[Openstack] [Openstack-security] API Security

Nathan Kinder nkinder at redhat.com
Tue Apr 29 15:10:01 UTC 2014



On 04/29/2014 08:03 AM, Hao Wang wrote:
> SSL terminator will terminate at the network boundary. I am thinking if
> the crackers can figure out a way to sneak into the internal network and
> capture all the sensitive information still. Is this a concern for a
> private cloud?

Yes, it's definitely still a concern.  If you read the blog post that
Rob mentioned, it's talking about setting up an SSL/TLS terminator on the
same physical system as the API endpoints to prevent traffic from being
sent over the network in the clear.  You might also have SSL/TLS
termination at the network boundary for load-balancing purposes, then a
re-encryption to protect traffic on the internal networks.

-NGK

> 
> 
> On Tue, Apr 29, 2014 at 10:39 AM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
> 
>     Hao Wang wrote:
> 
>         Thanks. It makes sense. The other questions are, would
>         Heartbleed be a
>         potential risk? Which solution is being used in OpenStack SSL?
> 
> 
>     Native SSL services (eventlet) are based on OpenSSL, as is Apache
>     (horizon) so yes, the risk is there if you haven't updated your
>     OpenSSL libraries.
> 
>     The general consensus however is to use SSL terminators rather than
>     enabling SSL in the endpoints directly. You'd need to investigate
>     the SSL library in the terminator you choose, though it would likely
>     be OpenSSL.
> 
>     Check this out as well, https://blog-nkinder.rhcloud.com/?p=7
> 
>     rob
> 
> 
> 
>         On Tue, Apr 29, 2014 at 10:07 AM, Clark, Robert Graham
>         <robert.clark at hp.com> wrote:
> 
>             This is why any production API servers should all be running
>             TLS/SSL – to protect the confidentiality of messages in flight.
> 
> 
>             There have been efforts to remove sensitive information from
>             logs. I'm a little surprised that passwords are logged in Neutron.
> 
> 
>             *From:* Hao Wang [mailto:hao.1.wang at gmail.com]
>             *Sent:* 29 April 2014 14:06
>             *To:* openstack-security at lists.openstack.org
>             *Cc:* openstack; Aaron Knister
>             *Subject:* Re: [Openstack-security] [Openstack] API Security
> 
>             Adding security group...
> 
> 
> 
>             On Sat, Apr 26, 2014 at 4:25 PM, Hao Wang
>             <hao.1.wang at gmail.com> wrote:
> 
>                 It is the client. I got this message with DEBUG enabled:
> 
>                 curl -i 'http://192.168.56.103:35357/v2.0/tokens' -X POST \
>                     -H "Content-Type: application/json" \
>                     -H "Accept: application/json" \
>                     -H "User-Agent: python-novaclient" \
>                     -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}'
> 
>                 It can be seen that username and password are right in the
>                 message.
> 
>                 Hao
> 
> 
> 
>                 On Sat, Apr 26, 2014 at 4:08 PM, Aaron Knister
>                 <aaron.knister at gmail.com> wrote:
> 
>                     Was it the client or the server that exposed the
>                     credentials?
> 
>                     Sent from my iPhone
> 
> 
> 
>                     On Apr 26, 2014, at 2:28 PM, Hao Wang
>                     <hao.1.wang at gmail.com> wrote:
> 
>                         Hi,
> 
>                         I am troubleshooting a neutron case. It was just
>                         found that if DEBUG was enabled, neutron would print
>                         out JSON data with username and password. I am
>                         wondering what kind of protocol is used in a
>                         production environment to prevent this security risk
>                         from happening.
> 
>                         Thanks,
> 
>                         Hao
> 
> 
>                         _________________________________________________
>                         Mailing list:
>                         http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>                         Post to     : openstack at lists.openstack.org
>                         Unsubscribe :
>                         http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> 
> 
> 
> 
> 
>         _________________________________________________
>         Openstack-security mailing list
>         Openstack-security at lists.openstack.org
>         http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
> 
> 
> 
> 
> 
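The DEBUG leak that started this thread (a client echoing the Keystone token request, password included, into a log) is usually fixed at the logging boundary rather than by disabling DEBUG. The following is an added example, not code from the thread, from Neutron or from oslo: it masks credential values in a parsed JSON body and, for the case where the body is only available as an opaque string such as a logged curl line, in the raw text. The sample body is constructed from the curl command quoted above; the SENSITIVE_KEYS deny-list and the mask_dict / mask_text / safe_debug_body names are this example's own assumptions.

```python
import json
import re
from typing import Any

# Constructed sample: the Keystone v2.0 token request body quoted in the
# thread, i.e. exactly what a DEBUG log line would echo back verbatim.
SAMPLE_AUTH_BODY = (
    '{"auth": {"tenantName": "admin", "passwordCredentials": '
    '{"username": "admin", "password": "admin"}}}'
)

# Assumption: an illustrative deny-list of key names whose values must never
# reach a log; a real deployment extends it (API keys, secrets, ...).
SENSITIVE_KEYS = frozenset({"password", "token", "auth_token", "secret"})
MASK = "***"
_KEY_ALT = "|".join(sorted(SENSITIVE_KEYS, key=len, reverse=True))

# JSON form:  "password": "value"   (value may contain escaped quotes)
_JSON_PAT = re.compile(
    r'("(?:%s)"\s*:\s*")([^"\\]*(?:\\.[^"\\]*)*)(")' % _KEY_ALT, re.IGNORECASE
)
# Form/query form:  password=value
_KV_PAT = re.compile(r"\b((?:%s)=)([^&\s']+)" % _KEY_ALT, re.IGNORECASE)


def mask_dict(obj: Any) -> Any:
    """Return a deep copy of a parsed JSON structure with sensitive values
    replaced. Recursion means nesting depth is irrelevant: the thread's
    auth -> passwordCredentials -> password is caught like a top-level key."""
    if isinstance(obj, dict):
        return {
            k: (MASK if k.lower() in SENSITIVE_KEYS else mask_dict(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [mask_dict(v) for v in obj]
    return obj


def mask_text(text: str) -> str:
    """Mask sensitive values inside an arbitrary log string, for the common
    case where the client logs its curl equivalent as one opaque string."""
    text = _JSON_PAT.sub(lambda m: m.group(1) + MASK + m.group(3), text)
    return _KV_PAT.sub(lambda m: m.group(1) + MASK, text)


def safe_debug_body(body: str) -> str:
    """The string a DEBUG logger should emit for a request body: parse JSON
    when possible so the structure stays readable, otherwise fall back to
    the text masker."""
    try:
        return json.dumps(mask_dict(json.loads(body)), sort_keys=True)
    except ValueError:
        return mask_text(body)


if __name__ == "__main__":
    print("unsafe:", SAMPLE_AUTH_BODY)
    print("safe:  ", safe_debug_body(SAMPLE_AUTH_BODY))
    curl_line = (
        "curl -X POST -d '%s' http://192.168.56.103:35357/v2.0/tokens"
        % SAMPLE_AUTH_BODY
    )
    print("safe:  ", mask_text(curl_line))
```

Masking at the point where the log line is built is what keeps the username (useful for troubleshooting) while dropping the password; the structural pass is preferred because it cannot be fooled by whitespace or key-order variations, and the regex pass only exists for strings that were never parsed. Neither replaces TLS on the wire: a masked log does nothing for the same body crossing the network over plain http, which the quoted curl command still does.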



