[Openstack-security] [Bug 1711117] Re: paste_deploy flavor in sample configuration file shows misleading default
Jeremy Stanley
fungi at yuggoth.org
Tue Nov 28 17:51:09 UTC 2017
Apologies, we seem to have overlooked opening this.
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
- --
-
The "flavor" option of the "[paste_deploy]" section defaults to "None",
but the sample configuration and documentation [1] suggests that it is
"keystone". This can lead to unsecure deployments without
authentication. The "glance-api.conf" file shows the following:
#
# Deployment flavor to use in the server application pipeline.
#
# Provide a string value representing the appropriate deployment
# flavor used in the server application pipleline. This is typically
# the partial name of a pipeline in the paste configuration file with
# the service name removed.
#
# For example, if your paste section name in the paste configuration
# file is [pipeline:glance-api-keystone], set ``flavor`` to
# ``keystone``.
#
# Possible values:
# * String value representing a partial pipeline name.
#
# Related Options:
# * config_file
#
# (string value)
#flavor = keystone
This is misleading and can lead operators to think that the default
flavor being used is "keystone", but this is not the case:
DEBUG glance.common.config [-] paste_deploy.flavor = None
log_opt_values /usr/lib/python2.7/dist-packages/oslo_config/cfg.py:2626
Previously, in Mitaka, the flavor was defined something like this:
# Partial name of a pipeline in your paste configuration file with the
# service name removed. For example, if your paste section name is
# [pipeline:glance-api-keystone] use the value "keystone" (string
# value)
#flavor = <None>
Therefore, somebody upgrading from a previous version would think that
the default is now set to "keystone" instead of "None". In such cases
the operator could remove the "flavor=keystone" definition, assuming
that the default value is correct.
Moreover, the configuration reference states that the default is
"keystone" [1], but this is not the case as the option does not set a
default vale, but a sample default [2]
[1] https://docs.openstack.org/glance/latest/configuration/glance_api.html#paste_deploy
[2] https://github.com/openstack/glance/blob/c4b0fbe632f759b00a1c326c17a05f134e93553d/glance/common/config.py#L33
Taking into account that if the flavor for paste is not set this will
lead to a deployment without authentication.
If the sample default is different from the actual default, this should
be stated clearly in the comment for that option.
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1711117
Title:
paste_deploy flavor in sample configuration file shows misleading
default
Status in Glance:
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
The "flavor" option of the "[paste_deploy]" section defaults to
"None", but the sample configuration and documentation [1] suggests
that it is "keystone". This can lead to unsecure deployments without
authentication. The "glance-api.conf" file shows the following:
#
# Deployment flavor to use in the server application pipeline.
#
# Provide a string value representing the appropriate deployment
# flavor used in the server application pipleline. This is typically
# the partial name of a pipeline in the paste configuration file with
# the service name removed.
#
# For example, if your paste section name in the paste configuration
# file is [pipeline:glance-api-keystone], set ``flavor`` to
# ``keystone``.
#
# Possible values:
# * String value representing a partial pipeline name.
#
# Related Options:
# * config_file
#
# (string value)
#flavor = keystone
This is misleading and can lead operators to think that the default
flavor being used is "keystone", but this is not the case:
DEBUG glance.common.config [-] paste_deploy.flavor =
None log_opt_values /usr/lib/python2.7/dist-
packages/oslo_config/cfg.py:2626
Previously, in Mitaka, the flavor was defined something like this:
# Partial name of a pipeline in your paste configuration file with the
# service name removed. For example, if your paste section name is
# [pipeline:glance-api-keystone] use the value "keystone" (string
# value)
#flavor = <None>
Therefore, somebody upgrading from a previous version would think that
the default is now set to "keystone" instead of "None". In such cases
the operator could remove the "flavor=keystone" definition, assuming
that the default value is correct.
Moreover, the configuration reference states that the default is
"keystone" [1], but this is not the case as the option does not set a
default vale, but a sample default [2]
[1] https://docs.openstack.org/glance/latest/configuration/glance_api.html#paste_deploy
[2] https://github.com/openstack/glance/blob/c4b0fbe632f759b00a1c326c17a05f134e93553d/glance/common/config.py#L33
Taking into account that if the flavor for paste is not set this will
lead to a deployment without authentication.
If the sample default is different from the actual default, this
should be stated clearly in the comment for that option.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1711117/+subscriptions
More information about the Openstack-security
mailing list