It is possible to affect OpenStack infrastructure from any Murano instance.

Bug #1230574 reported by Timur Nurlygayanov
Affects: Murano
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Today we had a discussion of a part of the Murano architecture with Mike Scherbakov. He pointed out that we have a serious security issue in our infrastructure - RabbitMQ clients from tenants' instances have access to the OpenStack RabbitMQ server. This means that it is possible to brute-force a password for the RabbitMQ server from ANY instance, and to affect the entire OpenStack installation.

To move the problem from "affecting entire OpenStack" to "affecting Murano only" it is required to limit the ability to access a RabbitMQ server from instances. The preferred way to do it for now is to install a separate RabbitMQ server which will be accessible from Murano components only (api, conductor, agent).

The second part of the problem is that it won't be possible to access the management network (where the separate RabbitMQ could be located) from instances. So it is required to limit the access from instances to the OpenStack management network. One possible way to do this is to provide a metadata-service-like way to access RabbitMQ. This means that we point the Murano Agent to the 169.254.169.254:5672 endpoint, which will be redirected to the Murano RabbitMQ by Quantum/Neutron rules or some other means.

-----

However, this is not enough. There is still a chance to brute-force a password for the "Murano RabbitMQ" and to affect Murano instances from other tenants. This concern is "affecting Murano only", so another bug should be created for it.
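
The report above asks for two things at the network layer: tenant instances must not reach the management network where RabbitMQ listens, while the Murano Agent must still reach the metadata-like endpoint 169.254.169.254:5672. The following is an added example, not code from the bug report or from the Murano project, that audits a set of Neutron-style egress rules against exactly those two conditions. The management CIDR 10.0.0.0/24, the rule sets and the `EgressRule` shape are constructed for illustration; a real deployment would feed it rules read from the Neutron API.

```python
"""Audit security-group egress rules for the RabbitMQ exposure described
in Murano bug #1230574.

Constructed example: the management CIDR, the rule model and the sample
rule sets below are assumptions, not values from the bug report.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed OpenStack management network where the RabbitMQ server lives.
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")
AMQP_PORT = 5672
# Endpoint the bug proposes for the Murano Agent (redirected by Neutron).
AGENT_ENDPOINT = (ipaddress.ip_address("169.254.169.254"), AMQP_PORT)


@dataclass(frozen=True)
class EgressRule:
    """Simplified Neutron egress rule. protocol=None means any protocol;
    port_min/port_max=None means any port."""
    protocol: Optional[str]
    port_min: Optional[int]
    port_max: Optional[int]
    remote_cidr: str


def rule_matches_port(rule: EgressRule, port: int) -> bool:
    if rule.port_min is None:
        return True
    return rule.port_min <= port <= rule.port_max


def rule_allows(rule: EgressRule, dst: ipaddress.IPv4Address, port: int,
                proto: str = "tcp") -> bool:
    """True if this single rule permits traffic to dst:port over proto."""
    if rule.protocol not in (None, proto):
        return False
    if not rule_matches_port(rule, port):
        return False
    return dst in ipaddress.ip_network(rule.remote_cidr)


def audit(rules: List[EgressRule]) -> List[str]:
    """Return a list of findings; an empty list means the rule set is
    consistent with the mitigation described in the bug."""
    findings = []
    # 1. No rule may let an instance reach AMQP on the management network.
    for rule in rules:
        net = ipaddress.ip_network(rule.remote_cidr)
        if (net.overlaps(MGMT_NET)
                and rule.protocol in (None, "tcp")
                and rule_matches_port(rule, AMQP_PORT)):
            findings.append(
                f"rule to {rule.remote_cidr} exposes AMQP/{AMQP_PORT} "
                f"on management network {MGMT_NET}")
    # 2. The agent endpoint must remain reachable, or Murano itself breaks.
    if not any(rule_allows(r, *AGENT_ENDPOINT) for r in rules):
        findings.append("agent endpoint 169.254.169.254:5672 not reachable")
    return findings


# Constructed "before": default-style unrestricted egress.
WEAK_RULES = [EgressRule(None, None, None, "0.0.0.0/0")]

# Constructed "after": only the metadata-like AMQP endpoint plus web egress.
HARDENED_RULES = [
    EgressRule("tcp", AMQP_PORT, AMQP_PORT, "169.254.169.254/32"),
    EgressRule("tcp", 80, 443, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules) or "OK")
```

The check is scoped to the AMQP port because that is the vector the report names; a stricter policy would reject any egress rule that overlaps the management CIDR at all, but it would then also need explicit allow-lists for legitimate Internet egress instead of 0.0.0.0/0.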

Changed in murano:
importance: Undecided → Medium
Changed in murano:
milestone: none → 0.3
Changed in murano:
status: New → Fix Committed
status: Fix Committed → Fix Released