
yahoo-eng-team team mailing list archive

[Bug 1823104] [NEW] CellMappingPayload in select_destinations versioned notification sends sensitive database_connection and transport_url information


Public bug reported:

As of this change in Stein:

https://review.openstack.org/#/c/508506/28/nova/notifications/objects/request_spec.py@334

Which is not yet officially released, but is in the 19.0.0.0rc1, the
select_destinations versioned notification payload during a move
operation (resize, cold/live migrate, unshelve, evacuate) will send the
cell database_connection URL and MQ transport_url information which
contains credentials to connect directly to the cell DB and MQ, which
even though notifications are meant to be internal within openstack
services, seems like a pretty bad idea. IOW, just because it's internal
to openstack doesn't mean nova needs to give ceilometer the keys to its
cell databases.

There seems to be no justification in the change for *why* this
information was needed in the notification payload, it seemed to be
added simply for completeness.

** Affects: nova
     Importance: High
     Assignee: Matt Riedemann (mriedem)
         Status: Triaged

** Affects: nova/stein
     Importance: Undecided
         Status: New


** Tags: notifications security stein-rc-potential

** Changed in: nova
     Assignee: (unassigned) => Matt Riedemann (mriedem)

** Also affects: nova/stein
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1823104

Title:
  CellMappingPayload in select_destinations versioned notification sends
  sensitive database_connection and transport_url information

Status in OpenStack Compute (nova):
  Triaged
Status in OpenStack Compute (nova) stein series:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1823104/+subscriptions
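An added example (not nova's code and not part of the bug report above): a small Python audit that walks a constructed notification payload shaped like the select_destinations one described, flags `database_connection` / `transport_url` values that embed `user:password@` credentials, and produces a redacted copy. The nesting, the wrapper key names, and all hosts and passwords are assumptions made up for the sample.

```python
from urllib.parse import urlsplit, urlunsplit

# Field names that, per the bug report, carry connection URLs with credentials.
SENSITIVE_KEYS = {"database_connection", "transport_url"}

def has_userinfo(url):
    """True if the URL authority embeds user:password@ (credentials)."""
    return "@" in urlsplit(url).netloc

def mask_url_credentials(url):
    """Return url with any userinfo replaced by ***:***; unchanged if none."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(parts._replace(netloc="***:***@" + host))

def find_credential_urls(obj, path="payload"):
    """Walk nested dicts/lists; return [(dotted path, url)] for sensitive
    fields whose value actually embeds credentials."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in SENSITIVE_KEYS and isinstance(value, str) and has_userinfo(value):
                hits.append((f"{path}.{key}", value))
            else:
                hits.extend(find_credential_urls(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_credential_urls(item, f"{path}[{i}]"))
    return hits

def redact_payload(obj):
    """Deep-copy the payload with credentials in sensitive URL fields masked."""
    if isinstance(obj, dict):
        return {k: mask_url_credentials(v) if k in SENSITIVE_KEYS and isinstance(v, str)
                else redact_payload(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_payload(item) for item in obj]
    return obj

# Constructed sample shaped like the select_destinations payload's cell mapping;
# hosts and credentials are placeholders, not real values.
SAMPLE_PAYLOAD = {"nova_object.name": "RequestSpecPayload", "nova_object.data": {
    "requested_destination": {"nova_object.data": {"host": "compute1", "cell": {
        "nova_object.name": "CellMappingPayload", "nova_object.data": {
            "name": "cell1",
            "database_connection": "mysql+pymysql://nova:s3cret@db.example/nova_cell1",
            "transport_url": "rabbit://nova:rabbitpw@mq.example:5672/"}}}}}}
```

Run `find_credential_urls(SAMPLE_PAYLOAD)` to list the leaking fields and `redact_payload(SAMPLE_PAYLOAD)` for a masked copy; dropping the fields from the payload altogether, as the report argues, is the stronger fix, and this audit is a check a consumer or a test can run either way.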
