OpenStack Identity (Keystone)

Keystone Essex does not support TLS over HTTPS

Reported by Chris Hoge on 2012-04-13
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Keystone
Wishlist
Unassigned

Bug Description

The most recent stable release of Keystone does not support TLS security over HTTPS. This functionality was available in the Diablo release, but was removed in Essex.

TLS should be enabled by default. Credentials should never be sent to an authentication server as plain text. If OpenStack APIs are made publicly available, the Keystone server must also be on a public interface to be accessible to the Nova, Glance, and Swift client tools. This is a major security vulnerability that impacts all production deployments.

Chris Hoge (hoge) on 2012-04-13
visibility: private → public
Adam Young (ayoung) wrote :

Steps to run Keystone over HTTPS by running it in Apache HTTPD are posted here:

http://adam.younglogic.com/2012/04/keystone-httpd/

It is possible to set up Apache HTTPD such that admin listens on port 35757 and main is on 5000 by specifying additional virtual host directives for each port.

Thierry Carrez (ttx) wrote :

And it's also possible to run keystone behind an SSL proxy.

security vulnerability: yes → no
Robert Clark (robert-clark) wrote :

There's a whole bunch of stuff in OpenStack that currently doesn't implement SSL correctly or incurs significant cost when in use. Generally speaking, we (HP) have had a lot of success using Pound for SSL termination in front of services where we have a clear Confidentiality or Integrity requirement.

That said, I agree that Keystone should be secure by default, with the option for this to be disabled or changed by whoever administers the deployment.

Dolph Mathews (dolph) on 2012-04-23
Changed in keystone:
status: New → Confirmed
importance: Undecided → Wishlist
Alan Pevec (apevec) wrote :

This is fixed on master https://github.com/openstack/keystone/commit/8de61f8af43563b1d93291c868634810d9e42902
but as a new feature isn't appropriate for stable/essex (see http://wiki.openstack.org/StableBranch#Appropriate_Fixes )
Alternative for stable/essex deployments is to use SSL termination in front of services as suggested in previous comments.

Alan Pevec (apevec) on 2012-06-26
tags: removed: essex
Thierry Carrez (ttx) on 2012-06-26
Changed in keystone:
status: Confirmed → Fix Committed
Thierry Carrez (ttx) on 2012-07-04
Changed in keystone:
milestone: none → folsom-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-09-27
Changed in keystone:
milestone: folsom-2 → 2012.2
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers