It is possible to affect OpenStack infrastructure from any Murano instance.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Murano | Fix Released | Medium | Unassigned |
Bug Description
Today we had a discussion of a part of the Murano architecture with Mike Scherbakov. He pointed out that we have a serious security issue in our infrastructure - RabbitMQ clients from tenant instances have access to the OpenStack RabbitMQ server. This means that it is possible to bruteforce a password for the RabbitMQ server from ANY instance, and to affect the entire OpenStack installation.
To move the problem from "affecting entire OpenStack" to "affecting Murano only" it is required to limit the ability to access a RabbitMQ server from instances. The preferred way to do it for now is to install a separate RabbitMQ server which will be accessible from Murano components only (api, conductor, agent).
The second part of the problem is that it won't be possible to access the management network (where a separate RabbitMQ could be located) from instances. So it is required to limit the access from instances to the OpenStack management network. One possible way to do this is to provide metadata-
-----
However, this is not enough. There is still a chance to bruteforce a password for the "Murano RabbitMQ" and to affect Murano instances from other tenants. This concern is "affecting Murano only", so another bug should be created for it.
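As an added illustration, not part of the bug report or of Murano's own code, a small audit that checks the two mitigations described above: the broker that tenant instances talk to sits outside the management network, and no egress rule lets instances reach AMQP ports on that network. All CIDRs, addresses and rules are constructed sample values, not Murano defaults.

```python
# Added example (not from the original bug report): audit whether tenant
# instances can still reach an AMQP broker on the OpenStack management network.
# CIDRs, ports and rules below are constructed sample values.
import ipaddress

AMQP_PORTS = {5672, 5671}  # plain and TLS AMQP listeners


def broker_in_network(broker_ip, cidr):
    """True if the broker address lies inside the given network."""
    return ipaddress.ip_address(broker_ip) in ipaddress.ip_network(cidr)


def rule_exposes_amqp(rule, instance_cidr, mgmt_cidr):
    """True if one allow rule lets traffic from instance_cidr reach AMQP ports in mgmt_cidr.

    A rule is a dict with src, dst (CIDR strings) and ports (set of ints, or None for any).
    """
    src = ipaddress.ip_network(rule["src"])
    dst = ipaddress.ip_network(rule["dst"])
    inst = ipaddress.ip_network(instance_cidr)
    mgmt = ipaddress.ip_network(mgmt_cidr)
    ports = rule["ports"]
    touches_amqp = ports is None or bool(ports & AMQP_PORTS)
    return src.overlaps(inst) and dst.overlaps(mgmt) and touches_amqp


def audit(instance_cidr, mgmt_cidr, broker_ip, rules):
    """Return a list of findings; an empty list means the isolation holds."""
    findings = []
    if broker_in_network(broker_ip, mgmt_cidr):
        findings.append(f"tenant-facing broker {broker_ip} sits on management net {mgmt_cidr}")
    for i, rule in enumerate(rules):
        if rule_exposes_amqp(rule, instance_cidr, mgmt_cidr):
            findings.append(f"rule {i} allows instances to reach AMQP on the management net")
    return findings


# Constructed scenario matching the report: allow-all egress, shared broker on
# the management network (172.16.0.0/24 here).
INSECURE_RULES = [
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "ports": None},
]
# Hardened layout: a Murano-only broker (192.0.2.10) outside the management
# network, reachable from the instance network only on the AMQP port.
HARDENED_RULES = [
    {"src": "10.0.0.0/24", "dst": "192.0.2.10/32", "ports": {5672}},
    {"src": "10.0.0.0/24", "dst": "0.0.0.0/0", "ports": {80, 443}},
]
```

Running audit("10.0.0.0/24", "172.16.0.0/24", "172.16.0.5", INSECURE_RULES) reports two findings, while the hardened layout with broker 192.0.2.10 reports none.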
Changed in murano:
importance: Undecided → Medium
Changed in murano:
milestone: none → 0.3
Changed in murano:
status: New → Fix Committed
status: Fix Committed → Fix Released