yahoo-eng-team team mailing list archive

[Bug 1412855] Re: Horizon logs in with unencrypted credentials

 

This is not a Horizon issue, this is a deployment issue. Perhaps an
opportunity for Fuel installer.

We do already have documented in the security guide that HTTPS should be
used: http://docs.openstack.org/security-guide/content/ch025_web-dashboard.html

** Also affects: fuel
   Importance: Undecided
       Status: New

** Changed in: horizon
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1412855

Title:
  Horizon logs in with unencrypted credentials

Status in Fuel: OpenStack installer that works:
  New
Status in OpenStack Dashboard (Horizon):
  Invalid

Bug description:
  Horizon logs in with unencrypted credentials over HTTP.

  Steps:
  1) Open browser development tools.
  2) Log in to Horizon.
  3) Find POST request with "/horizon/auth/login" path.

  Request details:

  Remote Address:172.16.0.2:80
  Request URL:http://172.16.0.2/horizon/auth/login/
  Request Method:POST
  Status Code:302 FOUND
  Form Data:
  csrfmiddlewaretoken=ulASpgYAsaikVCWsBxH6kFN2MECpaT9Y&region=http%3A%2F%2F192.168.0.1%3A5000%2Fv2.0&username=admin&password=admin

  Actual: security settings are applied at the product deployment stage.

  Expected: use HTTPS by default to improve infrastructure security at
  the installation and deployment stage.

  Environment:
  Fuel "build_id": "2014-12-26_14-25-46","release": "6.0"
  Dashboard Version: 2014.2

To manage notifications about this bug go to:
https://bugs.launchpad.net/fuel/+bug/1412855/+subscriptions
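
The manual check in the bug description (find the login POST in the browser tools and look at its scheme and form data) can be automated over exported request captures. The following is an added example, not part of the original report or of Horizon or Fuel; the input shape, the `SENSITIVE_FIELDS` set, the function name and the sample entries are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Form field names treated as credentials (assumption for this example).
SENSITIVE_FIELDS = {"password", "passwd"}


def cleartext_credential_posts(requests):
    """Return findings for POSTs that carry credential fields over plain HTTP.

    `requests` is a list of dicts with "method", "url" and "body" keys
    (hypothetical shape, e.g. reduced from a browser dev-tools export).
    """
    findings = []
    for req in requests:
        if req["method"].upper() != "POST":
            continue
        url = urlsplit(req["url"])
        if url.scheme.lower() != "http":
            continue  # only plain HTTP is of interest here
        fields = parse_qs(req.get("body", ""), keep_blank_values=True)
        exposed = sorted(k for k in fields if k.lower() in SENSITIVE_FIELDS)
        if exposed:
            # Report field names only, never the submitted values.
            findings.append(
                {"host": url.netloc, "path": url.path, "fields": exposed}
            )
    return findings


# Constructed sample capture. The first entry is modelled on the request in
# the bug description, with placeholder values instead of real ones; the
# other two are constructed negatives (HTTPS login, plain-HTTP GET).
SAMPLE = [
    {"method": "POST",
     "url": "http://172.16.0.2/horizon/auth/login/",
     "body": "csrfmiddlewaretoken=PLACEHOLDER"
             "&region=http%3A%2F%2F192.168.0.1%3A5000%2Fv2.0"
             "&username=admin&password=PLACEHOLDER"},
    {"method": "POST",
     "url": "https://dashboard.example.test/horizon/auth/login/",
     "body": "username=admin&password=PLACEHOLDER"},
    {"method": "GET",
     "url": "http://172.16.0.2/horizon/static/app.css",
     "body": ""},
]

if __name__ == "__main__":
    for finding in cleartext_credential_posts(SAMPLE):
        print("cleartext credential POST:", finding)
```

Only the first sample entry is reported: the HTTPS login and the GET request are ignored, and `csrfmiddlewaretoken` is not flagged because field names are matched exactly.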