OpenStack Identity (keystone)

Keystone Essex does not support TLS over HTTPS

Bug #980864 reported by Chris Hoge on 2012-04-13

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Wishlist	Unassigned	OpenStack Identity (keystone) 2012.2 "folsom"

Bug Description

The most recent stable release of Keystone does not support TLS security over HTTPS. This functionality was available in the Diablo release, but was removed in Essex.

TLS should be enabled by default. Credentials should never be sent to an authentication server as plain text. If OpenStack APIs are made publicly available, the Keystone server must also be on a public interface to be accessible to the Nova, Glance, and Swift client tools. This is a major security vulnerability that impacts all production deployments.

Tags:

Chris Hoge (hoge) on 2012-04-13

visibility:

private → public

Revision history for this message

Adam Young (ayoung) wrote on 2012-04-13:

Steps to run Keystone over HTTPS by running it in Apache HTTPD are posted here:

http://adam.younglogic.com/2012/04/keystone-httpd/

It is possible to set up Apache HTTPD such that admin listens on port 35757 and main is on 5000 by specifying additional virtual host directives for each port.

Revision history for this message

Thierry Carrez (ttx) wrote on 2012-04-14:

And it's also possible to run keystone behind an SSL proxy.

security vulnerability:

yes → no

Revision history for this message

Robert Clark (robert-clark) wrote on 2012-04-16:

There's a whole bunch of stuff in OpenStack that currently doesn't implement SSL correctly or incurs significant cost when in use. Generally speaking, we (HP) have had a lot of success using Pound for SSL termination in front of services where we have a clear Confidentiality or Integrity requirement.

That said, I agree that Keystone should be secure by default, with the option for this to be disabled or changed by whoever administers the deployment.

Dolph Mathews (dolph) on 2012-04-23

Changed in keystone:
status:	New → Confirmed
importance:	Undecided → Wishlist

Revision history for this message

Alan Pevec (apevec) wrote on 2012-06-26:

This is fixed on master https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902
but as a new feature isn't appropriate for stable/essex (see http://wiki.openstack.org/StableBranch#Appropriate_Fixes )
Alternative for stable/essex deployments is to use SSL termination in front of services as suggested in previous comments.

Alan Pevec (apevec) on 2012-06-26

tags:

removed: essex

Thierry Carrez (ttx) on 2012-06-26

Changed in keystone:
status:	Confirmed → Fix Committed

Thierry Carrez (ttx) on 2012-07-04

Changed in keystone:
milestone:	none → folsom-2
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2012-09-27

Changed in keystone:
milestone:	folsom-2 → 2012.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.