[Openstack] [Heat] Locked Outputs

Steven Hardy shardy at redhat.com
Tue Nov 12 11:06:41 UTC 2013


On Thu, Nov 07, 2013 at 05:07:16PM +0000, Andrew Plunk wrote:
> The problem I am trying to solve here is not to secure an output, but to provide the ability to only display an output to an end user one time.

I still think we need more info regarding the actual use-case; this sounds
like you're trying to build a UI-ish access pattern into Heat at the API
level?

> >So it seems that the problem you are seeking to solve is limiting access
> >to sensitive outputs. The solution mentioned above certainly narrows
> >the attack surface, but it suffers from a DoS race condition where a
> >bad actor can lock you out of your own resource.
> 
> Also, if an attacker is able to authenticate as your account, you have much bigger problems than them locking you out of an output.

Exactly, if a user can authenticate with Heat, and has sufficient
privileges, why wouldn't they be able to access the outputs of the stack,
sensitive or otherwise?

The whole idea that providing the output value to the (authenticated)
user only once improves security seems bogus to me - I mean, if I give
you my credit card details, you have them, doesn't matter if I tell you
them 1 or 100 times ;)

Steve