<p dir="ltr">We have to configure the Apache layer to set the component we want as the REMOTE_USER, but other than that I believe that's pretty much all it takes on the Keystone side. Changes were necessary to some of the Python clients and service code, mainly to get them to pass certificates along. Not all these changes have been proposed upstream yet, although we plan to.</p>
<p dir="ltr">Thanks,</p>
<p dir="ltr">Nate</p>
<div class="gmail_quote">On Apr 23, 2014 8:33 AM, "Adam Young" <<a href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>On 04/23/2014 08:29 AM, Nathanael
Burton wrote:<br>
</div>
<blockquote type="cite">
<p dir="ltr">We do this today with X509 certificates using the
external auth plugin for Keystone. Services and users auth
directly with X509 certificates to get tokens.</p>
</blockquote>
<br>
Have you modified it at all? I have yet to try, but I thought with
mod_ssl and external, REMOTE_USER was not set. It was my
understanding that the following vars were set in its place:<br>
<br>
<a href="http://www.freeipa.org/page/Environment_Variables#X.509_Authentication" target="_blank">http://www.freeipa.org/page/Environment_Variables#X.509_Authentication</a><br>
<br>
<blockquote type="cite">
<p dir="ltr">Nate</p>
<div class="gmail_quote">On Apr 23, 2014 12:23 AM, "Adam Young"
<<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>On 04/22/2014 11:29 AM, Clark, Robert Graham wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">As
Bryan mentioned already, a user with access to
production systems, particularly one with sudo/root
access – is in an incredibly privileged position. On
its own this is an auditing issue but it’s a
recognised one. In most deployments subject to
auditing (i.e. production) it’s likely that
compensating controls such as gated access, user
logging, MAC etc. are all in place to control the
risk.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">It’s
a messy problem to deal with. I’ve seen approaches
where the process and configuration file are both
owned by an elevated user; once the process has
loaded the configuration file it drops privs and can
no longer read the file. This can be useful as a
mechanism for avoiding directory traversal in web
services etc. I’m not sure how viable an approach
this would be with something like Swift.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">-Rob</span></p>
</div>
</blockquote>
<br>
I'd like to see a concerted effort to allow all services
to get keystone tokens with either Kerberos (keytabs) or
X509 Client certificates.<br>
<br>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" lang="EN-US">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" lang="EN-US"> Bryan D. Payne [<a href="mailto:bdpayne@acm.org" target="_blank">mailto:bdpayne@acm.org</a>]
<br>
<b>Sent:</b> 22 April 2014 01:16<br>
<b>To:</b> Adam Lawson<br>
<b>Cc:</b> <a href="mailto:openstack-security@lists.openstack.org" target="_blank">openstack-security@lists.openstack.org</a><br>
<b>Subject:</b> Re: [Openstack-security]
Credentials in clear text</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">This is fair. I'm not
personally familiar with Swift, so I will let
others chime in on that.</p>
<div>
<p class="MsoNormal">-bryan</p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> </p>
<div>
<p class="MsoNormal">On Mon, Apr 21, 2014 at 4:47
PM, Adam Lawson <<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>>
wrote:</p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Preventing access to
passwords for the purpose of preventing
unauthorized access to data is another way I
look at it.</p>
</div>
<div>
<div>
<p class="MsoNormal"><br clear="all">
</p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><i><span style="font-family:"Arial","sans-serif""><br>
Adam Lawson</span></i></b><span style="font-family:"Arial","sans-serif""></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#666666">AQORN,
Inc.</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#666666">427
North Tatnall Street</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#666666">Ste.
58461</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#666666">Wilmington,
Delaware 19801-2230</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#666666">Toll-free:
(844) 4-AQORN-NOW</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#666666">Direct:
</span><a href="tel:%2B1%20%28302%29%20268-6914" target="_blank"><span style="font-family:"Arial","sans-serif"">+1
(302) 268-6914</span></a><span style="font-family:"Arial","sans-serif";color:#666666"></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""><img src="http://www.aqorn.com/images/logo.png" alt="http://www.aqorn.com/images/logo.png" height="49" border="0" width="120"></span><span style="font-family:"Arial","sans-serif""></span></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> </p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On Mon, Apr 21,
2014 at 4:46 PM, Adam Lawson <<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>>
wrote:</p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">My initial
concern is specific to Swift and
gaining global access to all data
by virtue of having access to a
single proxy node. It seems more
than access to system resources
but a flaw in how data is
controlled (and passwords are
controlled).</p>
</div>
<div>
<div>
<p class="MsoNormal"><br clear="all">
</p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> </p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On Mon,
Apr 21, 2014 at 4:41 PM,
Bryan D. Payne <<a href="mailto:bdpayne@acm.org" target="_blank">bdpayne@acm.org</a>>
wrote:</p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">This
would be a nice
hardening step, but if
you have sudo on the box
there's a lot of things
you can do see. This is
just the tip of the
iceberg. For example,
access to the backend
db? Access to traffic
on the network / unix
sockets / etc? Access
to logs.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I
am not aware of any
current efforts to
mask this information
from the config files.
But that doesn't mean
it's not happening.
If someone is aware
of such an effort, I'd
certainly be
interested in learning
more about it.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Cheers,</p>
</div>
<div>
<p class="MsoNormal">-bryan</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> </p>
<div>
<div>
<div>
<p class="MsoNormal">On
Mon, Apr 21, 2014
at 4:26 PM, Adam
Lawson <<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>>
wrote:</p>
</div>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">Have
.conf files
containing
credentials
and tokens
been addressed,
or are they being
addressed?
Seems there
are a lot of
keys to the
kingdom
clearly
visible to
staff who have
access to
systems for
day-to-day
admin work but
don't/shouldn't
be able to
view them. If
they have sudo
access, they
have
everything
they need to
get where they
don't belong.
Really strikes
me as an
obvious audit
issue...<span style="color:#888888"></span></p>
<div>
<div>
<p class="MsoNormal"><span style="color:#888888"><br clear="all">
</span></p>
<div>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">_______________________________________________<br>
Openstack-security
mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a></p>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</blockquote>
<br>
</div>
<br>
<br>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote></div>
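<p dir="ltr">Added example, not code from this thread and not Swift's own code: the "load the config as root, then drop privileges so the process can no longer read it" pattern Rob describes, applied to a proxy-server.conf-style authtoken stanza, together with the audit check that the file is not group- or world-readable in the first place. The config text is constructed with a placeholder password; the scratch path <code>/tmp/proxy-server-example.conf</code> and the unprivileged account <code>nobody</code> are assumptions.</p>

```python
"""Load a root-only config, keep just the needed values in memory, then drop
privileges irreversibly so the running process can no longer open the file.
Added example for the thread above; not Swift's or Keystone's own code."""
import configparser
import grp
import os
import pwd
import stat

# Constructed sample config in the shape of a Swift proxy authtoken stanza.
# The password is a placeholder, not a real secret.
SAMPLE_CONF = """\
[filter:authtoken]
auth_uri = https://keystone.example.test:5000
admin_user = swift
admin_password = PLACEHOLDER-NOT-A-REAL-SECRET
"""


def load_authtoken(text):
    """Parse the stanza and keep only the fields the service needs in memory."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sect = cp["filter:authtoken"]
    return {k: sect[k] for k in ("auth_uri", "admin_user", "admin_password")}


def mode_readable_by_others(mode):
    """Audit check: True if the mode grants read to group or world."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def config_exposed(path):
    """True if the config file on disk is readable by anyone but its owner."""
    return mode_readable_by_others(os.stat(path).st_mode)


def drop_privileges(user):
    """Switch from root to an unprivileged user and its primary group.
    Order matters: supplementary groups, then gid, then uid. setuid() (not
    seteuid()) changes real, effective and saved uid, so there is no way back."""
    if os.geteuid() != 0:
        raise PermissionError("must start as root to drop privileges")
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    os.umask(0o077)
    if os.getuid() != pw.pw_uid or os.geteuid() != pw.pw_uid:
        raise RuntimeError("privilege drop did not take effect")


def can_read(path):
    """True if the current process can open path for reading."""
    try:
        with open(path, "rb"):
            return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Run as root to see the full effect; as a normal user it stops at the
    # drop. The scratch path and the 'nobody' account are assumptions.
    conf_path = "/tmp/proxy-server-example.conf"
    with open(conf_path, "w") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(conf_path, 0o600)  # owner-only, the precondition for the pattern
    print("config exposed to others:", config_exposed(conf_path))
    with open(conf_path) as fh:
        secrets = load_authtoken(fh.read())
    print("readable before drop:", can_read(conf_path))
    try:
        drop_privileges("nobody")
    except PermissionError as exc:
        print("skipping drop:", exc)
    else:
        # The file stays root:0600 on disk; this process can no longer open
        # it, yet still holds the parsed values it loaded while privileged.
        print("readable after drop:", can_read(conf_path))
        print("still holding admin_user:", secrets["admin_user"])
```

<p dir="ltr">The check after the drop is the part worth keeping: a process that uses seteuid() instead of setuid() keeps a saved root uid and can regain access to the file, so the example verifies both the real and effective uid changed. The audit helper covers the other half of Rob's premise; if the config is group- or world-readable, dropping privileges in the service does nothing for the staff accounts Adam is worried about.</p>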