Juju should only give security warnings on bootstrap
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pyjuju |
Triaged
|
Low
|
Unassigned |
Bug Description
Juju has several warnings to tell users that the situation they're deploying in has the ability to be attacked. One of those is if you're using http URLs in an ec2 provider. The warnings are like this:
2012-06-12 23:47:06,123 WARNING EC2 API calls not using secure transport
2012-06-12 23:47:06,123 WARNING S3 API calls not using secure transport
These warnings, while informative, come way too often. For instance, when deploying you can get them up to eight times. This isn't useful information as the user rarely has control over these URLs, but should know the situation that they're in at some point. I think that point is during bootstrap. When creating the boot strap Juju should warn about the insecure environment, and beyond that should assume the user has been told about their setup.
Changed in juju: | |
status: | Confirmed → Triaged |
Changed in juju: | |
importance: | Medium → Low |
Hi Ted, thanks for opening this.
Bootstrap isn't quite strong enough. In a real world example, bootstrap may happen once, and then many admins will come along afterward and can *change* the environment URLs in their own copy of environments.yaml.
I think the right thing to do is to provide an option to suppress these warnings per-environment.
we have ssl-hostname- verification: (bool) already. Lets add 'ignore- insecure- transport: (bool)'. We can default it to false, and then change the message to something like this:
2012-06-12 23:47:06,123 WARNING EC2 API calls not using secure transport (ignore- insecure- transport= False)
Sound good?