<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
</head>
<body ocsi="0" fpstyle="1">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Ah. I was going to bring this up eventually but hadn't gotten to it yet.<br>
<br>
I started up a patch for adding similar support for horizon here:<br>
<a href="https://review.openstack.org/#/c/311189/" target="_blank">https://review.openstack.org/#/c/311189/</a><br>
<br>
My intention is to use it to make a Horizon Plugin to speak to a Keystone authenticated Kubernetes api directly.<br>
<br>
Thanks,<br>
Kevin<br>
<br>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF517886"><font face="Tahoma" color="#000000" size="2"><b>From:</b> Timur Sufiev [tsufiev@mirantis.com]<br>
<b>Sent:</b> Wednesday, June 29, 2016 2:10 PM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> [openstack-dev] [security] [horizon] Security implications of exposing a keystone token to a JS client<br>
</font><br>
</div>
<div></div>
<div>
<div dir="ltr">
<div>Hello, vigilant folks of OpenStack Security team!</div>
<div><br>
</div>
<div>The commit(s) I'd like you to take a look at introduces a new Horizon feature, Create (Glance) Image using CORS (AKA Cross-Origin Resource Sharing) [1]. </div>
<div><br>
</div>
<div>The main idea is to bypass Horizon web-server when uploading large local image and to send it directly to Glance server, thus saving network bandwidth and disk space on the controller node where Horizon web-server is deployed. However there is one possible
security trade-off I had to make so that Glance service would allow me to upload an image - I'm passing the Keystone token to the Horizon JS runtime [2], and then pass it to Glance service [3] or [4] (different links here correspond to different versions of
new Create Image - Django and Angular). This trade-off made Horizon community somewhat hesitant if we should push these changes forward, but nobody yet voiced a viable alternative, so here I'm writing this letter to you.</div>
<div><br>
</div>
<div>The usual Horizon workflow for working with Keystone tokens is the following: retrieve a scoped token and put it into the web-server session, which is itself not exposed to the browser (unless the SESSION_STORAGE signed_cookies backend was chosen, but even in that case
session contents are encrypted in some way), but is kept on the web-server and referenced using the session key, which is kept in browser cookies - so one may say that in the existing setup the keystone token never leaks to the browser.</div>
<div><br>
</div>
<div>On the other hand, in some not so far (I hope) future, when more logic is moved to the client-side UI (i.e. browser), the issue of the browser authenticating to some OpenStack services directly will become more widespread; it just happened that this work on Create
Image in Horizon is pioneering this area (AFAIK). So, what do you think of the possible security implications of this setup?</div>
<div><br>
</div>
<div>Just for the reference, three patches mentioned in [1-3] implement most of the logic of new Create Image feature.</div>
<div><br>
</div>
<div>[1] <a href="https://blueprints.launchpad.net/horizon/+spec/horizon-glance-large-image-upload" target="_blank">
https://blueprints.launchpad.net/horizon/+spec/horizon-glance-large-image-upload</a></div>
<div>[2] <a href="https://review.openstack.org/#/c/317365/15/openstack_dashboard/api/glance.py@215" target="_blank">
https://review.openstack.org/#/c/317365/15/openstack_dashboard/api/glance.py@215</a></div>
<div>[3] <a href="https://review.openstack.org/#/c/230434/37/horizon/static/horizon/js/horizon.modals.js@212" target="_blank">
https://review.openstack.org/#/c/230434/37/horizon/static/horizon/js/horizon.modals.js@212</a></div>
<div>[4] <a href="https://review.openstack.org/#/c/317456/16/openstack_dashboard/static/app/core/openstack-service-api/glance.service.js@151" target="_blank">
https://review.openstack.org/#/c/317456/16/openstack_dashboard/static/app/core/openstack-service-api/glance.service.js@151</a></div>
</div>
</div>
</div>
</div>
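The direct browser-to-Glance upload discussed in the quoted message only leaves the page if Glance's CORS policy lets the Horizon origin send a request carrying the X-Auth-Token header. The following is an added example, not code from Horizon or Glance, that models that browser-side preflight gate; the origins, image id, token, policy headers and helper names are assumptions constructed for illustration.

```javascript
// Added example, not Horizon or Glance code: models the browser-side CORS
// gate a direct Horizon-JS-to-Glance upload must pass. All values constructed.
const HORIZON_ORIGIN = "https://horizon.example.org";    // constructed
const GLANCE_BASE = "https://glance.example.org:9292";   // constructed

const SAFE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_CONTENT_TYPES = [
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
];

// The upload request the JS client issues once it holds the Keystone token.
// X-Auth-Token plus a non-safelisted Content-Type make it a non-simple
// request, so the browser sends an OPTIONS preflight before the PUT.
function buildUploadRequest(imageId, token) {
  return {
    method: "PUT",
    url: `${GLANCE_BASE}/v2/images/${imageId}/file`,
    headers: { "X-Auth-Token": token, "Content-Type": "application/octet-stream" },
  };
}

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Request headers the preflight response must explicitly allow.
function nonSafelistedHeaders(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !(name.toLowerCase() === "content-type" &&
      SAFE_CONTENT_TYPES.includes(value.split(";")[0].trim().toLowerCase())))
    .map(([name]) => name.toLowerCase());
}

// Mirrors the checks a browser applies to Glance's preflight response before
// it lets the token-bearing request leave a page served from `origin`.
function preflightAllows(origin, request, corsResponse) {
  const allowOrigin = corsResponse["Access-Control-Allow-Origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  const methods = splitList(corsResponse["Access-Control-Allow-Methods"]).map((m) => m.toUpperCase());
  if (!SAFE_METHODS.includes(request.method) && !methods.includes(request.method)) return false;
  const allowed = splitList(corsResponse["Access-Control-Allow-Headers"]);
  return allowed.includes("*") || nonSafelistedHeaders(request.headers).every((h) => allowed.includes(h));
}

// Constructed Glance CORS responses: one scoped to the Horizon origin, one
// that lets a page on any origin present whatever token it holds.
const SCOPED_POLICY = {
  "Access-Control-Allow-Origin": HORIZON_ORIGIN,
  "Access-Control-Allow-Methods": "PUT, POST",
  "Access-Control-Allow-Headers": "X-Auth-Token, Content-Type",
};
const OPEN_POLICY = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "PUT", "Access-Control-Allow-Headers": "*" };
```

The scoped policy is the one to look for in a deployment review: with it, a token that has reached the JS runtime can only be replayed to Glance from a page on the Horizon origin itself.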
</body>
</html>