Private TLS keys are stored in astute.yaml and as part of certificate bundle on all nodes when selective SSL is used

Bug #1568037 reported by Andrey Bubyr
This bug affects 1 person
Affects             Status     Importance  Assigned to   Milestone
Fuel for OpenStack  Confirmed  High        Fuel UI Team
6.0.x               Invalid    High        Unassigned
6.1.x               Invalid    High        Unassigned
7.0.x               Invalid    High        Unassigned
8.0.x               Invalid    High        Unassigned
Mitaka              Invalid    High        Unassigned
Newton              Confirmed  High        Fuel UI Team

Bug Description

Selective TLS expects PEM bundles with the certificate chain and private key for each endpoint that should be secured with TLS. Private keys are really needed only on nodes where HAProxy is running. All other nodes should have only the certificate chain to establish the identity of the HAProxy server certs.

The main problem is that by default astute.yaml contains all data, including private keys passed in the 'use_ssl' hash. Some mechanism is needed to selectively adjust astute.yaml, removing private keys from it if the node role is not the role that deploys HAProxy.
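The selective filtering requested in the description above, sketched as an added example (not Fuel or Nailgun code). It works on already-parsed node data and assumes that "controller" is the role deploying HAProxy; the key names under 'use_ssl' and the PEM bodies in the sample are constructed placeholders.

```python
import re

# Matches any PEM private-key block: PKCS#8 ("PRIVATE KEY"), encrypted PKCS#8,
# and the legacy "RSA/EC/DSA PRIVATE KEY" forms. Certificate blocks never match.
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----.*?-----END \1-----\s*",
    re.DOTALL,
)

# Assumption: the roles that deploy HAProxy are supplied by the caller;
# "controller" is only a default chosen for this example.
HAPROXY_ROLES = frozenset({"controller"})


def strip_private_keys(pem_bundle):
    """Return the bundle with every private-key block removed; certificates stay."""
    return PRIVATE_KEY_RE.sub("", pem_bundle)


def redact_for_node(data, node_roles, haproxy_roles=HAPROXY_ROLES):
    """Walk parsed node data and drop private keys unless the node runs HAProxy."""
    if haproxy_roles & set(node_roles):
        return data  # this node terminates TLS and needs the full bundle
    if isinstance(data, dict):
        return {k: redact_for_node(v, node_roles, haproxy_roles)
                for k, v in data.items()}
    if isinstance(data, list):
        return [redact_for_node(v, node_roles, haproxy_roles) for v in data]
    if isinstance(data, str):
        return strip_private_keys(data)
    return data


def has_private_key(data):
    """Audit helper: True if any string in the structure still holds a private key."""
    if isinstance(data, dict):
        return any(has_private_key(v) for v in data.values())
    if isinstance(data, list):
        return any(has_private_key(v) for v in data)
    return isinstance(data, str) and bool(PRIVATE_KEY_RE.search(data))


# Constructed sample: placeholder PEM bodies, hypothetical key names under 'use_ssl'.
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE = {"use_ssl": {"example_endpoint": {"bundle": CERT + KEY}}, "uid": "3"}
```

`has_private_key` can also be run on its own against the data a non-HAProxy node already holds, to confirm that no key material reached it.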

Andrey Bubyr (abubyr)
information type: Public → Public Security
summary: - Private TLS keys are stored in astute.yaml and /var/lib/haproxy on all
- nodes when selective SSL is used
+ Private TLS keys are stored in astute.yaml and as part of certificate
+ bundle on all nodes when selective SSL is used
tags: added: area-python feature-security
Changed in fuel:
importance: Undecided → High
assignee: nobody → Fuel Python Team (fuel-python)
milestone: none → 9.0
Bug Checker Bot (bug-checker) wrote : Autochecker

(This check performed automatically)
Please, make sure that bug description contains the following sections filled in with the appropriate data related to the bug you are describing:

actual result

version

expected result

steps to reproduce

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug

tags: added: need-info
Stanislaw Bogatkin (sbogatkin) wrote :

I believe that it is a bad idea to cut private keys out of astute.yaml by nailgun. There pretty much should be a smarter way - for example:

1. In case of self-signed certs generated by the master node, do not copy keys to nodes w/o haproxy.
2. In case of user certs - do not store them in the nailgun db at all. We must store them on the master node FS in some way and then copy them to the needed nodes as described in clause 1.

So, I believe that it should not be a bug, but a blueprint. Moved to 10.0.

tags: added: need-bp
Dmitry Pyzhov (dpyzhov) wrote :

According to the log this bug is assigned to fuel-ui. I have no idea why it is assigned to 'Registry Administrators' team. Moving it back.

tags: removed: need-info
Adam Heczko (aheczko-mirantis) wrote :

Why is this bug marked as Invalid for Mitaka / MOS 9.0?

This report contains Public Security information  
Everyone can see this security related information.
