Unauthenticated access to Skydive's UI by default
Bug #1870903 reported by Nick Jones
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kolla-ansible | Fix Released | Medium | Mark Goddard |
Stein | Fix Released | Medium | Dincer Celik |
Train | Fix Released | Medium | Dincer Celik |
Ussuri | Fix Released | Medium | Mark Goddard |
Bug Description
Skydive exposes its Web UI externally via port 8085, and currently, as it's configured by K-A, it is deployed without any authentication necessary to inspect packet flows.
This should be password protected, either via basic HTTP authentication or by using Skydive's support for Keystone auth.
I think in the past this would have been password protected, but recent restructuring of Skydive's configuration file and the various authentication related settings means that K-A's templated config is ignored, and instead the defaults are used which leave Skydive open to the world.
Changed in kolla-ansible:
- status: New → In Progress
- assignee: nobody → Nick Jones (yankcrime)
- information type: Private Security → Public

Changed in kolla-ansible:
- importance: Undecided → Medium

Changed in kolla-ansible:
- assignee: Nick Jones (yankcrime) → Mark Goddard (mgoddard)
Fix proposed to branch: master
Review: https://review.opendev.org/717596