[EDP] Swift credentials passed in plain text
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| Sahara | Fix Released | Critical | Trevor McKay | |
Bug Description
For Sahara, we support job binaries and data sources in Swift. Job binaries are accessed from the Sahara process, and data sources are accessed from Hadoop at job execution time. Username/password credentials are required for Swift access. These credentials might be/are compromised in the following ways:
1) For both job binaries and data sources, objects are created and stored in the Sahara database that contain the path and the associated credentials in plain text. Anyone gaining access to the database can therefore read the username/password credentials stored there with the Swift path.
2) For data sources, the credentials are passed as part of the Hadoop job configuration. Currently all Hadoop jobs are run as Oozie workflows. The Swift username and password values are set in the workflow.xml file, and are visible to anyone that can access the Oozie UI console, use the Oozie command line to retrieve the workflow.xml, or even use hadoop fs to look at the files uploaded for the job (which include the workflow.xml).
We need a way for Sahara and Hadoop to access Swift objects securely, without exposing Swift credentials in workflow.xml or storing them in the database in plain text. In the future we will support mechanisms other than Oozie so this is not just an Oozie issue per se.
For further background, here is the Hadoop patch that allows Hadoop to access Swift paths. It uses a service suffix in the netlocation portion of the URL to match the URL against credential values in the job configuration. Any solution to this issue will require a new patch to Hadoop itself, as well as changes to the Sahara code base.
https:/
It's been suggested within the Sahara team that we can potentially accomplish this with trusts.
Note, this vulnerability isn't really a secret to anyone observant who is familiar with Sahara EDP, but it is probably better not to trumpet it too loudly.
description: updated
tags: added: security
Changed in sahara:
milestone: none → juno-1
milestone: juno-1 → juno-3
Changed in sahara:
importance: High → Critical
Changed in sahara:
milestone: juno-3 → juno-rc1
Changed in sahara:
status: Fix Committed → Fix Released
Changed in sahara:
milestone: juno-rc1 → 2014.2
It sounds like Swift's tempurl feature would work perfectly for this. It's based on a shared secret stored in the Swift account metadata.
http://docs.openstack.org/developer/swift/middleware.html#tempurl
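The tempurl scheme suggested in the comment above, as an added example that is not part of the original bug report or of Sahara's code: a URL signed with the account's shared secret is bound to one method, one object path and an expiry time, so a job configuration could carry it instead of a username and password. The key, path and timestamps are constructed sample values, SHA-256 is an assumed digest (the cluster's tempurl configuration decides which digests are accepted), and `check_temp_url` is a simplified model of the middleware's check.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not taken from the bug report).
ACCOUNT_KEY = b"constructed-temp-url-key"  # value set as X-Account-Meta-Temp-URL-Key
OBJECT_PATH = "/v1/AUTH_demo/edp-input/data.csv"


def sign(key, method, expires, path, digest=hashlib.sha256):
    """HMAC over "METHOD\\nEXPIRES\\nPATH", the string Swift's tempurl signs."""
    body = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, body, digest).hexdigest()


def make_temp_url(key, method, path, ttl, now):
    """Issuer side: build a URL that carries a signature instead of credentials."""
    expires = int(now) + ttl
    sig = sign(key, method, expires, path)
    return f"{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def check_temp_url(key, method, url, now):
    """Simplified model of the server check: reject expired or altered requests."""
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        expires = int(params["temp_url_expires"])
        sig = params["temp_url_sig"]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    if now >= expires:
        return False  # URL has expired
    expected = sign(key, method, expires, path)
    # Constant-time comparison avoids leaking how much of the signature matched.
    return hmac.compare_digest(expected.encode(), sig.encode())


if __name__ == "__main__":
    issued_at = 1_400_000_000  # constructed timestamp
    url = make_temp_url(ACCOUNT_KEY, "GET", OBJECT_PATH, ttl=3600, now=issued_at)
    print(url)
    print("GET within TTL:  ", check_temp_url(ACCOUNT_KEY, "GET", url, issued_at + 10))
    print("PUT with GET URL:", check_temp_url(ACCOUNT_KEY, "PUT", url, issued_at + 10))
    print("GET after expiry:", check_temp_url(ACCOUNT_KEY, "GET", url, issued_at + 3601))
```

The signed URL is still a bearer token until it expires, so anything that exposes workflow.xml exposes read access to that one object for the TTL rather than the account credentials.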