yahoo-eng-team team mailing list archive

[Bug 1126384] Re: Plain-text quantum credential in nova.conf is a security hole

 

Technically this belongs to the Nova project.  I understand the desire
to remove the admin credentials from the configuration file, but I'm not
sure it is possible given the current interactions between Nova/Quantum.
I'm keeping this bug here for the time being so that the Quantum team
can discuss.

** Changed in: quantum
       Status: New => Opinion

** Tags added: nova

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to quantum.
https://bugs.launchpad.net/bugs/1126384

Title:
  Plain-text quantum credential in nova.conf is a security hole

Status in OpenStack Quantum (virtual network service):
  Opinion

Bug description:
  At present, for nova compute to interact with the quantum API, nova.conf
  requires the quantum credential to be configured in plain text:

  quantum_url = http://<host>:9696
  quantum_admin_tenant_name = service
  quantum_auth_strategy = keystone
  quantum_admin_auth_url = http://<keystone-host>:35357/v2.0
  quantum_admin_password = openstack
  quantum_admin_username = quantum


  What's worse is that these credentials have the admin role and can access anything.
  It would be ideal if a user authentication token could be used, but I'm not sure how feasible this is from the compute node side.

To manage notifications about this bug go to:
https://bugs.launchpad.net/quantum/+bug/1126384/+subscriptions
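
An added example, not part of the original bug report or of Nova's own code: a small Python audit that flags plain-text `*_password` options in a nova.conf-style file without printing their values, and reports when such a file is readable by group or other. The `[DEFAULT]` section header, the `_password` suffix match and the function names are assumptions made for illustration.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample: the options from the bug description, placed under
# [DEFAULT] (an assumption; the report shows them without a section header).
SAMPLE = """[DEFAULT]
quantum_url = http://<host>:9696
quantum_admin_tenant_name = service
quantum_auth_strategy = keystone
quantum_admin_auth_url = http://<keystone-host>:35357/v2.0
quantum_admin_password = openstack
quantum_admin_username = quantum
"""

def audit_conf(path):
    """Return findings as tuples; secret values are never included."""
    # No %-interpolation; default_section renamed so [DEFAULT] is listed.
    parser = configparser.RawConfigParser(default_section="__unused__", strict=False)
    with open(path) as fh:
        parser.read_file(fh)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if option.endswith("_password") and value.strip():
                findings.append(("plaintext-secret", section, option))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if findings and mode & 0o077:
        findings.append(("readable-by-group-or-other", oct(mode)))
    return findings

def demo():
    """Audit the constructed sample at mode 0644, then again at 0600."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        loose = audit_conf(path)
        os.chmod(path, 0o600)
        tight = audit_conf(path)
    finally:
        os.remove(path)
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

Tightening the file mode removes only the second finding; the plain-text credential is still reported, since the password remains in the file for anyone who can read it.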