
[keystone] Keystone Public API - Unencrypted Submission of Credentials

Open · claco opened this issue 10 years ago · 1 comment

This is from the internal security review recommendations.

Severity: High

Description / Exploit: The RPC Keystone Public API endpoint transmits sensitive or security-critical data (passwords, API keys) in cleartext in a communication channel that can be sniffed by unauthorized actors.

Impact: Anyone can read the information by gaining access to the channel being used for communication.

Systems Vulnerable: http://198.101.133.159:5000

Suggested Mitigation: Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS).

Further References:
http://cwe.mitre.org/data/definitions/319.html
https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

This will likely require attribute default changes, http -> https upgrade testing, https client cert/bundle testing (see other open issues around https and client certs), and changes to novarc files, monitoring/monit checks.

Affects:

cookbooks/horizon/templates/default/local_settings.py.erb
109:#     ('http://cluster1.example.com:5000/v2.0', 'cluster1'),
110:#     ('http://cluster2.example.com:5000/v2.0', 'cluster2'),

cookbooks/keystone/attributes/default.rb
171:default["keystone"]["services"]["service-api"]["port"] = "5000"             # node_attribute
180:default["keystone"]["services"]["internal-api"]["port"] = "5000"             # node_attribute

cookbooks/keystone/files/default/keystone_plugin.py
27:OS_AUTH_URL = "http://localhost:5000/v2.0"

cookbooks/keystone/templates/default/patches/ldap_user_enabled_default_config.py.1:2013.1-0ubuntu1~cloud0.erb
188:    register_int('public_port', default=5000)

cookbooks/nova/files/default/nova_plugin.py
29:OS_AUTH_URL = "http://localhost:5000/v2.0"

cookbooks/nova/templates/default/local_settings.py.erb
51:#     ('http://cluster1.example.com:5000/v2.0', 'cluster1'),
52:#     ('http://cluster2.example.com:5000/v2.0', 'cluster2'),

cookbooks/openstack-monitoring/files/default/glance_plugin.py
12:OS_AUTH_URL = "http://localhost:5000/v2.0"

cookbooks/openstack-monitoring/files/default/keystone_plugin.py
27:OS_AUTH_URL = "http://localhost:5000/v2.0"

cookbooks/openstack-monitoring/files/default/nova_plugin.py
29:OS_AUTH_URL = "http://localhost:5000/v2.0"

claco · Mar 17 '14 17:03
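As an added illustration (not code from the chef-cookbooks repository), the audit below reproduces the grep behind the "Affects" list above: it flags every auth URL that uses plain http on a Keystone port, and it includes a guard that a plugin setting OS_AUTH_URL can call so a password is never sent over a cleartext endpoint. The file names, the sample lines and the port set are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Keystone's default public (5000) and admin (35357) ports; assumption for this example.
KEYSTONE_PORTS = {5000, 35357}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def find_cleartext_keystone_urls(text):
    """Return (line_no, url) for every http:// Keystone endpoint in text.

    Any auth URL using plain http on a Keystone port will carry the
    username/password of every client that uses it in cleartext.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            if parts.scheme == "http" and parts.port in KEYSTONE_PORTS:
                findings.append((line_no, url))
    return findings


def require_tls_auth_url(url):
    """Refuse a Keystone auth URL unless its scheme is https.

    Meant to run before a monitoring plugin builds its client from
    OS_AUTH_URL, so the failure is loud instead of a silent leak.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing cleartext Keystone endpoint: %s" % url)
    return url


# Constructed sample resembling the cookbook files cited in the issue.
SAMPLE = """\
OS_AUTH_URL = "http://localhost:5000/v2.0"
#     ('http://cluster1.example.com:5000/v2.0', 'cluster1'),
OS_AUTH_URL = "https://localhost:5000/v2.0"
GLANCE_URL = "http://localhost:9292"
"""

if __name__ == "__main__":
    for line_no, url in find_cleartext_keystone_urls(SAMPLE):
        print("%d: %s" % (line_no, url))
```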

There are some options here:

  1. Use the native SSL config options to ensure that keystone listens on SSL for all services;
  2. Use an Apache/wsgi configuration. This is a tested configuration in the OpenStack CI Infrastructure, so this is a worthy option.
  3. Use Apache to reverse proxy keystone on all ports and SSL-encrypt the traffic. This has been working well for us.

odyssey4me · Mar 26 '14 13:03