openstack team mailing list archive

[Justin Santa Barbara <justin@xxxxxxxxxxxx>]

The issue is that _if_ you're also running the EC2 API over non-SSL (which
is supposed to be safe - other than for replay attacks?), then you send the
api_key in the clear (the api_secret remains secret because it's only
'passed' via the one-way-hashed signature.)  However, api_key is currently
the OpenStack 'secret'/'password' (!).  So although we're not exposing the
EC2 api_secret, using the EC2 API could expose a rather important piece of
information for the OpenStack API.

I don't think it's a critical vulnerability (hence it's in public channels),
but I believe it needs to be fixed.

Irrespective of the vulnerability, I think we should still have one set of
user credentials.

Justin


On Wed, Feb 23, 2011 at 7:51 PM, Chuck Thier <cthier@xxxxxxxxx> wrote:

>
>> However, I think we want the same credentials for users ('username' &
>> 'password'), irrespective of the API (or auth protocol) they're using.  I
>> think the weird terminology is what got us into the odd situation in which
>> we now find ourselves where there are two sets of credentials (and one set
>> exposes the secret of the other set!)
>>
>>
> The exposing of the secret is not true, they are just named differently.
>  Lets pretend you want to generalize the naming of everything via the EC2
> api (api_key, api_secret).  If you switch to using OpenStack auth, then you
> would send the api_key as the username, and the api_secret as the api_key.
> There is no exposure of the secret key.
>
> --
> Chuck
>