[Openstack] [Heat] Locked Outputs

Steven Dake sdake at redhat.com
Wed Nov 13 16:00:56 UTC 2013


On 11/12/2013 08:08 PM, Andrew Plunk wrote:
> Alright.
>
> The problem:
> ----------------
> If a program generates a password, and displays it on a screen over and over again, it is more susceptible to being compromised.
I don't buy the problem.  Using an analogy, the first time the 
information is shared, it becomes public.  It can then be assumed that 
once information is shared the *first* time, anyone that cares about 
that information now knows it.

Passwords work the same way - if a user sees the password once, they 
could write it down, give it to their friends, post it on twitter, etc.  
The fact that it is exposed via the GUI multiple times isn't any more 
dangerous than these other scenarios.

Further argument is if you don't trust your users with the password, 
don't put it in the outputs section.  I don't quite get how this would 
enhance security though, because if they have the OpenStack credentials, 
theoretically they could access the VM and obtain the password whether 
you like it or not.  Further, they stack-create'ed the vm so ideally 
they would have responsibility for the security of the stack.

Regards
-steve


> Possible solutions:
> ----------------
> 1).Provide a way to limit the availability of stack outputs returned from heat.
> 2).Provide a way to express metadata about stack outputs returned from heat.
>
> ________________________________________
> From: Clint Byrum [clint at fewbar.com]
> Sent: Tuesday, November 12, 2013 8:46 PM
> To: openstack
> Subject: Re: [Openstack] [Heat] Locked Outputs
>
> Excerpts from Andrew Plunk's message of 2013-11-12 17:24:25 -0800:
>> Thanks for reiterating that Zane. The problem I have is I want to display generated passwords once, and only once in a ui. I want the ability to flag or conditionally display outputs based on conditions.
>>
> A problem is stated with a cause and an effect "Users may lose control of
> the UI after the first time outputs are displayed, leading to credential
> compromise".
>
> Another example: "English encourages use of overloaded terms which
> can be ambiguous, requiring multiple iterations to communicate ideas
> effectively."
>
> Solution: "I want to define terms more clearly before using them in
> sentences."
>
> "I want to ..." is a _solution_.
>
> Maybe we can try one more time?
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
