[openstack-dev] [fuel][plugins]Security problem in Fuel 7.0

Javeria Khan javeriak at plumgrid.com
Mon Dec 7 16:52:52 UTC 2015


My two cents. It would be useful to have a role that could execute on the
Fuel Master host itself rather than a container.

--
Javeria
On Dec 7, 2015 9:49 PM, "Roman Prykhodchenko" <me at romcheg.me> wrote:

> Alexey,
>
> thank you for bringing this up. IMO discussing security problems is better
> done in a special kind of Launchpad bug.
>
> - romcheg
>
>
> > On 7 Dec 2015, at 17:36, Alexey Elagin <aelagin at mirantis.com> wrote:
> >
> > Hello all,
> >
> > We have a security problem in Fuel 7.0. It's related to plugin
> > development and allows executing code in the mcollective docker container
> > on the Fuel master node. Any Fuel plugin may contain a YAML file with
> > deployment tasks (tasks.yaml, deployment_tasks.yaml etc.) and there is
> > an ability to run some code on a node with role "master". It's also
> > possible to connect to any target node via ssh without a password from
> > within the container.
> >
> > As I understood, it was made to simplify some deployment cases. I see
> > some steps for resolving this situation:
> > 1. Fuel team should disallow execution of any puppet manifests or bash
> >    code on nodes with master role.
> > 2. Append the Fuel documentation. Notify users about this security issue.
> >
> > What do you think about it? What deployment cases which require
> > execution of code on role "master" do you know?
> >
> > --
> > Best regards,
> > Alexey
> > Deployment Engineer
> > Mirantis, Inc
> > Cell: +7 (968) 880 2288
> > Skype: shikelbober
> > Slack: aelagin
> > mailto:aelagin at mirantis.com
> >
> >
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
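A pre-installation review check for the issue described in the quoted report, added here as an example; it is not part of the thread and not Fuel's own code. It flags plugin tasks that would run shell or puppet code on role "master". It assumes each task entry carries `role`, `type` and `parameters` keys and that the task file has already been parsed into a list of dicts (for example with a YAML loader); the sample tasks are constructed.

```python
"""Flag Fuel plugin tasks that execute code on role "master" (added example)."""

# Task types that run code, per the report: puppet manifests or bash code.
CODE_EXEC_TYPES = {"shell", "puppet"}
MASTER_ROLE = "master"


def roles_of(task):
    """Return the task's roles as a list; the field may be a string or a list."""
    role = task.get("role") or []
    return [role] if isinstance(role, str) else [str(r) for r in role]


def find_master_tasks(tasks, source="<tasks>"):
    """Return one finding per code-executing task that targets the master role."""
    findings = []
    for index, task in enumerate(tasks or []):
        if not isinstance(task, dict):
            continue  # malformed entry: nothing to evaluate
        if MASTER_ROLE not in roles_of(task):
            continue
        if task.get("type") not in CODE_EXEC_TYPES:
            continue
        params = task.get("parameters") or {}
        findings.append({
            "source": source,
            "index": index,
            "id": task.get("id"),
            "type": task["type"],
            # What would run: the shell command or the puppet manifest path.
            "payload": params.get("cmd") or params.get("puppet_manifest") or "",
        })
    return findings


# Constructed sample: the shape a parsed tasks.yaml is assumed to have.
SAMPLE_TASKS = [
    {"role": ["controller"], "type": "shell",
     "parameters": {"cmd": "./deploy.sh", "timeout": 300}},
    {"role": ["master"], "type": "shell",
     "parameters": {"cmd": "./prepare.sh", "timeout": 60}},
    {"id": "example-manifest", "role": "master", "type": "puppet",
     "parameters": {"puppet_manifest": "site.pp", "timeout": 120}},
    {"role": ["compute"], "type": "puppet",
     "parameters": {"puppet_manifest": "compute.pp", "timeout": 120}},
]

if __name__ == "__main__":
    for f in find_master_tasks(SAMPLE_TASKS, "tasks.yaml"):
        print(f"{f['source']}[{f['index']}] {f['type']} on master: {f['payload']}")
```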