[Openstack-security] [Bug 1158328] Re: passwords in config files stored in plaintext

Glenn Ferguson Glenn.Ferguson at wellsfargo.com
Fri Sep 12 20:21:32 UTC 2014


This issue should not be dismissed as out of scope or declared as Won't fix. If OpenStack wants enterprise adoption, these are the issues that will need to be addressed.
As a side note, it doesn't help to have comments such as "acquire the passwords to the database, giving them ALOT of access to that system" in the thread then later dismiss the issue. It is not uncommon for IT auditors to assess risk to a given deployment and to come across this exchange. For someone not familiar with the inner workings of OpenStack - this becomes a major red flag in the audit report.

Personally I would like to see this issue addressed in some fashion
other than plain text.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1158328

Title:
  passwords in config files stored in plaintext

Status in OpenStack Compute (Nova):
  Won't Fix

Bug description:
  The credentials for database connections and the keystone authtoken
  are stored in plaintext within the nova.conf and apipaste config
  files.

  These values should be encrypted.  A scheme similar to /etc/shadow
  would be great.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1158328/+subscriptions



