Kibana to Elasticsearch TLS communication is unverified by default

Bug #1885110 reported by Mark Goddard
Affects        Status         Importance  Assigned to        Milestone
kolla-ansible  Fix Released   Medium      Mark Goddard
Train          Fix Committed  Medium      Radosław Piliszek
Ussuri         Fix Committed  Medium      Radosław Piliszek
Victoria       Fix Released   Medium      Mark Goddard

Bug Description

Currently, if internal TLS communication is enabled, Kibana to Elasticsearch communication is unverified. This is because we set elasticsearch.ssl.verificationMode to 'none' by default (via kibana_elasticsearch_ssl_verify). This is a poor security posture.

Mark Goddard (mgoddard)
Changed in kolla-ansible:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/737938

Changed in kolla-ansible:
assignee: nobody → Mark Goddard (mgoddard)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/737938
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=e91fd969ace4c83cd461378419dd6aa96399edc2
Submitter: Zuul
Branch: master

commit e91fd969ace4c83cd461378419dd6aa96399edc2
Author: Mark Goddard <email address hidden>
Date: Fri Jun 19 12:56:54 2020 +0000

    Verify TLS by default for Kibana to Elasticsearch

    Currently, if internal TLS communication is enabled, Kibana to
    Elasticsearch communication is unverified. This is because we set
    elasticsearch.ssl.verificationMode to 'none' by default (via
    kibana_elasticsearch_ssl_verify). This is a poor security
    posture.

    This change changes the default value of
    'kibana_elasticsearch_ssl_verify' to 'true'.

    Change-Id: Ie4fa8e3a60d69cf5c4bdd975030c92be8113ffb1
    Closes-Bug: #1885110

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/738306

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/738307

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/738307
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=aa2d2b53452a614a5d3f08c3c66009f0c2a226a0
Submitter: Zuul
Branch: stable/train

commit aa2d2b53452a614a5d3f08c3c66009f0c2a226a0
Author: Mark Goddard <email address hidden>
Date: Fri Jun 19 12:56:54 2020 +0000

    Verify TLS by default for Kibana to Elasticsearch

    Currently, if internal TLS communication is enabled, Kibana to
    Elasticsearch communication is unverified. This is because we set
    elasticsearch.ssl.verificationMode to 'none' by default (via
    kibana_elasticsearch_ssl_verify). This is a poor security
    posture.

    This change changes the default value of
    'kibana_elasticsearch_ssl_verify' to 'true'.

    Change-Id: Ie4fa8e3a60d69cf5c4bdd975030c92be8113ffb1
    Closes-Bug: #1885110
    (cherry picked from commit e91fd969ace4c83cd461378419dd6aa96399edc2)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/738306
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=73b6ccd1f180d39200dd143297dd3909c2b0e119
Submitter: Zuul
Branch: stable/ussuri

commit 73b6ccd1f180d39200dd143297dd3909c2b0e119
Author: Mark Goddard <email address hidden>
Date: Fri Jun 19 12:56:54 2020 +0000

    Verify TLS by default for Kibana to Elasticsearch

    Currently, if internal TLS communication is enabled, Kibana to
    Elasticsearch communication is unverified. This is because we set
    elasticsearch.ssl.verificationMode to 'none' by default (via
    kibana_elasticsearch_ssl_verify). This is a poor security
    posture.

    This change changes the default value of
    'kibana_elasticsearch_ssl_verify' to 'true'.

    Change-Id: Ie4fa8e3a60d69cf5c4bdd975030c92be8113ffb1
    Closes-Bug: #1885110
    (cherry picked from commit e91fd969ace4c83cd461378419dd6aa96399edc2)
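
An added example, not part of the bug report or of kolla-ansible: a small audit of a rendered kibana.yml that classifies how Kibana will treat the Elasticsearch certificate, based on the elasticsearch.ssl.verificationMode setting named in the bug description. It assumes the Elasticsearch endpoint is configured under elasticsearch.hosts; the function names, host name and CA path are constructed for illustration.

```python
import re

def flatten(text):
    """Flatten a simple kibana.yml (dotted or nested keys) into {dotted.key: value}."""
    out, stack = {}, []  # stack: (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comments
        m = re.match(r"^(\s*)([^:#\s-][^:]*):\s*(.*)$", line)
        if not m:
            continue  # blank line, full-line comment, or list item
        indent, key, val = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indent level
        if val:
            out[".".join([k for _, k in stack] + [key])] = val.strip("'\"")
        else:
            stack.append((indent, key))  # key opens a nested mapping
    return out

def audit(text):
    """Classify how Kibana will treat the Elasticsearch server certificate."""
    cfg = flatten(text)
    if "https://" not in cfg.get("elasticsearch.hosts", ""):
        return "plaintext"  # no TLS at all, so nothing to verify
    # Kibana itself defaults to 'full' when the key is absent.
    mode = cfg.get("elasticsearch.ssl.verificationMode", "full").lower()
    return {"none": "unverified",                # any certificate is accepted
            "certificate": "no-hostname-check",  # chain checked, host name is not
            "full": "verified"}.get(mode, "unknown-mode")

# Constructed samples (host name and CA path are placeholders).
BEFORE = """
elasticsearch.hosts: "https://es.internal.example:9200"
elasticsearch.ssl.verificationMode: none
"""
AFTER = """
elasticsearch:
  hosts: "https://es.internal.example:9200"
  ssl:
    verificationMode: full
    certificateAuthorities: /etc/kibana/ca.pem   # trust anchor for the internal CA
"""

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, "->", audit(sample))
```

Run it against the kibana.yml rendered on each host after upgrading; a result of "unverified" means the old default is still in effect, for example through an override of kibana_elasticsearch_ssl_verify.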
