Open Stack

On Tue, Oct 3, 2017 at 11:00 PM, Giuseppe de Candia <
giuseppe.decandia at gmail.com> wrote:

> Hi Folks,
>
>
> Are there any documented conventions regarding the security model for
> MetaData?
>
>
> Note that CloudInit allows passing user and ssh service public/private
> keys via MetaData service (or ConfigDrive). One assumes it must be secure,
> but I have not found a security model or documentation.
>
>
> My understanding of the Neutron reference implementation is that MetaData
> requests are HTTP (not HTTPS) and go from the VM to the MetaData proxy on
> the Network Node (after which they are proxied to Nova meta-data API
> server). The path from VM to Network Node using HTTP cannot guarantee
> confidentiality and is also susceptible to Man-in-the-Middle attacks.
>
>
> Some Neutron drivers proxy Metadata requests locally from the node hosting
> the VM that makes the query. I have mostly seen this presented/motivated as
> a way of removing dependency on the Network node, but it should also
> increase security. Yet, I have not seen explicit discussions of the
> security model, nor any attempt to set a standard for security of the
> meta-data.
>
> Finally, there do not seem to be granular controls over what meta-data is
> presented over ConfigDrive (when enabled) vs. meta-data REST API. As an
> example, Nova vendor data is presented over both, if both are enabled;
> config drive is presumably more secure.
>
> thanks,
> Pino
>
>
>
The recommendation is not to use metadata for security sensitive data (its
possible to spoof by setting a X-Forwarded header), please see the
following OpenStack Security Note on the topic:

https://wiki.openstack.org/wiki/OSSN/OSSN-0074
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171004/34e9cf08/attachment.html>