OpenStack Compute (nova)

Avoid websocket proxies needing to have matching have config '*_baseurl' configs with compute nodes

Bug #1442048 reported by Nikola Đipanov
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
High
Nikola Đipanov
OpenStack Compute (nova) 2015.1.0 "kilo"

Bug Description

As part of the fix for the related bug - we've added protocol checking
to mitigate MITM attacks, however we base protocol checking on a config
option that is normally only intended for compute hosts.

This is quite user hostile, as it is now important that all nodes
running compute and proxy services have this option in sync.

We can do better than that - we can persist the URL the client is
expected to use, and once we get it back on token validation, we can
make sure that the request is using the intended protocol, mitigating
the MITM injected script attacks.

Nikola Đipanov (ndipanov)
tags: added: kilo-rc-potential
Changed in nova:
status: New → Confirmed
importance: Undecided → High
Revision history for this message
John Garbutt (johngarbutt) wrote :

https://review.openstack.org/#/c/169753

Changed in nova:
assignee: nobody → Nikola Đipanov (ndipanov)
John Garbutt (johngarbutt)
Changed in nova:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/169753
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9621ccaf05900009d67cdadeb1aac27368114a61
Submitter: Jenkins
Branch: master

commit 9621ccaf05900009d67cdadeb1aac27368114a61
Author: Nikola Dipanov <email address hidden>
Date: Wed Apr 1 14:42:00 2015 +0100

    websocketproxy: Make protocol validation use connection_info

    With this change, we avoid the need to have config '*_baseurl' config
    options correctly set up on nodes running console-proxy services, as the
    access_url is now available after token validation.

    UpgradeImpact: Websocket proxies need to be upgraded in a lockstep
    with the API nodes up to this commit (or when upgrading to Kilo),
    as older API nodes will not be sending the access_url when authorizing
    console access, and newer proxy services (this commit and onward) would
    fail to authorize such requests.

    Change-Id: I721bca407bf9d3fb33a3461c04d392284448d4a6
    Closes-bug: #1442048

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → kilo-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: kilo-rc1 → 2015.1.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.