[Openstack-security] [Bug 1321906] Re: [EDP] Swift credentials passed in plain text

Thierry Carrez thierry.carrez+lp at gmail.com
Thu Oct 16 09:40:06 UTC 2014


** Changed in: sahara
    Milestone: juno-rc1 => 2014.2

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1321906

Title:
  [EDP] Swift credentials passed in plain text

Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Data Processing (Sahara, ex. Savanna):
  Fix Released

Bug description:
  For Sahara, we support job binaries and data sources in Swift.  Job
  binaries are accessed from the Sahara process, and data sources are
  accessed from Hadoop at job execution time.  Username/password
  credentials are required for swift access.  These credentials might
  be/are compromised in the following ways:

  1) For both job binaries and data sources, objects are created and
  stored in the Sahara database that contain the path and the associated
  credentials in plain text.  Anyone gaining access to the database can
  therefore read the username/password credentials stored there with the
  swift path.

  2) For data sources, the credentials are passed as part of the Hadoop
  job configuration.  Currently all Hadoop jobs are run as Oozie
  workflows.  The swift username and password values are set in the
  workflow.xml file, and are visible to anyone that can access the Oozie
  UI console, use the Oozie command line to retrieve the workflow.xml,
  or even use hadoop fs to look at the files uploaded for the job (which
  include the workflow.xml).

  We need a way for Sahara and Hadoop to access swift objects securely,
  without exposing swift credentials in workflow.xml or storing them in
  the database in plain text.  In the future we will support mechanisms
  other than Oozie so this is not just an Oozie issue per se.

  For further background, here is the Hadoop patch that allows Hadoop to
  access swift paths.  It uses a service suffix in the netlocation
  portion of the URL to match the URL against credential values in the
  job configuration.  Any solution to this issue will require a new
  patch to Hadoop itself, as well as changes to the Sahara code base.

  https://issues.apache.org/jira/browse/HADOOP-8545

  It's been suggested within the Sahara team that we can potentially
  accomplish this with trusts.

  Note, this vulnerability isn't really a secret to anyone observant who
  is familiar with Sahara EDP, but it is probably better not to trumpet
  it too loudly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1321906/+subscriptions
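An added audit script for the second exposure path above, not code from the bug report or from Sahara: it parses an Oozie workflow.xml, lists every swift credential set stored there in plain text, and uses the service suffix in the netloc of each swift:// URL (the HADOOP-8545 matching rule) to show which data-source paths those credentials unlock. The fs.swift.service.<name>.username/.password key layout and the "<container>.<service>" netloc form are assumed here from hadoop-openstack; the workflow snippet and its values are constructed.

```python
# Added example (not from the bug report or Sahara): find swift credentials
# exposed in an Oozie workflow.xml and tie them to the swift:// paths that
# use them. Assumed key layout (hadoop-openstack, HADOOP-8545):
#   fs.swift.service.<name>.username / fs.swift.service.<name>.password
# and a swift URL netloc of "<container>.<name>", the suffix selecting
# the credential set.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of the <configuration> block an EDP job would carry
# for a swift data source; all values are made up.
SAMPLE_WORKFLOW = """<workflow-app name="job" xmlns="uri:oozie:workflow:0.2">
  <action name="pig">
    <configuration>
      <property><name>fs.swift.service.sahara.username</name><value>demo</value></property>
      <property><name>fs.swift.service.sahara.password</name><value>s3cret</value></property>
      <property><name>fs.swift.service.sahara.auth.url</name><value>http://keystone:5000/v2.0/tokens</value></property>
      <property><name>mapred.input.dir</name><value>swift://input.sahara/data.txt</value></property>
    </configuration>
  </action>
</workflow-app>"""

CRED_RE = re.compile(r"^fs\.swift\.service\.(?P<svc>[^.]+)\.(?P<field>username|password)$")

def find_plaintext_swift_credentials(workflow_xml):
    """Return {service: {field: value}} for every swift credential property."""
    found = {}
    for prop in ET.fromstring(workflow_xml).iter():
        # Oozie workflow.xml is namespaced, so compare local tag names only.
        if prop.tag.split("}")[-1] != "property":
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in prop}
        m = CRED_RE.match(fields.get("name", ""))
        if m:
            found.setdefault(m.group("svc"), {})[m.group("field")] = fields.get("value", "")
    return found

def swift_service_for(url):
    """Service suffix of a swift:// URL's netloc ("container.service"), else None."""
    parsed = urlparse(url)
    if parsed.scheme != "swift" or "." not in parsed.netloc:
        return None
    return parsed.netloc.rsplit(".", 1)[1]

def exposed_swift_paths(workflow_xml):
    """swift:// paths whose password is present in plain text in the same file."""
    creds = find_plaintext_swift_credentials(workflow_xml)
    urls = re.findall(r"swift://[^\s<]+", workflow_xml)
    return [(u, swift_service_for(u)) for u in urls
            if "password" in creds.get(swift_service_for(u), {})]
```

Run it over the workflow.xml files retrievable from Oozie or the job staging directory to see exactly which credential sets, and which data paths, a reader of those files obtains.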
