[openstack-dev] [Heat] [Nova] [oslo] [Ceilometer] about notifications : huge and may be non secure

Swann Croiset swannon at gmail.com
Wed Jan 29 15:50:36 UTC 2014


Hi stackers,

I would like to share something I have been wondering about regarding Notifications.

I'm working [1] on Heat notifications and I noticed that:
1/ Heat uses its context to store 'password'
2/ Heat and Nova store 'auth_token' in the context too. I didn't check other
projects except for Neutron, which doesn't store auth_token.

This information is consequently sent through their notifications.

I guess we consider the broker secured, and network communications with
services too, BUT
shouldn't we delete this data anyway, since IIRC it is never used (at
least by Ceilometer), and in doing so
throw away the security question?

My other concern is the size (Kb) of notifications: 70% for auth_token
(with PKI)!
We can reduce the volume drastically and easily by deleting this data from
notifications.
I know that RabbitMQ (or others) is very robust and can handle this volume,
but when I see this kind of improvement, I am tempted to do it.

I see an easy way to fix that in oslo-incubator [2]:
delete keys of the context if they exist, config-driven, with "password" and
"auth_token" by default.

Thoughts?

[1] https://blueprints.launchpad.net/ceilometer/+spec/handle-heat-notifications
[2] https://github.com/openstack/oslo-incubator/blob/master/openstack/common/notifier/rpc_notifier.py
and others
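The config-driven scrubbing proposed in the post, as an added example that is not oslo-incubator's code: it drops configured keys from a context dict before the notification is emitted, ignores keys that are absent, and measures the size saving. The flattened `_context_<key>` spelling it also matches is an assumption about how the oslo RPC layer packs a context into a message.

```python
"""Added example, not oslo-incubator code: drop sensitive keys from a
notification context before it is handed to the notifier, with "password"
and "auth_token" removed by default, as the post proposes."""
import json

# Default keys to drop; an operator would override this from configuration.
DEFAULT_SENSITIVE_KEYS = ("password", "auth_token")


def scrub_context(context, sensitive_keys=DEFAULT_SENSITIVE_KEYS):
    """Return a copy of the context dict with the configured keys removed.

    Absent keys are simply ignored, nested dicts are scrubbed recursively,
    and the flattened '_context_<key>' spelling (assumed here to be how the
    oslo RPC layer packs a context into a message) is matched on the bare
    key name, so '_context_auth_token' is dropped along with 'auth_token'.
    """
    scrubbed = {}
    for key, value in context.items():
        bare = key[len("_context_"):] if key.startswith("_context_") else key
        if bare in sensitive_keys:
            continue
        if isinstance(value, dict):
            value = scrub_context(value, sensitive_keys)
        scrubbed[key] = value
    return scrubbed


def size_reduction(context, sensitive_keys=DEFAULT_SENSITIVE_KEYS):
    """Fraction of the JSON-serialised context removed by scrubbing, so the
    saving claimed in the post can be measured on real notifications."""
    before = len(json.dumps(context))
    after = len(json.dumps(scrub_context(context, sensitive_keys)))
    return 1.0 - after / before


# Constructed sample context: a PKI token is several KB of base64, which is
# why it dominates notification size.
SAMPLE_CONTEXT = {
    "user_id": "u-1",
    "tenant_id": "t-1",
    "request_id": "req-42",
    "password": "hunter2",              # constructed value
    "auth_token": "MIIF" + "A" * 4000,  # constructed, PKI-sized value
    "roles": ["Member"],
}

if __name__ == "__main__":
    print(sorted(scrub_context(SAMPLE_CONTEXT)))
    print("%.0f%% smaller" % (100 * size_reduction(SAMPLE_CONTEXT)))
```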