[Openstack] Should the OpenStack API re-use the EC2 credentials?

Thierry Carrez thierry at openstack.org
Thu Feb 24 08:49:59 UTC 2011

Justin Santa Barbara wrote:
> Here's an overview of the problem:
> EC2 uses an (api_key, api_secret) pair.  Post-revert, OpenStack uses the
> api_key(!) as the password, but a different value entirely as the
> username: (username, api_key).  The bugfix made it so that both APIs
> used the EC2 credentials (api_key, api_secret) .  This did mean that
> anyone that had saved the 'bad' OpenStack credentials was unable to
> continue to use those credentials.  I also overlooked exporting the
> updated credentials in novarc (though a merge request was pending).
> [...]
> As things stand now, post-revert, this is probably a security flaw,
> because the EC2 API does not treat the api_key as a secret.  The EC2 API
> can (relatively) safely be run over non-SSL, because it uses signatures
> instead of passing the shared secret directly.

That's two different issues. (1) is a consistency vs. ease-of-use issue
(you want both APIs to use the same set of credentials, even if that
means changing from a human-memorable username to a complex api_key).
(2) is a security issue: using the non-secret api_key as the secret
component in OpenStack API.

As far as (1) is concerned, it's a trade-off where there is no obvious
right and wrong solution, so it needs to be openly discussed.

For (2) I think we *need* to move to using something secret rather than
api_key as the "password" in OpenStack API. That's a security issue.

I like how Dragon presented the options on the whiteboard at:

In all cases, changes that will break existing systems, even if they are
badly wanted, should systematically raise a preventive thread on the ML
so that people know it will break (and how to fix it) and others can
propose alternative solutions.

Thierry Carrez (ttx)
Release Manager, OpenStack

More information about the Openstack mailing list