Open Stack

On 13/11/13 04:08, Andrew Plunk wrote:
> Alright.
>
> The problem:
> ----------------
> If a program generates a password, and displays it on a screen over and over again, it is more susceptible to being compromised.

OK, this is something we can work with, thanks :)

> Possible solutions:
> ----------------
> 1).Provide a way to limit the availability of stack outputs returned from heat.

This is IMHO a bad idea. Amongst other things it will cause chaos with 
nested stacks in combination with the multi-region feature coming up. 
It's not even a particularly good solution to the problem - what if the 
time you needed it was the second, not the first? (Maybe you 
accidentally clicked away, or maybe a connection dropped the first 
time.) What if you really need the password again later? What if the 
first time you viewed it (when it really does show the password) you 
didn't click away but just left it sitting around visible?

> 2).Provide a way to express metadata about stack outputs returned from heat.

This could involve something like a "Sensitive: true" field in the 
Output schema. Heat would ignore it but pass it on to clients so that 
something like the dashboard could e.g. require an extra click to show 
it, and hide it again after a timeout.

Alternatively, as lifeless points out, you could pass the password in 
using a hidden input. That's the currently supported way, and I suspect 
the better one in most cases.

cheers,
Zane.
>
> ________________________________________
> From: Clint Byrum [clint at fewbar.com]
> Sent: Tuesday, November 12, 2013 8:46 PM
> To: openstack
> Subject: Re: [Openstack] [Heat] Locked Outputs
>
> Excerpts from Andrew Plunk's message of 2013-11-12 17:24:25 -0800:
>> Thanks for reiterating that Zane. The problem I have is I want to display generated passwords once, and only once in a ui. I want the ability to flag or conditionally display outputs based on conditions.
>>
>
> A problem is stated with a cause and an effect "Users may lose control of
> the UI after the first time outputs are displayed, leading to credential
> compromise".
>
> Another example: "English encourages use of overloaded terms which
> can be ambiguous, requiring multiple iterations to communicate ideas
> effectively."
>
> Solution: "I want to define terms more clearly before using them in
> sentences."
>
> "I want to ..." is a _solution_.
>
> Maybe we can try one more time?
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>