openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #18118
Re: Handling of adminPass is arguably broken (essex)
On 11/1/12 9:36 AM, "Lars Kellogg-Stedman" <lars@xxxxxxxxxxxxxxxx> wrote:
>> Honestly I think the entire idea of passing a password in to the
>>instance at boot
>> time is insecure and flawed.
>
>I think that the use of a configuration drive is a reasonably way to
>provide configuration information to an instance, and it's more secure
>than the metadata server.
>
>In any case, the problem extends beyond passwords; the way injected
>network configuration and ssh keys are handled also make unreasonable
>assumptions about the target operating system and suffer from the same
>problems as password provisioning.
>
>I've put together a patch that solves my needs, available here:
>
> https://github.com/seas-computing/nova/commits/lars/admin_pass
>
>That branch incorporates also changes from the EPEL packages for
>2012.1.3 (since this is what we're running).
>
>It seems to work so far, although now we're facing a new problem: the
>adminPass generated by OpenStack is provided to people running the
>"nova boot ..." command line clients but (a) isn't exposed in the web
>ui and (b) doesn't appear to be otherwise accessible (e.g., via
>euca-describe-password).
Hey Lars,
(a) sounds like a bug in Horizon if that's not viewable immediately after
creating the instance. If we can confirm that is the case and file a bug,
that'd be good. It just comes back via the API so it should be available
to any client.
(b) is definitely not going to work - we don't store the password at all,
an intentional decision.
Gabe
>
>--
>Lars Kellogg-Stedman <lars@xxxxxxxxxxxxxxxx> |
>Senior Technologist |
>http://ac.seas.harvard.edu/
>Academic Computing |
>http://code.seas.harvard.edu/
>Harvard School of Engineering |
> and Applied Sciences |
>
>
>_______________________________________________
>Mailing list: https://launchpad.net/~openstack
>Post to : openstack@xxxxxxxxxxxxxxxxxxx
>Unsubscribe : https://launchpad.net/~openstack
>More help : https://help.launchpad.net/ListHelp
Follow ups
References