openstack team mailing list archive

Thread
Date

Re: Should the OpenStack API re-use the EC2 credentials?

To: Justin Santa Barbara <justin@xxxxxxxxxxxx>
From: Chuck Thier <cthier@xxxxxxxxx>
Date: Wed, 23 Feb 2011 22:40:58 -0600
Cc: openstack@xxxxxxxxxxxxxxxxxxx
In-reply-to: <AANLkTimj4Xz9ZBshMo8OCLPLW6W6hh5m6j0OT47Hsgbq@mail.gmail.com>

Now that I have looked at the nova auth code, I see what you are getting at,
and doesn't work as I would have expected it to.  Essentially both auth
systems work the same, but the terminology is different.  As is, the easiest
thing to do would be to change _authorize_user in nova/api/openstack/auth.py
to translate username to key from the auth system, and key to the secret key
in the auth system.  That said, a better solution might be to abstract the
terms in the code by using something like (identity, secret) so that with
the EC2 api, identity would represent the api_key and the secret would
represent api_secret, and in the OS api,  identity would represent user, and
secret would represent api_key.

--
Chuck

On Wed, Feb 23, 2011 at 10:19 PM, Justin Santa Barbara
<justin@xxxxxxxxxxxx>wrote:

> The issue is that _if_ you're also running the EC2 API over non-SSL (which
> is supposed to be safe - other than for replay attacks?), then you send the
> api_key in the clear (the api_secret remains secret because it's only
> 'passed' via the one-way-hashed signature.)  However, api_key is currently
> the OpenStack 'secret'/'password' (!).  So although we're not exposing the
> EC2 api_secret, using the EC2 API could expose a rather important piece of
> information for the OpenStack API.
>
> I don't think it's a critical vulnerability (hence it's in public
> channels), but I believe it needs to be fixed.
>
> Irrespective of the vulnerability, I think we should still have one set of
> user credentials.
>
> Justin
>
>
>
> On Wed, Feb 23, 2011 at 7:51 PM, Chuck Thier <cthier@xxxxxxxxx> wrote:
>
>>
>>> However, I think we want the same credentials for users ('username' &
>>> 'password'), irrespective of the API (or auth protocol) they're using.  I
>>> think the weird terminology is what got us into the odd situation in which
>>> we now find ourselves where there are two sets of credentials (and one set
>>> exposes the secret of the other set!)
>>>
>>>
>> The exposing of the secret is not true, they are just named differently.
>>  Lets pretend you want to generalize the naming of everything via the EC2
>> api (api_key, api_secret).  If you switch to using OpenStack auth, then you
>> would send the api_key as the username, and the api_secret as the api_key.
>> There is no exposure of the secret key.
>>
>> --
>> Chuck
>>
>
>

References

Should the OpenStack API re-use the EC2 credentials?
From: Justin Santa Barbara, 2011-02-24
Re: Should the OpenStack API re-use the EC2 credentials?
From: Chuck Thier, 2011-02-24
Re: Should the OpenStack API re-use the EC2 credentials?
From: Justin Santa Barbara, 2011-02-24
Re: Should the OpenStack API re-use the EC2 credentials?
From: Chuck Thier, 2011-02-24
Re: Should the OpenStack API re-use the EC2 credentials?
From: Justin Santa Barbara, 2011-02-24