<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Sun, Aug 9, 2015 at 11:59 PM, Tony Breeds <span dir="ltr"><<a href="mailto:tony@bakeyournoodle.com" target="_blank">tony@bakeyournoodle.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi All,<br>
Nova has bug: <a href="https://bugs.launchpad.net/nova/+bug/1447679" rel="noreferrer" target="_blank">https://bugs.launchpad.net/nova/+bug/1447679</a> (service No-VNC<br>
(port 6080) doesn't require authentication).<br>
<br>
Which explains that if you know the 'token'[1] associated with an instance's<br>
console you can get access to said console without otherwise proving that you<br>
should be allowed access to that instance[3].<br>
<br>
Nothing limits the problem to VNC, so all console types are potentially affected.<br>
<br>
There is a proposed solution (<a href="https://review.openstack.org/#/c/182129" rel="noreferrer" target="_blank">https://review.openstack.org/#/c/182129</a>) which<br>
adds a config option that means a token is only valid for a single use[4].<br>
The assertion is that bookmarking a URL to a console and then using it multiple<br>
times is something that we want to still allow albeit discouraged. When the<br>
config value is introduced it will default to False (meaning that the<br>
bookmarking scenario above will still work). At some stage it'd be ideal to<br>
invert this so that the option is True and operators can switch it if<br>
appropriate.<br></blockquote><div><br></div><div>I'm not excited about making this the default until token revocations don't impact performance the way that they do now. I don't know how often this would get exercised though, but the impact of 100+ token revokes is noticeable on every API call.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I don't think that much of that is controversial, my question is what should<br>
the schedule for switching this be? Assuming we land a fix in Liberty[5], make<br>
the change in Mitaka? Norbert?<br>
<br>
Also is being able to bookmark/save the token a thing that users do?<br>
<br>
Yours Tony.<br>
<br>
[1] How you get that token isn't really the issue, it could be a network or<br>
browser issue [2]<br>
[2] I should look at the documentation of how we configure console access to<br>
ensure it's "secure" by default<br>
[3] Even if the console isn't logged in this is a bad thing(tm)<br>
[4] There is an outstanding issue with SPICE that is being looked into<br>
[5] Which isn't a given.<br>
<br>_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
<br></blockquote></div><br></div></div>
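The single-use console token option discussed in the thread, as an added illustration that is not part of this mailing-list exchange and is not Nova's consoleauth implementation. The `ConsoleTokenStore` class, its `ttl_seconds`/`single_use` parameters, the injectable clock and the instance and user ids are all constructed for the example. It contrasts the default behaviour (a bookmarked URL keeps working until the token expires, so a token that leaks can be replayed) with the hardened setting (the token is consumed on first use, so a replay is refused and nothing is left to revoke later).

```python
"""Illustrative single-use console token store (constructed example, not Nova code)."""
import secrets
import time


class ConsoleTokenStore:
    """Maps opaque console tokens to the instance and user they were issued for.

    `single_use` mirrors the proposed config option: False keeps a bookmarked
    console URL working until the token expires; True consumes the token on
    first use so a leaked or replayed token is refused.
    """

    def __init__(self, ttl_seconds=600, single_use=False, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.single_use = single_use
        self.clock = clock      # injectable so expiry can be tested deterministically
        self._tokens = {}       # token -> {"instance", "user", "expires"}

    def issue(self, instance_id, user_id):
        """Issue a fresh unguessable token bound to one instance and one user."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "instance": instance_id,
            "user": user_id,
            "expires": self.clock() + self.ttl,
        }
        return token

    def validate(self, token):
        """Return the binding for a valid token, or None if unknown, expired or used.

        Expired entries are dropped when seen; in single-use mode a valid token
        is deleted here, so no separate revocation step is ever needed for it.
        """
        entry = self._tokens.get(token)
        if entry is None:
            return None
        if self.clock() >= entry["expires"]:
            del self._tokens[token]
            return None
        if self.single_use:
            del self._tokens[token]
        return dict(entry)

    def outstanding(self):
        """Number of tokens still stored (what a revocation sweep would have to walk)."""
        return len(self._tokens)


class FakeClock:
    """Constructed clock so the example runs without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Run the bookmark/replay scenario under both settings and collect the outcomes."""
    results = {}
    clock = FakeClock()

    # Default (single_use=False): the bookmarked URL keeps working until expiry,
    # which also means a copied token is accepted again by whoever holds it.
    store = ConsoleTokenStore(ttl_seconds=600, single_use=False, clock=clock)
    token = store.issue("inst-1", "alice")
    results["bookmark_first"] = store.validate(token) is not None
    results["bookmark_replay"] = store.validate(token) is not None
    clock.advance(601)
    results["bookmark_after_ttl"] = store.validate(token) is not None

    # Hardened (single_use=True): the first use consumes the token.
    store = ConsoleTokenStore(ttl_seconds=600, single_use=True, clock=clock)
    token = store.issue("inst-1", "alice")
    results["single_first"] = store.validate(token) is not None
    results["single_replay"] = store.validate(token) is not None
    results["single_left_over"] = store.outstanding()
    results["unknown_token"] = store.validate("not-a-real-token") is not None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the comparison is the trade-off raised in the thread: with `single_use=False` nothing short of expiry or an explicit revocation stops a leaked token, whereas with `single_use=True` the store empties itself as tokens are used, so there is no growing list of live tokens to revoke.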