add release note that OpenStack should be used on a protected network

Bug #978963 reported by Jamie Strandboge
Affects                   Status         Importance   Assigned to   Milestone
Release Notes for Ubuntu  Fix Released   Undecided    Unassigned
horizon (Ubuntu)          Fix Released   High         James Page
  Precise                 Fix Released   High         Unassigned
keystone (Ubuntu)         Fix Released   High         James Page
  Precise                 Fix Released   High         Unassigned

Bug Description

Much of OpenStack is hard-coded to use http instead of https. Of particular interest is keystone which is the identity service for OpenStack. https://wiki.ubuntu.com/PrecisePangolin/ReleaseNotes/UbuntuCloud should state that accessing OpenStack over an unprotected network may expose credentials and other information. This is true (at least) when:
* keystone is on a separate server from the other OpenStack components
* horizon (the OpenStack Dashboard) is on a different system than keystone
* users access OpenStack remotely
* users access horizon (the OpenStack dashboard) over http

Adding horizon and keystone tasks.

Changed in keystone (Ubuntu Precise):
status: New → Triaged
Changed in horizon (Ubuntu Precise):
status: New → Triaged
Changed in keystone (Ubuntu Precise):
importance: Undecided → High
milestone: none → ubuntu-12.04
Changed in horizon (Ubuntu Precise):
milestone: none → ubuntu-12.04
importance: Undecided → High
description: updated
Dave Walker (davewalker) wrote :

Release Note Added:

* The default install of OpenStack should be used on a protected network, as many components use http (non-SSL) as a transport and are therefore subject to security concerns. This can be mitigated by post install customisations.

https://wiki.ubuntu.com/PrecisePangolin/ReleaseNotes/UbuntuServer

Dave Walker (davewalker) wrote :

@dstrand: Please comment if you want further additions.

Changed in ubuntu-release-notes:
status: New → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Keystone cannot be mitigated by post install customizations AFAIK. Horizon can be delivered through standard https.

Andy Whitcroft (apw)
Changed in ubuntu-release-notes:
status: Fix Committed → Fix Released
Adrien Cunin (adri2000) wrote :

Why do we keep horizon and keystone tasks?

By the way, I think it's possible to mitigate this issue in Keystone using Apache. See http://adam.younglogic.com/2012/04/keystone-httpd/ to set it up and be able to use https:// for Keystone.

James Page (james-page)
Changed in horizon (Ubuntu):
assignee: nobody → James Page (james-page)
Changed in keystone (Ubuntu):
assignee: nobody → James Page (james-page)
Changed in keystone (Ubuntu Precise):
status: Triaged → Fix Released
Changed in horizon (Ubuntu Precise):
status: Triaged → Fix Released
James Page (james-page) wrote :

Keystone and Horizon are the default external access routes to OpenStack.

The default package configuration still uses http.

Added to quantal release notes.

Changed in keystone (Ubuntu):
status: Triaged → Fix Released
Changed in horizon (Ubuntu):
status: Triaged → Fix Released
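A defender-side check for the default-http issue discussed in the comments above, added here as an example and not code from this bug, the Ubuntu packages or the Keystone project: it parses a constructed catalog in the format of Keystone's template catalog (`catalog.<region>.<service>.<key> = <url>`) and reports every endpoint URL that is not served over https, so an operator can see which endpoints a post-install hardening (such as fronting Keystone with Apache, as suggested above) still has to cover. The sample catalog and its addresses are constructed for the example.

```python
"""Audit a Keystone template catalog for endpoints served over plain http."""
import re
from urllib.parse import urlparse

# Constructed sample in the format of Keystone's template catalog
# (catalog.<region>.<service>.<key> = <url>); not the page's own file.
SAMPLE_CATALOG = """
catalog.RegionOne.identity.publicURL = http://10.0.0.5:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://10.0.0.5:$(admin_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://10.0.0.5:$(public_port)s/v2.0
catalog.RegionOne.identity.name = Identity Service

catalog.RegionOne.compute.publicURL = https://nova.example.test:8774/v1.1/$(tenant_id)s
catalog.RegionOne.compute.adminURL = http://10.0.0.6:8774/v1.1/$(tenant_id)s
catalog.RegionOne.compute.name = Compute Service
"""

LINE_RE = re.compile(
    r"^catalog\.(?P<region>[^.]+)\.(?P<service>[^.]+)\.(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$"
)


def parse_catalog(text):
    """Return (region, service, key, value) tuples; blank and comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((m["region"], m["service"], m["key"], m["value"]))
    return entries


def find_plaintext_endpoints(text):
    """Return (region, service, key, url) for every *URL entry whose scheme is not https.

    Keystone substitutes $(var)s placeholders at runtime; they sit in the netloc/path,
    so urlparse still recovers the scheme unchanged.
    """
    findings = []
    for region, service, key, value in parse_catalog(text):
        if not key.endswith("URL"):
            continue  # names and other non-endpoint keys are not transport-relevant
        if urlparse(value).scheme.lower() != "https":
            findings.append((region, service, key, value))
    return findings


if __name__ == "__main__":
    for region, service, key, url in find_plaintext_endpoints(SAMPLE_CATALOG):
        print(f"plaintext endpoint: {region}/{service}/{key} -> {url}")
```

Running it against a real `/etc/keystone/default_catalog.templates` (path as shipped by the packages of that era; check your install) lists the endpoints that credentials and tokens would traverse unencrypted on an unprotected network.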