Ubuntu

add release note that OpenStack should be used on a protected network

Reported by Jamie Strandboge on 2012-04-11
Affects                    Importance   Assigned to
Release Notes for Ubuntu   Undecided    Unassigned
horizon (Ubuntu)           High         James Page
  Precise                  High         Unassigned
keystone (Ubuntu)          High         James Page
  Precise                  High         Unassigned

Bug Description

Much of OpenStack is hard-coded to use http instead of https. Of particular interest is keystone which is the identity service for OpenStack. https://wiki.ubuntu.com/PrecisePangolin/ReleaseNotes/UbuntuCloud should state that accessing OpenStack over an unprotected network may expose credentials and other information. This is true (at least) when:
* keystone is on a separate server from the other OpenStack components
* horizon (the OpenStack Dashboard) is on a different system than keystone
* users access OpenStack remotely
* users access horizon (the OpenStack dashboard) over http

Adding horizon and keystone tasks.
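An added check, not from this bug report or from the Ubuntu OpenStack packages, that applies the description's point: given endpoint URLs of the kind found in a keystone catalog or in horizon's settings, it reports which ones are plain http and whether each at least sits on a private or loopback address. The endpoint names and URLs below are constructed samples.

```python
# Added example: audit OpenStack endpoint URLs for cleartext (http) transport.
# Not code from the bug report or from the keystone/horizon packages.
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of URLs like those in a keystone endpoint catalog and in
# horizon's settings; the hosts are illustrative, not real deployments.
SAMPLE_ENDPOINTS = {
    "keystone-public": "http://keystone.example.com:5000/v2.0",
    "keystone-admin": "http://192.168.10.5:35357/v2.0",
    "horizon": "http://dashboard.example.com/horizon",
    "nova": "https://192.168.10.6:8774/v2/%(tenant_id)s",
}


def host_is_private(host):
    """True if host is a private or loopback IP address.

    Hostnames cannot be classified without resolution, so they return False
    and are treated as potentially reachable from an unprotected network.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def audit_endpoints(endpoints):
    """Return {name: finding} for every endpoint that is not served over https.

    finding is 'cleartext-on-private-address' when the host is a private or
    loopback IP, otherwise 'cleartext-on-public-address' (public IP or an
    unverifiable hostname). https endpoints produce no finding.
    """
    findings = {}
    for name, url in endpoints.items():
        parts = urlsplit(url)
        if parts.scheme == "https":
            continue
        host = parts.hostname or ""
        if host_is_private(host):
            findings[name] = "cleartext-on-private-address"
        else:
            findings[name] = "cleartext-on-public-address"
    return findings


if __name__ == "__main__":
    for name, finding in sorted(audit_endpoints(SAMPLE_ENDPOINTS).items()):
        print(f"{name}: {finding}")
```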

Changed in keystone (Ubuntu Precise):
status: New → Triaged
Changed in horizon (Ubuntu Precise):
status: New → Triaged
Changed in keystone (Ubuntu Precise):
importance: Undecided → High
milestone: none → ubuntu-12.04
Changed in horizon (Ubuntu Precise):
milestone: none → ubuntu-12.04
importance: Undecided → High
description: updated
Dave Walker (davewalker) wrote :

Release Note Added:

* The default install of OpenStack should be used on a protected network, as many components use http (non-SSL) as a transport and are therefore subject to security concerns. This can be mitigated by post-install customisations.

https://wiki.ubuntu.com/PrecisePangolin/ReleaseNotes/UbuntuServer

Dave Walker (davewalker) wrote :

@dstrand: Please comment if you want further additions.

Changed in ubuntu-release-notes:
status: New → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Keystone cannot be mitigated by post install customizations AFAIK. Horizon can be delivered through standard https.

Andy Whitcroft (apw) on 2012-04-26
Changed in ubuntu-release-notes:
status: Fix Committed → Fix Released
Adrien Cunin (adri2000) wrote :

Why do we keep horizon and keystone tasks?

By the way, I think it's possible to mitigate this issue in Keystone using Apache. See http://adam.younglogic.com/2012/04/keystone-httpd/ to set it up and be able to use https:// for Keystone.

James Page (james-page) on 2012-10-09
Changed in horizon (Ubuntu):
assignee: nobody → James Page (james-page)
Changed in keystone (Ubuntu):
assignee: nobody → James Page (james-page)
Changed in keystone (Ubuntu Precise):
status: Triaged → Fix Released
Changed in horizon (Ubuntu Precise):
status: Triaged → Fix Released
James Page (james-page) wrote :

Keystone and Horizon are the default external access routes to OpenStack.

The default package configuration still uses http.

Added to quantal release notes.

Changed in keystone (Ubuntu):
status: Triaged → Fix Released
Changed in horizon (Ubuntu):
status: Triaged → Fix Released