← Back to team overview

openstack team mailing list archive

Re: Should the OpenStack API re-use the EC2 credentials?


Now that I have looked at the nova auth code, I see what you are getting at,
and doesn't work as I would have expected it to.  Essentially both auth
systems work the same, but the terminology is different.  As is, the easiest
thing to do would be to change _authorize_user in nova/api/openstack/auth.py
to translate username to key from the auth system, and key to the secret key
in the auth system.  That said, a better solution might be to abstract the
terms in the code by using something like (identity, secret) so that with
the EC2 api, identity would represent the api_key and the secret would
represent api_secret, and in the OS api,  identity would represent user, and
secret would represent api_key.


On Wed, Feb 23, 2011 at 10:19 PM, Justin Santa Barbara

> The issue is that _if_ you're also running the EC2 API over non-SSL (which
> is supposed to be safe - other than for replay attacks?), then you send the
> api_key in the clear (the api_secret remains secret because it's only
> 'passed' via the one-way-hashed signature.)  However, api_key is currently
> the OpenStack 'secret'/'password' (!).  So although we're not exposing the
> EC2 api_secret, using the EC2 API could expose a rather important piece of
> information for the OpenStack API.
> I don't think it's a critical vulnerability (hence it's in public
> channels), but I believe it needs to be fixed.
> Irrespective of the vulnerability, I think we should still have one set of
> user credentials.
> Justin
> On Wed, Feb 23, 2011 at 7:51 PM, Chuck Thier <cthier@xxxxxxxxx> wrote:
>>> However, I think we want the same credentials for users ('username' &
>>> 'password'), irrespective of the API (or auth protocol) they're using.  I
>>> think the weird terminology is what got us into the odd situation in which
>>> we now find ourselves where there are two sets of credentials (and one set
>>> exposes the secret of the other set!)
>> The exposing of the secret is not true, they are just named differently.
>>  Lets pretend you want to generalize the naming of everything via the EC2
>> api (api_key, api_secret).  If you switch to using OpenStack auth, then you
>> would send the api_key as the username, and the api_secret as the api_key.
>> There is no exposure of the secret key.
>> --
>> Chuck