Eucalyptus does not allow api connection over https
Bug #480783 reported by Nick Barcet
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Eucalyptus | Fix Released | Medium | chris grzegorczyk |
eucalyptus (Ubuntu) | Fix Released | High | Dustin Kirkland |
Bug Description
It seems to be a security issue that Eucalyptus does not allow API connections to happen over an encrypted connection. Currently API calls occur over http on port 8773. As they carry QueryID/SecretKey in the clear, anyone that can sniff the network can gain admin privileges on Eucalyptus.
As a side effect, in order for Landscape to manage a UEC setup, the following ugly workaround needs to be applied https:/
description: updated
Changed in eucalyptus (Ubuntu):
importance: Undecided → High
Changed in eucalyptus (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Dustin Kirkland (kirkland)
Changed in eucalyptus:
status: Fix Committed → Fix Released
A clear issue here is that if Eucalyptus generates its own SSL certificate, the tools accessing it via https won't be able to automatically trust the connection because the cert will be unsigned.
I think a good option would be to have http on 8773 and https on another port if the user has specified a simple configuration option to use a legitimate SSL certificate. This would allow for easy setup on purely private clouds, but also not prevent people from slightly exposing their setup to the internet if they wish to use an external control tool such as Landscape or RightScale.