tripleo

Keystone Private Key not securely sent to host

Bug #1401300 reported by Gregory Haynes
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Expired
Undecided
Unassigned

Bug Description

We now use heat + oac to send the keystone ssl key to the keystone host. This is not a secure communication channel and leaves the key permanently stored in bothe the heat database and available via the cfn api.

Gregory Haynes (greghaynes)
Changed in tripleo:
assignee: nobody → Gregory Haynes (greghaynes)
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

11:17 < greghaynes> ok, I can take on assessing it since im pretty familiar with whats going on

Proof he wants this. ;)

Revision history for this message
Gregory Haynes (greghaynes) wrote :

So this is an issue for a couple reasons:

* We appear to be using http (not TLS) to hit the cfn endpoint.
* Anyone who can spoof an IP and has the OS_* credentials can simply request this data (all the nodes that makes up a cloud, basically)

Additionally, were transmitting db passwords using this same mechanism. This means that even if we transmit the keystone key out of band anyone can get they keystone db password and then grab tokens out of the db.

Gregory Haynes (greghaynes)
Changed in tripleo:
assignee: Gregory Haynes (greghaynes) → nobody
Revision history for this message
Gregory Haynes (greghaynes) wrote :

Some new priorities have come up and I wont have time to hash this out. This is still a serious issue, though.

Revision history for this message
Robert Collins (lifeless) wrote :

I don't think is as critical as portrayed... anyone who has the OS_* credentials can just pull the stack details anyway, no IP spoofing needed.

The use of HTTP rather than HTTPS is indeed a concern, though of course the TFTP stage is also attackable.

As far as the details being in heat being a concern: as our source of config, if heat is compromised, it can cause havoc in nearly every fashion.

tl;dr I think the plan of using barbican when its stable is still good, but we don't need to panic.

Revision history for this message
Gregory Haynes (greghaynes) wrote :

If we want to consider all hosts in our cluster at the same priviledge level then thats ok. I would like to think that a compromised compute node would not compromise the entire cluster, but if AIUI its trivial for a compute node to request the CFN data for the whole stack.

Gregory Haynes (greghaynes)
Changed in tripleo:
importance: Critical → High
Revision history for this message
Emilien Macchi (emilienm) wrote : Cleanup EOL bug report

This is an automated cleanup. This bug report has been closed because it
is older than 18 months and there is no open code change to fix this.
After this time it is unlikely that the circumstances which lead to
the observed issue can be reproduced.

If you can reproduce the bug, please:
* reopen the bug report (set to status "New")
* AND add the detailed steps to reproduce the issue (if applicable)
* AND leave a comment "CONFIRMED FOR: <RELEASE_NAME>"
  Only still supported release names are valid (LIBERTY, MITAKA, NEWTON, OCATA, PIKE, PIKE).
  Valid example: CONFIRMED FOR: LIBERTY

Changed in tripleo:
importance: High → Undecided
status: Confirmed → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.