<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/23/2014 10:24 AM, Tim Bell wrote:<br>
</div>
<blockquote
cite="mid:5D7F9996EA547448BC6C54C8C5AAF4E5D9B56F5E@CERNXCHG41.cern.ch"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">I
think Jose from CERN has been putting in some work on the
clients and the server for Kerberos in this area.
<o:p></o:p></span></p>
</div>
</blockquote>
Yes, I've been working with him on this. Jamie Lennox is working on
the necessary Client mechanisms to make various auth plugins
available from the Unified CLI, etc.<br>
<blockquote
cite="mid:5D7F9996EA547448BC6C54C8C5AAF4E5D9B56F5E@CERNXCHG41.cern.ch"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">There
were some problems with the Kerberos packaging and pre-reqs
along with how to fake a Kerberos server in the test suite
but he was making progress.</span></p>
</div>
</blockquote>
<br>
Kerberos Requests needs an upstream release we can pull in. There
is a change in master not in a released package that we need for
Python 3.3.<br>
<br>
<blockquote
cite="mid:5D7F9996EA547448BC6C54C8C5AAF4E5D9B56F5E@CERNXCHG41.cern.ch"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">Is
this on the summit agenda? It would be good to get it
working since I think it was on my summit talk in Boston.</span></p>
</div>
</blockquote>
<br>
There is a client talk, but not about this specifically. We can
work out details in the Developers lounge, though, and also in the
General client talks.<br>
<br>
<blockquote
cite="mid:5D7F9996EA547448BC6C54C8C5AAF4E5D9B56F5E@CERNXCHG41.cern.ch"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">Tim<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:18.0pt;font-family:"Arial","sans-serif";color:#41454D">Activity
Log<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D"><a
moz-do-not-send="true"
href="http://stackalytics.com/?user_id=jose-castro-leon&project_type=all&release=all&metric=all&company="><span
style="color:#D32F1A;text-decoration:none">Jose Castro
Leon</span></a> (<a moz-do-not-send="true"
href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=CERN"><span
style="color:#D32F1A;text-decoration:none">CERN</span></a>)<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">08
Apr 2014 07:14:32 in <a moz-do-not-send="true"
href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=&module=python-keystoneclient"><span
style="color:#D32F1A;text-decoration:none">python-keystoneclient</span></a><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">Review
“Initial kerberos plugin implementation.”<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">Submitted
by: <a moz-do-not-send="true"
href="http://stackalytics.com/?user_id=jose-castro-leon&project_type=all&release=all&metric=all&company="><span
style="color:#D32F1A;text-decoration:none">Jose Castro
Leon</span></a> (<a moz-do-not-send="true"
href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=CERN"><span
style="color:#D32F1A;text-decoration:none">CERN</span></a>)
(#35)<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">Change
Id: <a moz-do-not-send="true"
href="https://review.openstack.org/74974"><span
style="color:#D32F1A;text-decoration:none">Idf02bf27b5933c00827dd08d11ac131896184ad8</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:green">Code
Review: <b>1</b><o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D"><a
moz-do-not-send="true"
href="http://stackalytics.com/?user_id=jose-castro-leon&project_type=all&release=all&metric=all&company="><span
style="color:#D32F1A;text-decoration:none">Jose Castro
Leon</span></a> (<a moz-do-not-send="true"
href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=CERN"><span
style="color:#D32F1A;text-decoration:none">CERN</span></a>)<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">02
Apr 2014 14:59:32 in <a moz-do-not-send="true"
href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=&module=requirements"><span
style="color:#D32F1A;text-decoration:none">requirements</span></a><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">Review
“kerberos requires an additional requests library. Older
versions break in py33”<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">Submitted
by: <a moz-do-not-send="true"
href="http://stackalytics.com/?user_id=ayoung&project_type=all&release=all&metric=all&company="><span
style="color:#D32F1A;text-decoration:none">Adam Young</span></a> (<a
moz-do-not-send="true"
href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=Red+Hat"><span
style="color:#D32F1A;text-decoration:none">Red Hat</span></a>)
(#200)<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">Change
Id: <a moz-do-not-send="true"
href="https://review.openstack.org/84740"><span
style="color:#D32F1A;text-decoration:none">I2100915f123c0fea41d5b17d01947901aa0119c5</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:green">Code
Review: <b>1</b><o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D"><a
moz-do-not-send="true"
href="http://stackalytics.com/?user_id=jose-castro-leon&project_type=all&release=all&metric=all&company="><span
style="color:#D32F1A;text-decoration:none">Jose Castro
Leon</span></a> (<a moz-do-not-send="true"
href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=CERN"><span
style="color:#D32F1A;text-decoration:none">CERN</span></a>)<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">20
Feb 2014 09:21:31 in <a moz-do-not-send="true"
href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=&module=python-keystoneclient"><span
style="color:#D32F1A;text-decoration:none">python-keystoneclient</span></a><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">Patch
“Initial kerberos plugin implementation.”<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">Current
Status: ABANDONED<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">Change
Id: <a moz-do-not-send="true"
href="https://review.openstack.org/74974"><span
style="color:#D32F1A;text-decoration:none">Idf02bf27b5933c00827dd08d11ac131896184ad8</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D"><a
moz-do-not-send="true"
href="http://stackalytics.com/?user_id=jose-castro-leon&project_type=all&release=all&metric=all&company="><span
style="color:#D32F1A;text-decoration:none">Jose Castro
Leon</span></a> (<a moz-do-not-send="true"
href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=CERN"><span
style="color:#D32F1A;text-decoration:none">CERN</span></a>)<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">18
Feb 2014 10:19:23 in <a moz-do-not-send="true"
href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=&module=keystone"><span
style="color:#D32F1A;text-decoration:none">keystone</span></a><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">Patch
“Initial kerberos plugin implementation.”<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">Current
Status: ABANDONED<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D">Change
Id: <a moz-do-not-send="true"
href="https://review.openstack.org/74317"><span
style="color:#D32F1A;text-decoration:none">I2fad67c3613c273187f6ca32985d360352c81bf8</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US"> Nathanael Burton
[<a class="moz-txt-link-freetext" href="mailto:nathanael.i.burton.work@gmail.com">mailto:nathanael.i.burton.work@gmail.com</a>]
<br>
<b>Sent:</b> 23 April 2014 14:42<br>
<b>To:</b> Adam Young<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:openstack-security@lists.openstack.org">openstack-security@lists.openstack.org</a><br>
<b>Subject:</b> Re: [Openstack-security] Credentials in
clear text<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p>We have to configure the Apache layer to set the component we
want as the REMOTE_USER, but other than that I believe that's
pretty much all it takes on the Keystone side. Changes were
necessary to some of the Python clients and service code,
mainly to get them to pass certificates along. Not all these
changes have been proposed upstream yet, although we plan to.<o:p></o:p></p>
<p>Thanks,<o:p></o:p></p>
<p>Nate<o:p></o:p></p>
<div>
<p class="MsoNormal">On Apr 23, 2014 8:33 AM, "Adam Young"
<<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>>
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal">On 04/23/2014 08:29 AM, Nathanael
Burton wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>We do this today with X509 certificates using the
external auth plugin for Keystone. Services and users
auth directly with X509 certificates to get tokens.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Have you modified it at all? I have yet to try, but I
thought with mod_ssl and external, REMOTE_USER was not
set. It was my understanding that the following vars
were set in its place:<br>
<br>
<a moz-do-not-send="true"
href="http://www.freeipa.org/page/Environment_Variables#X.509_Authentication"
target="_blank">http://www.freeipa.org/page/Environment_Variables#X.509_Authentication</a><br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>Nate<o:p></o:p></p>
<div>
<p class="MsoNormal">On Apr 23, 2014 12:23 AM, "Adam
Young" <<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>>
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal">On 04/22/2014 11:29 AM,
Clark, Robert Graham wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">As
Bryan mentioned already, a user with
access to production systems, particularly
one with sudo/root access – is in an
incredibly privileged position. On its own
this is an auditing issue but it’s a
recognised one. In most deployments
subject to auditing (i.e. production) it’s
likely that compensating controls such as
gated access, user logging, MAC etc. are
all in place to control the risk.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">It’s
a messy problem to deal with. I’ve seen approaches where the process and
configuration file are both owned by an elevated user; once the process has loaded
the configuration file it drops privs and can no longer read the file. This can be
useful as a mechanism for avoiding directory traversal in web services etc.
I’m not sure how viable an approach this would be with something like Swift.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">-Rob</span><o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal"><br>
I'd like to see a concerted effort to allow
all services to get keystone tokens with either
Kerberos (keytabs) or X509 Client certificates.<br>
<br>
<br>
<o:p></o:p></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US"> Bryan D. Payne [<a
moz-do-not-send="true"
href="mailto:bdpayne@acm.org"
target="_blank">mailto:bdpayne@acm.org</a>]
<br>
<b>Sent:</b> 22 April 2014 01:16<br>
<b>To:</b> Adam Lawson<br>
<b>Cc:</b> <a
moz-do-not-send="true"
href="mailto:openstack-security@lists.openstack.org"
target="_blank">
openstack-security@lists.openstack.org</a><br>
<b>Subject:</b> Re:
[Openstack-security] Credentials in
clear text</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">This
is fair. I'm not personally familiar
with Swift, so I will let others chime
in on that.<o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">-bryan<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On
Mon, Apr 21, 2014 at 4:47 PM, Adam
Lawson <<a moz-do-not-send="true"
href="mailto:alawson@aqorn.com"
target="_blank">alawson@aqorn.com</a>>
wrote:<o:p></o:p></p>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Preventing
access to passwords for the purpose of preventing unauthorized
access to data is another way I look at it.<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br
clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><i><span
style="font-family:"Arial","sans-serif""><br>
Adam Lawson</span></i></b><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Arial","sans-serif";color:#666666">AQORN,
Inc.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Arial","sans-serif";color:#666666">427
North Tatnall Street</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Arial","sans-serif";color:#666666">Ste.
58461</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Arial","sans-serif";color:#666666">Wilmington,
Delaware 19801-2230</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Arial","sans-serif";color:#666666">Toll-free:
(844) 4-AQORN-NOW</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-family:"Arial","sans-serif";color:#666666">Direct:
</span><a
moz-do-not-send="true"
href="tel:%2B1%20%28302%29%20268-6914" target="_blank"><span
style="font-family:"Arial","sans-serif"">+1
(302) 268-6914</span></a><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On
Mon, Apr 21, 2014 at 4:46
PM, Adam Lawson <<a
moz-do-not-send="true"
href="mailto:alawson@aqorn.com"
target="_blank">alawson@aqorn.com</a>>
wrote:<o:p></o:p></p>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm
0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">My initial concern is specific to Swift and gaining global access to all data by virtue of having access to a single proxy node. It seems more than access to system resources but a flaw in how data is controlled (and passwords are controlled).<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Mon, Apr
21, 2014 at 4:41
PM, Bryan D. Payne
<<a
moz-do-not-send="true"
href="mailto:bdpayne@acm.org" target="_blank">bdpayne@acm.org</a>>
wrote:<o:p></o:p></p>
<blockquote
style="border:none;border-left:solid
#CCCCCC
1.0pt;padding:0cm
0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">This would be a nice hardening step, but if you have sudo on the box there's a lot of things you can do / see. This is just the tip of the iceberg. For example, access to the backend db? Access to traffic on the network / unix sockets / etc? Access to logs.<o:p></o:p></p>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I am not aware of any current efforts to mask this information from the config files. But that doesn't mean it's not happening. If someone is aware of such an effort, I'd certainly be interested in learning more about it.<o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Cheers,<o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">-bryan<o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
<div>
<div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Mon, Apr
21, 2014 at
4:26 PM, Adam
Lawson <<a
moz-do-not-send="true" href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>>
wrote:<o:p></o:p></p>
</div>
</div>
<blockquote
style="border:none;border-left:solid
#CCCCCC
1.0pt;padding:0cm
0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Have .conf files containing credentials and tokens been addressed, or are they being addressed? Seems there are a lot of keys to the kingdom clearly visible to staff who have access to systems for day-to-day admin work but don't/shouldn't be able to view them. If they have sudo access, they have everything they need to get where they don't belong. Really strikes me as an obvious audit issue...<o:p></o:p></p>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt">_______________________________________________<br>
Openstack-security
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br>
<a
moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><o:p></o:p></p>
</blockquote>
</div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><o:p> </o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
</div>
</div>
</blockquote>
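A defender's check for the audit issue raised in this thread (.conf files carrying clear-text credentials and tokens, readable by anyone with shell access), added here as an example and not code from any OpenStack project or from anyone on the list. It assumes the INI layout OpenStack services use and a heuristic list of secret-bearing option names (both labelled as assumptions in the code), and reports findings without echoing the secrets themselves.

```python
"""Audit OpenStack-style .conf files for credentials stored in clear text.
Added example for the thread above (not code from any OpenStack project); it assumes
the INI layout OpenStack services use and a heuristic list of secret-bearing options."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Option names that normally hold a secret (assumed heuristic, not an official list).
SECRET_OPTION_RE = re.compile(r"password|passwd|secret|token|api_key", re.IGNORECASE)
# scheme://user:password@host..., the shape of e.g. [database] connection = mysql://...
URL_CRED_RE = re.compile(r"^([a-z][a-z0-9+.-]*://[^:/@\s]+:)([^@\s]+)(@.*)$", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    path: str
    line: int          # 0 for file-level findings
    section: str
    option: str
    reason: str
    detail: str = ""   # never carries the secret itself

def iter_options(text: str) -> Iterator[Tuple[int, str, str, str]]:
    """Yield (line_no, section, option, value) for a minimal INI dialect:
    [section] headers, 'key = value' or 'key: value', '#'/';' comment lines."""
    section = "DEFAULT"
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        m = re.match(r"^([^=:]+?)\s*[=:]\s*(.*)$", line)
        if m:
            yield line_no, section, m.group(1).strip(), m.group(2).strip()

def scan_text(text: str, path: str = "<constructed>") -> List[Finding]:
    """Flag options whose name or value exposes a clear-text credential."""
    findings: List[Finding] = []
    for line_no, section, option, value in iter_options(text):
        if not value:
            continue  # an unset option exposes nothing
        url = URL_CRED_RE.match(value)
        if url:  # report the URL with the password replaced, never the password
            redacted = url.group(1) + "***" + url.group(3)
            findings.append(Finding(path, line_no, section, option,
                                    "password embedded in connection URL", redacted))
        elif SECRET_OPTION_RE.search(option):
            findings.append(Finding(path, line_no, section, option,
                                    "secret stored in clear text"))
    return findings

def check_file_mode(path: str) -> List[Finding]:
    """A secret-bearing file must not be readable by 'other' (0o640 is the usual target)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        return [Finding(path, 0, "", "", "file is world-readable", oct(mode))]
    return []

def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return check_file_mode(path) + scan_text(text, path)

# Constructed sample in the shape of a nova.conf; the values are not real credentials.
SAMPLE_CONF = """\
[DEFAULT]
debug = False
[database]
connection = mysql://nova:NotARealPassw0rd@db.example.invalid/nova
[keystone_authtoken]
auth_uri = http://keystone.example.invalid:5000/
admin_user = nova
admin_password = NotARealPassw0rd
admin_tenant_name = service
"""

def demo() -> List[Finding]:
    """Write the sample with the (too loose) mode 0644 seen on many hosts and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_CONF)
        path = fh.name
    os.chmod(path, 0o644)
    try:
        return scan_file(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for f in demo():
        where = f.path if f.line == 0 else f"{f.path}:{f.line} [{f.section}] {f.option}"
        print(f"{where}: {f.reason} {f.detail}".rstrip())
```

Run against a real /etc/nova/nova.conf or swift proxy-server.conf the same three classes of finding apply: loose file mode, URL-embedded database passwords, and plain password/token options.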
<br>
</body>
</html>