[Openstack-operators] Gaining access to consoles.
matt at mattfischer.com
Tue Aug 11 01:16:43 UTC 2015
On Sun, Aug 9, 2015 at 11:59 PM, Tony Breeds <tony at bakeyournoodle.com>
> Hi All,
> Nova has bug: https://bugs.launchpad.net/nova/+bug/1447679 (service
> (port 6080) doesn't require authentication).
> Which explains that if you know the 'token' associated with an instance's
> console you can get access to said console without otherwise proving that
> should be allowed access to that instance.
> Nothing limits the problem to VNC, so all console types are potentially
> There is a proposed solution (https://review.openstack.org/#/c/182129)
> adds a config option that means a token is only valid for a single use.
> The assertion is that bookmarking a URL to a console and then using it
> times is something that we want to still allow albeit discouraged. When
> config value is introduced it will default to False (meaning that the
> bookmarking scenario above will still work). At some stage it'd be ideal
> invert this so that the option is True and operators can switch it if
I'm not excited about making this the default until token revocations don't
impact performance the way that they do now. I don't know how often this
would get exercised though, but the impact of 100+ token revokes is
noticeable on every API call.
> I don't think that much of that is controversial, my question is what
> the schedule for switching this be? Assuming we land a fix in Liberty,
> the change in Mitaka? Norbert?
> Also is being able to bookmark/save the token a thing that users do?
> Yours Tony.
>  How you get that token isn't really the issue, it could be a network or
> browser issue 
>  I should look at the documentation of how we configure console access
> ensure it's "secure" by default
>  Even if the console isn't logged in this is a bad thing(tm)
>  There is an outstanding issue with SPICE that is being looked into
>  Which isn't a given.
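Added example, not part of the original thread and not Nova's code: a toy token registry showing the bearer-token behaviour the bug report describes and what a single-use setting changes when the same token is presented twice. The class, the `single_use` flag name, the TTL and the instance id are all hypothetical stand-ins.

```python
import secrets
import time


class ConsoleTokenStore:
    """Toy console-token registry (hypothetical; not Nova's implementation)."""

    def __init__(self, single_use=False, ttl=600):
        # single_use stands in for the proposed option; False mirrors the
        # default described in the thread (a bookmarked URL keeps working).
        # ttl is an assumption of this example, not a value from the thread.
        self.single_use = single_use
        self.ttl = ttl
        self._tokens = {}  # token -> (instance_id, expiry timestamp)

    def issue(self, instance_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (instance_id, now + self.ttl)
        return token

    def connect(self, presented, now=None):
        """Return the instance id the token maps to, or None if rejected.

        The caller's identity is never consulted: holding the token is the
        only check, which is the behaviour the bug report describes.
        """
        now = time.time() if now is None else now
        entry = self._tokens.get(presented)
        if entry is None:
            return None
        instance_id, expiry = entry
        if now >= expiry:
            del self._tokens[presented]
            return None
        if self.single_use:
            del self._tokens[presented]  # burn on first successful use
        return instance_id


def replay_outcomes(single_use):
    """The token is presented twice; report what each attempt gets."""
    store = ConsoleTokenStore(single_use=single_use)
    token = store.issue("instance-0001", now=0)  # constructed instance id
    first = store.connect(token, now=10)
    second = store.connect(token, now=20)
    return first, second
```

With `single_use=False` both presentations reach the console; with `single_use=True` only the first does, so whoever presents the token first gets the session.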