[Openstack-operators] Gaining access to consoles.
Matt Fischer
matt at mattfischer.com
Tue Aug 11 01:16:43 UTC 2015
On Sun, Aug 9, 2015 at 11:59 PM, Tony Breeds <tony at bakeyournoodle.com>
wrote:
> Hi All,
> Nova has bug: https://bugs.launchpad.net/nova/+bug/1447679 (service
> No-VNC
> (port 6080) doesn't require authentication).
>
> Which explains that if you know the 'token'[1] associated with an instances
> console you can get access to said console without otherwise proving that
> you
> should be allowed access to that instance[3].
>
> Nothing limits the problem to VNC, so all console types are potentially
> affected.
>
> There is a proposed solution (https://review.openstack.org/#/c/182129)
> which
> adds a config option that means a token is only valid for a single usei[4].
> The assertion is that bookmarking a URL to a console and then using it
> multiple
> times is something that we want to still allow albeit discouraged. When
> the
> config value is introduced it will default to False (meaning that the
> bookmarking scenario above will still work). At some stage it'd be ideal
> to
> invert this so that the option is True and operators can switch it if
> appropriate.
>
I'm not excited about making this the default until token revocations don't
impact performance the way that they do now. I don't know how often this
would get exercised though, but the impact of 100+ token revokes is
noticeable on every API call.
>
> I don't think that much of that in controversial, my question is what
> should
> the schedule for switching this be? Assuming we land a fix in Liberty[5],
> make
> the change in Mitaka? Norbert?
>
> Also is being able to bookmark/save the token a thing that users do?
>
> Yours Tony.
>
> [1] How you get that token isn't really the issue, it could be a network or
> browser issue [2]
> [2] I should look at the documentation of how we configure console access
> to
> ensure it's "secure" by default
> [3] Even if the console isn't logged in this is a bad thing(tm)
> [4] There is an outstanding issue with SPICE that is being looked into
> [5] Which isn't a given.
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150810/a98e3612/attachment.html>
More information about the OpenStack-operators
mailing list