yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #40957
[Bug 1514768] [NEW] LBaaS v2 - Barbican TLS containers consuming misuse
Public bug reported:
LBaaS v2 plugin is using barbican TLS containers and locally stored certificates for TLS termination on listeners.
There are several issues with current implementation of this functionality.
When Barbican Certificate Manager is used:
LBaaS plugin is in charge of registering resource consumer and removing resource consumer in barbican.
This is not a right approach in general, since only provider's successfully applied operation on back-end system means
real certificate consuming.
In case when provider's driver failed to apply TLS settings on backend system, certificate consumer registration
should not take place. With the current implementation, consumer will not be removed from barbican which is a problem.
The plugin should only retrieve certificate for validation without registering resource consumer.
Provider's driver should:
a) Register certificate consumer when certificate is used in back-end LB system.
b) Remove certificate consumer when certificate is not used in back-end LB system anymore.
When Local Certificate Manager is used:
In current implementation, certificates that did not pass validation are removed. Actually removed from file system.
IMO, it's not a good practice to remove tenant's certificate files from a file system, even if certificate is invalid.
Proposal for fixing those:
1. Rename Certificate Manager API functions. There should be:
get_cert - getting the certificate info without registering resource consumer. Plugin and provider's driver will use this
for getting certificate data for validation or usage on back-end system.
register_cert_consumer - Registering consumer in barbican. Provider's driver will use this to register resource consumer
after successful certificate appliance on a back-end system.
unregister_cert_consumer - Removing consumer in barbican. Provider's driver will use this to remove resource consumer
for certificate(s) that are not used in back-end system any more.
2. Local Certificate Manager should not delete certificate files from file system in case when certificate is invalid.
get_cert - getting certificate data from certificate files. Plugin and provider's driver will use this
for getting certificate data for validation or usage on back-end system.
register_cert_consumer and unregister_cert_consumer functions will do nothing since no resource consumer
registration/removal is needed.
** Affects: neutron
Importance: Undecided
Assignee: Evgeny Fedoruk (evgenyf)
Status: New
** Tags: lbaas
** Changed in: neutron
Assignee: (unassigned) => Evgeny Fedoruk (evgenyf)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1514768
Title:
LBaaS v2 - Barbican TLS containers consuming misuse
Status in neutron:
New
Bug description:
LBaaS v2 plugin is using barbican TLS containers and locally stored certificates for TLS termination on listeners.
There are several issues with current implementation of this functionality.
When Barbican Certificate Manager is used:
LBaaS plugin is in charge of registering resource consumer and removing resource consumer in barbican.
This is not a right approach in general, since only provider's successfully applied operation on back-end system means
real certificate consuming.
In case when provider's driver failed to apply TLS settings on backend system, certificate consumer registration
should not take place. With the current implementation, consumer will not be removed from barbican which is a problem.
The plugin should only retrieve certificate for validation without registering resource consumer.
Provider's driver should:
a) Register certificate consumer when certificate is used in back-end LB system.
b) Remove certificate consumer when certificate is not used in back-end LB system anymore.
When Local Certificate Manager is used:
In current implementation, certificates that did not pass validation are removed. Actually removed from file system.
IMO, it's not a good practice to remove tenant's certificate files from a file system, even if certificate is invalid.
Proposal for fixing those:
1. Rename Certificate Manager API functions. There should be:
get_cert - getting the certificate info without registering resource consumer. Plugin and provider's driver will use this
for getting certificate data for validation or usage on back-end system.
register_cert_consumer - Registering consumer in barbican. Provider's driver will use this to register resource consumer
after successful certificate appliance on a back-end system.
unregister_cert_consumer - Removing consumer in barbican. Provider's driver will use this to remove resource consumer
for certificate(s) that are not used in back-end system any more.
2. Local Certificate Manager should not delete certificate files from file system in case when certificate is invalid.
get_cert - getting certificate data from certificate files. Plugin and provider's driver will use this
for getting certificate data for validation or usage on back-end system.
register_cert_consumer and unregister_cert_consumer functions will do nothing since no resource consumer
registration/removal is needed.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1514768/+subscriptions
Follow ups
