<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:951977945;
mso-list-type:hybrid;
mso-list-template-ids:-185040662 952148456 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ascii-font-family:Calibri;
mso-fareast-font-family:Calibri;
mso-hansi-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1
{mso-list-id:1230264492;
mso-list-type:hybrid;
mso-list-template-ids:-80680856 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal" style="margin-left:18.0pt"><span style="color:#1F497D">Hi,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt"><span style="color:#1F497D">I’m responsible for the spec for supporting CIS in the glanceclient, as well as for the comments which caused some fuss, so I would like to clarify some things.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">1)<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">That’s right – the following scenario hasn’t been included in the `Security Impact` section. That’s because there is no real security impact here, and I probably should rephrase the sentence to better match
the current implementation status of the CIS. A user of the CIS API is not able to read/write any data in the cluster other than images and metadefs. He can’t just ask for any resource type stored there and expect results. Here is the
quote from the spec comments:<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="color:#1F497D">“””Right now any access to resources stored outside of the index named `glance` and the document types `image` and `metadef` is forbidden by CIS. The user is only allowed to play with documents which are registered
within CIS.”””<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="color:#1F497D">Additionally, RBAC is implemented, but it has been well described in the original spec, so I won’t repeat it here.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">2)<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D"> </span>“””Would like to also address your concern that the proposed shape of the spec allows the user to upload arbitrary documents to Elasticsearch (ES is the engine used under the hood; we should rather talk
about uploading documents to the CIS service) <b>which</b> are not related to Glance in any way (images & metadefs in the current implementation).””” -
<span style="color:#1F497D">The meaning of this sentence is (or should be) not that storing arbitrary documents in CIS is not an issue for Glance. It is about uploading documents outside of the Glance mission (that’s what I meant by “not related to Glance”), which
is prohibited by CIS.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt"><span style="color:#1F497D">I would like to make it clear once more – CIS doesn’t allow the API consumer to operate on any data except Glance images and metadefinitions. CIS is not just exposing “raw” Elasticsearch
capabilities; it provides strict boundaries - using policy checks, RBAC and namespace protection (index/type in the Elasticsearch world) - on what can be stored within it and what can be retrieved from it.<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><o:p> </o:p></a></p>
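<p class="MsoNormal">The reply above describes three layers in front of the search backend: a namespace allow-list (index/type), policy checks and RBAC. The following is an added illustrative example of how such a front-door check can be structured; it is not the Glance CIS code and not part of either message. Only the index name `glance` and the document types `image` and `metadef` are taken from the thread; the request shape, the role names, the policy table, the `authorize`/`is_authorized` helpers and the sample requests are assumptions made for this example.</p>

```python
"""Namespace allow-listing and role checks in front of a search backend.

Added, illustrative example written for this page; it is not the Glance CIS
implementation. Only the index name `glance` and the document types `image`
and `metadef` come from the thread. The request shape, role names, policy
table and sample requests below are assumptions made for the example.
"""
from dataclasses import dataclass, field

# Namespaces (index, doc_type) the service agrees to touch at all. Matching on
# exact tuples means Elasticsearch's multi-index and wildcard request forms
# ("_all", "glance,keystone", "glan*", "*") are rejected without special cases.
ALLOWED_NAMESPACES = {("glance", "image"), ("glance", "metadef")}

# Assumed policy table: (doc_type, action) -> roles allowed to perform it.
# Searching is open to ordinary members; writing ("index") is admin-only.
POLICY = {
    ("image", "search"): {"admin", "member"},
    ("metadef", "search"): {"admin", "member"},
    ("image", "index"): {"admin"},
    ("metadef", "index"): {"admin"},
}


class Forbidden(Exception):
    """Raised when a request falls outside the allowed namespace or policy."""


@dataclass
class Request:
    index: str
    doc_type: str
    action: str                     # "search" or "index" (document upload)
    roles: frozenset = frozenset()  # roles carried by the caller's token
    body: dict = field(default_factory=dict)


def check_namespace(req: Request) -> None:
    """Reject anything outside the registered index/document types."""
    if (req.index, req.doc_type) not in ALLOWED_NAMESPACES:
        raise Forbidden(f"namespace {req.index}/{req.doc_type} is not exposed")


def check_policy(req: Request) -> None:
    """Reject actions the caller's roles are not allowed to perform."""
    allowed = POLICY.get((req.doc_type, req.action), set())
    if not (req.roles & allowed):
        raise Forbidden(
            f"{req.action} on {req.doc_type} needs one of {sorted(allowed)}")


def authorize(req: Request) -> bool:
    """Return True if the request may reach the backend; raise Forbidden otherwise.

    The namespace check runs first so a caller cannot learn, from the
    wording of a policy error, what exists outside the allowed namespaces.
    """
    check_namespace(req)
    check_policy(req)
    return True


def is_authorized(req: Request) -> bool:
    """Boolean convenience wrapper around authorize()."""
    try:
        return authorize(req)
    except Forbidden:
        return False


# Constructed sample requests (not real traffic).
SAMPLES = {
    "member_search_images": Request("glance", "image", "search", frozenset({"member"})),
    "member_upload_image": Request("glance", "image", "index", frozenset({"member"}), {"name": "x"}),
    "admin_upload_metadef": Request("glance", "metadef", "index", frozenset({"admin"}), {"namespace": "OS::Compute"}),
    "admin_upload_foreign": Request("keystone", "user", "index", frozenset({"admin"}), {"name": "bob"}),
    "admin_search_all": Request("_all", "image", "search", frozenset({"admin"})),
    "member_search_wildcard": Request("glance", "*", "search", frozenset({"member"})),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        verdict = "allowed" if is_authorized(req) else "forbidden"
        print(f"{name:24s} -> {verdict}")
```

<p class="MsoNormal">The point of the exact-tuple allow-list is that the backend's own query syntax (multi-index lists, `_all`, wildcards) never gets a chance to widen the namespace: even an admin cannot write into `keystone/user` or search `_all`, because those tuples are simply not registered. Role checks then decide what the caller may do inside the registered namespaces.</p>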
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Kuvaja, Erno [mailto:kuvaja@hp.com] <br>
<b>Sent:</b> Monday, April 27, 2015 12:39 PM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> [openstack-dev] [glance] Call to action, revisit CIS state<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi all,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As you probably know, CIS was expanded from the Juno metadefs work this cycle, based on the spec provided [1]. The implementation was merged in quite a rush just before feature freeze.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">During the spec review [2] for client functionality for CIS it came to our attention that the implementation exposes Elasticsearch perhaps too openly via its API (namely, the creation of datasets allows the API consumer to upload arbitrary
files via the create request).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Call to action: Please review the CIS functionality again for security threats and bring them up, so we can form a plan if we need to address those and request RC3 before release.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have a couple of major concerns about this workflow:<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l1 level1 lfo4"><![if !supportLists]><span style="mso-list:Ignore">1)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>I was shocked after reading the following statement from the client spec review discussion: “””During the Kilo release, we - by we I mean the team responsible for implementing the CIS - have discussed such a scenario, that exposing Elasticsearch
capabilities to the user consuming the CIS API can bring some serious security impact.””” Neither this discussion nor the scenario was ever brought to the attention of the wider Glance community. The spec bluntly states that there is no security impact from the implementation,
and the concerns should have been brought up so reviewers would have had a better chance to catch possible threats.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l1 level1 lfo4"><![if !supportLists]><span style="mso-list:Ignore">2)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>“””Would like to also address your concern that the proposed shape of the spec allows the user to upload arbitrary documents to Elasticsearch (ES is the engine used under the hood; we should rather talk about uploading documents to the CIS service)
which are not related to Glance in any way (images & metadefs in the current implementation).””” “””Personally I don't think that discussion about IF is a valid topic, because we've already implemented the backend for CIS on the Glance side and you cannot say A without
saying B.””” As long as the code is developed under the Glance project and reviewed by glance-core, it’s outrageous to claim that possible issues are not related to Glance in any way. Discussion about whether the API is implemented per the spec and fits the mission
statement is really valid at this point and needs to be had thoroughly. We need to find the root cause of this attitude and fix it before it damages the relationships within the community in a way that cannot be fixed.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l1 level1 lfo4"><![if !supportLists]><span style="mso-list:Ignore">3)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>We had two huge pieces of code merging in at the very end of the development cycle, Artifacts and CIS, and the pressure to merge them (unfortunately not to review, but to merge) was high. On the Artifacts side we had a pretty open discussion
about the state, the concerns and the planned timelines to address those concerns. With CIS we unfortunately did not have this openness. Whether it was a reflection of 1 & 2 or something else, I do not know, but I surely would like to.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I would like you to look back into those two specs and the comments, look back into the implementation and raise any urgent concerns, and please let's try to have a good and healthy base for discussion at the Vancouver Summit on how we will continue
forward from this! As Stable Branch Liaison I would really like to know what we (and who that “we” is) are supporting for the next couple of cycles; as glance-core I would like to know any concerns people might have about the technology or implementation used; and as
a Glance community member I’d like to see us working together towards these things and definitely not have these “we” vs. “them”/“you” discussions anymore. Bluntly, if we need to split the team, let’s do it officially; there is room under the big tent for every group
who wants to be by themselves.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best Regards,<o:p></o:p></p>
<p class="MsoNormal">Erno<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[1] <a href="http://specs.openstack.org/openstack/glance-specs/specs/kilo/catalog-index-service.html">
http://specs.openstack.org/openstack/glance-specs/specs/kilo/catalog-index-service.html</a><o:p></o:p></p>
<p class="MsoNormal">[2] <a href="https://review.openstack.org/#/c/173718/">https://review.openstack.org/#/c/173718/</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>