Keystone Essex does not support TLS over HTTPS
Bug #980864 reported by Chris Hoge
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Wishlist | Unassigned | 
Bug Description
The most recent stable release of Keystone does not support TLS security over HTTPS. This functionality was available in the Diablo release, but was removed in Essex.
TLS should be enabled by default. Credentials should never be sent to an authentication server as plain text. If OpenStack APIs are made publicly available, the Keystone server must also be on a public interface to be accessible to the Nova, Glance, and Swift client tools. This is a major security vulnerability that impacts all production deployments.
visibility: | private → public |
Changed in keystone: | |
status: | New → Confirmed |
importance: | Undecided → Wishlist |
tags: | removed: essex |
Changed in keystone: | |
status: | Confirmed → Fix Committed |
Changed in keystone: | |
milestone: | none → folsom-2 |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | folsom-2 → 2012.2 |
Steps to run Keystone over HTTPS by running it in Apache HTTPD are posted here:
http://adam.younglogic.com/2012/04/keystone-httpd/
It is possible to set up Apache HTTPD such that admin listens on port 35757 and main is on 5000 by specifying additional virtual host directives for each port.
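The two-virtual-host layout described in the comment above, written out as an added example (not code from the bug report, the Keystone project, or the linked blog post). It assumes Apache HTTPD 2.4 with mod_ssl and mod_wsgi loaded, the conventional Keystone ports 5000 (main) and 35357 (admin), and placeholder certificate and WSGI script paths that a deployment would replace with its own. The point it shows is that both the public and the admin endpoint terminate TLS, so credentials never cross the wire in plain text:

```apache
# Added example: Keystone main and admin endpoints served by Apache HTTPD,
# each on its own port and each with TLS enabled.
# Assumptions: mod_ssl and mod_wsgi are loaded; ports 5000/35357 are the
# conventional Keystone ports; every path below is a placeholder.
Listen 5000
Listen 35357

# TLS settings shared by both virtual hosts: no SSLv2/SSLv3, server picks
# the cipher, anonymous and MD5-based suites excluded.
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5

# Grant access to the directory holding the placeholder WSGI scripts
# (Apache 2.4 authorization syntax).
<Directory /var/www/keystone>
    Require all granted
</Directory>

# Main (public) endpoint, port 5000, TLS on.
<VirtualHost *:5000>
    ServerName keystone.example.com
    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile /etc/ssl/certs/keystone.crt
    SSLCertificateKeyFile /etc/ssl/private/keystone.key

    WSGIDaemonProcess keystone-main user=keystone group=keystone processes=2 threads=4
    WSGIProcessGroup keystone-main
    # Placeholder WSGI script for the main pipeline.
    WSGIScriptAlias / /var/www/keystone/main

    ErrorLog /var/log/apache2/keystone-main-error.log
    CustomLog /var/log/apache2/keystone-main-access.log combined
</VirtualHost>

# Admin endpoint, port 35357, TLS on as well. A separate daemon process
# keeps the admin pipeline isolated from the public one.
<VirtualHost *:35357>
    ServerName keystone.example.com
    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile /etc/ssl/certs/keystone.crt
    SSLCertificateKeyFile /etc/ssl/private/keystone.key

    WSGIDaemonProcess keystone-admin user=keystone group=keystone processes=2 threads=4
    WSGIProcessGroup keystone-admin
    # Placeholder WSGI script for the admin pipeline.
    WSGIScriptAlias / /var/www/keystone/admin

    ErrorLog /var/log/apache2/keystone-admin-error.log
    CustomLog /var/log/apache2/keystone-admin-access.log combined
</VirtualHost>
```

After reloading Apache, `openssl s_client -connect keystone.example.com:5000` and the same against port 35357 should each complete a TLS handshake and show the server certificate; a plain `curl http://keystone.example.com:5000/` should fail, since nothing is listening without TLS on either port.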