<div>Now that I have looked at the nova auth code, I see what you are getting at, and doesn't work as I would have expected it to. Essentially both auth systems work the same, but the terminology is different. As is, the easiest thing to do would be to change _authorize_user in nova/api/openstack/auth.py to translate username to key from the auth system, and key to the secret key in the auth system. That said, a better solution might be to abstract the terms in the code by using something like (identity, secret) so that with the EC2 api, identity would represent the api_key and the secret would represent api_secret, and in the OS api, identity would represent user, and secret would represent api_key.</div>
<div><br></div><div>--</div><div>Chuck<br><br><div class="gmail_quote">On Wed, Feb 23, 2011 at 10:19 PM, Justin Santa Barbara <span dir="ltr"><<a href="mailto:justin@fathomdb.com">justin@fathomdb.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">The issue is that _if_ you're also running the EC2 API over non-SSL (which is supposed to be safe - other than for replay attacks?), then you send the api_key in the clear (the api_secret remains secret because it's only 'passed' via the one-way-hashed signature.) However, api_key is currently the OpenStack 'secret'/'password' (!). So although we're not exposing the EC2 api_secret, using the EC2 API could expose a rather important piece of information for the OpenStack API.<div>
<br>I don't think it's a critical vulnerability (hence it's in public channels), but I believe it needs to be fixed.</div><div><br></div><div>Irrespective of the vulnerability, I think we should still have one set of user credentials.</div>
<div><br></div><div><font color="#888888">Justin</font><div><div></div><div class="h5"><br>
<br><br><div class="gmail_quote">On Wed, Feb 23, 2011 at 7:51 PM, Chuck Thier <span dir="ltr"><<a href="mailto:cthier@gmail.com" target="_blank">cthier@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span style="border-collapse:collapse;font-family:arial, sans-serif;font-size:13px"><div>
<br></div>
<div>However, I think we want the same credentials for users ('username' & 'password'), irrespective of the API (or auth protocol) they're using. I think the weird terminology is what got us into the odd situation in which we now find ourselves where there are two sets of credentials (and one set exposes the secret of the other set!)</div>
<div><br></div></span></blockquote><div><br></div></div><div>The exposing of the secret is not true, they are just named differently. Lets pretend you want to generalize the naming of everything via the EC2 api (api_key, api_secret). If you switch to using OpenStack auth, then you would send the api_key as the username, and the api_secret as the api_key. There is no exposure of the secret key.</div>
<div><br></div><div>--</div><div>Chuck</div></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br></div>