[Openstack] [Heat] Locked Outputs

Randall Burt randall.burt at RACKSPACE.COM
Wed Nov 13 17:14:17 UTC 2013


On Nov 13, 2013, at 9:18 AM, Zane Bitter <zbitter at redhat.com> wrote:

> On 13/11/13 04:08, Andrew Plunk wrote:
>> Alright.
>> 
>> The problem:
>> ----------------
>> If a program generates a password, and displays it on a screen over and over again, it is more susceptible to being compromised.
> 
> OK, this is something we can work with, thanks :)
> 
>> Possible solutions:
>> ----------------
>> 1). Provide a way to limit the availability of stack outputs returned from heat.
> 
> This is IMHO a bad idea. Amongst other things it will cause chaos with nested stacks in combination with the multi-region feature coming up. It's not even a particularly good solution to the problem - what if the time you needed it was the second, not the first? (Maybe you accidentally clicked away, or maybe a connection dropped the first time.) What if you really need the password again later? What if the first time you viewed it (when it really does show the password) you didn't click away but just left it sitting around visible?
> 
>> 2). Provide a way to express metadata about stack outputs returned from heat.
> 
> This could involve something like a "Sensitive: true" field in the Output schema. Heat would ignore it but pass it on to clients so that something like the dashboard could e.g. require an extra click to show it, and hide it again after a timeout.
> 
> Alternatively, as lifeless points out, you could pass the password in using a hidden input. That's the currently supported way, and I suspect the better one in most cases.

I mostly agree with this suggestion. For symmetry with parameters, we could simply add a key to outputs "hidden: true". For things like stack-list, the default would be to display a masked value like we do for parameters. I think we should then add the ability to retrieve the unmasked values for parameters and outputs.

> 
> cheers,
> Zane.
>> 
>> ________________________________________
>> From: Clint Byrum [clint at fewbar.com]
>> Sent: Tuesday, November 12, 2013 8:46 PM
>> To: openstack
>> Subject: Re: [Openstack] [Heat] Locked Outputs
>> 
>> Excerpts from Andrew Plunk's message of 2013-11-12 17:24:25 -0800:
>>> Thanks for reiterating that Zane. The problem I have is I want to display generated passwords once, and only once in a ui. I want the ability to flag or conditionally display outputs based on conditions.
>>> 
>> 
>> A problem is stated with a cause and an effect "Users may lose control of
>> the UI after the first time outputs are displayed, leading to credential
>> compromise".
>> 
>> Another example: "English encourages use of overloaded terms which
>> can be ambiguous, requiring multiple iterations to communicate ideas
>> effectively."
>> 
>> Solution: "I want to define terms more clearly before using them in
>> sentences."
>> 
>> "I want to ..." is a _solution_.
>> 
>> Maybe we can try one more time?
>> 
>> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> 
> 
> 
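The thread proposes two things: a `hidden: true` (or `Sensitive: true`) flag on outputs that Heat passes through untouched, and clients that mask such outputs by default while still allowing the unmasked value to be retrieved. The following is an added illustration for this discussion, not Heat code and not anything from the Heat project. It assumes the proposed `hidden` key on outputs (not an existing Heat field), uses the `******` mask Heat already shows for hidden parameters, and adds a small template check that reports outputs which expose a `hidden` parameter without being flagged themselves. The template and API response below are constructed samples.

```python
"""Masking of hidden stack outputs plus a template check for outputs
that leak hidden parameters. Illustration only; not Heat's own code."""

# Placeholder Heat already shows for hidden parameters in stack-list.
MASK = "******"

# Constructed HOT-style template as a Python dict. The `hidden` key on
# outputs is the proposal from this thread, not an existing Heat field.
SAMPLE_TEMPLATE = {
    "heat_template_version": "2013-05-23",
    "parameters": {
        "db_password": {"type": "string", "hidden": True},
        "flavor": {"type": "string", "default": "m1.small"},
    },
    "outputs": {
        # Exposes the hidden parameter but is not flagged: should be reported.
        "admin_password": {"value": {"get_param": "db_password"}},
        # Exposes it too, but is flagged hidden: acceptable.
        "db_connection": {
            "hidden": True,
            "value": {"str_replace": {
                "template": "mysql://app:$pw@db/app",
                "params": {"$pw": {"get_param": "db_password"}},
            }},
        },
        # References only a non-hidden parameter.
        "flavor_used": {"value": {"get_param": "flavor"}},
    },
}

# Constructed shape of a stack-show response carrying the proposed flag.
SAMPLE_OUTPUTS = [
    {"output_key": "public_ip", "output_value": "203.0.113.10",
     "description": "Floating IP of the web server"},
    {"output_key": "db_password", "output_value": "s3cr3t-generated",
     "description": "Generated database password", "hidden": True},
]


def _params_referenced(value):
    """Yield every parameter name reached through get_param in a value,
    descending into nested dicts and lists (str_replace params etc.)."""
    if isinstance(value, dict):
        for key, sub in value.items():
            if key == "get_param":
                # get_param takes a bare name or [name, key, ...]
                yield sub[0] if isinstance(sub, list) else sub
            else:
                yield from _params_referenced(sub)
    elif isinstance(value, list):
        for item in value:
            yield from _params_referenced(item)


def unflagged_sensitive_outputs(template):
    """Return output names whose value derives from a hidden parameter
    but which lack the proposed `hidden: true` flag."""
    hidden_params = {
        name for name, schema in template.get("parameters", {}).items()
        if schema.get("hidden")
    }
    findings = []
    for name, out in template.get("outputs", {}).items():
        if out.get("hidden"):
            continue
        if set(_params_referenced(out.get("value"))) & hidden_params:
            findings.append(name)
    return sorted(findings)


def mask_outputs(outputs, show_hidden=False):
    """Client-side default: replace hidden output values with MASK unless
    the caller explicitly asks for the unmasked values. Does not mutate
    the input list."""
    masked = []
    for out in outputs:
        entry = dict(out)
        if entry.get("hidden") and not show_hidden:
            entry["output_value"] = MASK
        masked.append(entry)
    return masked


if __name__ == "__main__":
    print("Outputs leaking hidden parameters:",
          unflagged_sensitive_outputs(SAMPLE_TEMPLATE))
    for entry in mask_outputs(SAMPLE_OUTPUTS):
        print(entry["output_key"], "=", entry["output_value"])
```

The check is what a template author or CI job would run before publishing a stack: it catches the case where a generated secret is routed to an output nobody remembered to flag. The masking function is the dashboard side of the proposal; the secret stays in Heat and is fetched unmasked only on an explicit request, which is the behaviour Randall describes for parameters today.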