
Submitter: Zuul
Branch: stable/stein

commit 31f09efd16f1db52d8f38074ddbfa7c0b36c40b2
Author: Nick Jones <email address hidden>
Date: Sun Apr 5 12:46:20 2020 +0100

    [skydive] fix: Use Keystone backend to authenticate API users

    Update Skydive Analyzer's configuration to use Keystone as its backend
    for authenticating users. Any user with a role in the project defined
    by the variable skydive_admin_tenant_name will be able to access
    Skydive.

    Change-Id: I64c811d5eb72c7406fd52b649fa00edaf2d0c07b
    Closes-Bug: 1870903
    (cherry picked from commit 7e5aa637283b32eaceaf0495794626a1fdeecd82)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/723132
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=44c0115d2183c586b9a5e91f6199eee44b46732e
Submitter: Zuul
Branch: stable/train

commit 44c0115d2183c586b9a5e91f6199eee44b46732e
Author: Nick Jones <email address hidden>
Date: Sun Apr 5 12:46:20 2020 +0100

    [skydive] fix: Use Keystone backend to authenticate API users

    Update Skydive Analyzer's configuration to use Keystone as its backend
    for authenticating users. Any user with a role in the project defined
    by the variable skydive_admin_tenant_name will be able to access
    Skydive.

    Change-Id: I64c811d5eb72c7406fd52b649fa00edaf2d0c07b
    Closes-Bug: 1870903
    (cherry picked from commit 7e5aa637283b32eaceaf0495794626a1fdeecd82)
