chef-cookbooks
[glance] Glance API - Unencrypted Submission of Credentials
This is from the internal security review recommendations.
Severity: High
Description / Exploit: The RPC Glance API endpoint transmits sensitive or security-critical data (API keys) in cleartext in a communication channel that can be sniffed by unauthorized actors.
Impact: Anyone can read the information by gaining access to the channel being used for communication.
Systems Vulnerable: http://198.101.133.159:9292
Suggested Mitigation: Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS).
Further References:
http://cwe.mitre.org/data/definitions/319.html
https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
This will likely require attribute default changes, http -> https upgrade testing, https client cert/bundle testing (see other open issues around https and client certs), changes to novarc files, and monitoring/monit checks.
Affects:
cookbooks/glance/attributes/default.rb
38:default["glance"]["services"]["api"]["port"] = 9292
43:default["glance"]["services"]["admin-api"]["port"] = 9292
48:default["glance"]["services"]["internal-api"]["port"] = 9292
Hello,
I received the following report from a user on v4.2.1 who was attempting to enable https for glance-api and glance-registry:
"To view traceback
- Change glance api endpoint to http
- Set SSLEngine off for /etc/apache2/sites-enabled/openstack-glance-api"
(from /var/log/glance/glance-api.log)
[Fri Mar 21 12:12:38 2014] [error] [client 192.168.60.21] mod_wsgi (pid=26359): Exception occurred processing WSGI script '/etc/apache2/wsgi/glance-api'.
[Fri Mar 21 12:12:38 2014] [error] [client 192.168.60.21] Traceback (most recent call last):
[Fri Mar 21 12:12:38 2014] [error] [client 192.168.60.21] File "/etc/apache2/wsgi/glance-api", line 2, in
"Registry appears to have the same issue:"
root@controller02:/etc/apache2/sites-enabled# tail -f /var/log/glance/registry-ssl.log
[Fri Mar 21 12:22:23 2014] [info] [client 192.168.60.24] mod_wsgi (pid=26362, process='glance-registry', application='alamo-controller02.viasat.lan:9191|'): Loading WSGI script '/etc/apache2/wsgi/glance-registry'.
[Fri Mar 21 12:22:23 2014] [error] [client 192.168.60.24] mod_wsgi (pid=26362): Target WSGI script '/etc/apache2/wsgi/glance-registry' cannot be loaded as Python module.
[Fri Mar 21 12:22:23 2014] [error] [client 192.168.60.24] mod_wsgi (pid=26362): Exception occurred processing WSGI script '/etc/apache2/wsgi/glance-registry'.
[Fri Mar 21 12:22:23 2014] [error] [client 192.168.60.24] Traceback (most recent call last):
[Fri Mar 21 12:22:23 2014] [error] [client 192.168.60.24] File "/etc/apache2/wsgi/glance-registry", line 1, in
Relevant environment overrides:

```json
"glance": {
  "service_user": "dmzp01",
  "service_pass": "XXXXX",
  "images": [ "cirros", "precise" ],
  "services": {
    "api": { "scheme": "https" },
    "admin-api": { "scheme": "https" },
    "registry": { "scheme": "https" },
    "internal-api": { "scheme": "http" }
  },
  "image": {
    "cirros": "https://launchpad.net/cirros/trunk/0.3.0/%2Bdownload/cirros-0.3.0-x86_64-disk.img",
    "precise": "http://cloud-images.ubuntu.com/precise/current/precise-server-cloudimg-amd64-disk1.img"
  },
  "image_upload": false
},
```
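The security-review item above asks for the glance service attributes to move from http to https, and the environment overrides just quoted show how easy it is to leave one service behind (internal-api stays on http while api, admin-api and registry are switched). The Ruby below is an added example, not code from the chef-cookbooks repository: it imitates Chef attribute precedence (environment overrides beat cookbook defaults) with a small deep-merge, builds the endpoint URL the cookbook would write into novarc files and monit checks, and lists every endpoint whose effective scheme is still cleartext. Port 9292 is the cookbook default from the report; the host name glance.example, the path /v1 and the registry port 9191 (as seen in the registry log line) are constructed for illustration.

```ruby
# Added example (not the cookbook's own code): audit which glance endpoints
# would still carry auth tokens over plain HTTP after environment overrides
# are applied. Hosts, paths and the registry port are constructed values.

# Constructed stand-in for cookbooks/glance/attributes/default.rb. As in the
# cookbook, every service defaults to the cleartext scheme.
GLANCE_DEFAULTS = {
  'services' => {
    'api'          => { 'scheme' => 'http', 'host' => 'glance.example', 'port' => 9292, 'path' => '/v1' },
    'admin-api'    => { 'scheme' => 'http', 'host' => 'glance.example', 'port' => 9292, 'path' => '/v1' },
    'internal-api' => { 'scheme' => 'http', 'host' => 'glance.example', 'port' => 9292, 'path' => '/v1' },
    'registry'     => { 'scheme' => 'http', 'host' => 'glance.example', 'port' => 9191, 'path' => '/' }
  }
}.freeze

# The services section of the environment overrides quoted in the report:
# three services moved to https, internal-api left on http.
REPORTED_OVERRIDES = {
  'services' => {
    'api'          => { 'scheme' => 'https' },
    'admin-api'    => { 'scheme' => 'https' },
    'registry'     => { 'scheme' => 'https' },
    'internal-api' => { 'scheme' => 'http' }
  }
}.freeze

# Recursive merge: nested hashes are merged, any other value in `over` wins,
# which is how an override attribute replaces a cookbook default.
def deep_merge(base, over)
  base.merge(over) do |_key, a, b|
    a.is_a?(Hash) && b.is_a?(Hash) ? deep_merge(a, b) : b
  end
end

# URL a client (novarc, monit check, other services) would use for a service.
def endpoint_url(svc)
  "#{svc['scheme']}://#{svc['host']}:#{svc['port']}#{svc['path']}"
end

# Returns { service_name => url } for every endpoint whose effective scheme is
# not https, i.e. every channel on which a token could be sniffed (CWE-319).
def cleartext_endpoints(defaults, overrides)
  merged = deep_merge(defaults, overrides)
  merged['services']
    .reject { |_name, svc| svc['scheme'] == 'https' }
    .map    { |name, svc| [name, endpoint_url(svc)] }
    .to_h
end

# Override hash that flips every known service to https: the attribute change
# the mitigation calls for, expressed as an environment override so no
# service is forgotten when a new one is added to the defaults.
def https_everywhere(defaults)
  { 'services' => defaults['services'].keys.map { |n| [n, { 'scheme' => 'https' }] }.to_h }
end

if __FILE__ == $PROGRAM_NAME
  [['cookbook defaults only', {}],
   ['reported environment',   REPORTED_OVERRIDES],
   ['https everywhere',       https_everywhere(GLANCE_DEFAULTS)]].each do |label, over|
    bad = cleartext_endpoints(GLANCE_DEFAULTS, over)
    status = bad.empty? ? 'OK, all endpoints https' : "CLEARTEXT #{bad}"
    puts "#{label}: #{status}"
  end
end
```

Run stand-alone it prints one line per scenario; with the reported overrides the only cleartext endpoint left is internal-api, which is exactly the kind of gap a per-service scheme attribute invites. Generating the override from the defaults' key list, as https_everywhere does, is the safer pattern for the attribute-default change the review recommends.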
The Glance API does not work when implemented as a wsgi process using Apache. I have wasted many man hours trying to make it work. It seems to work initially, but you'll find that writing images won't work and that there are some header encoding problems when reading. I did log some bugs a while back and haven't followed up on whether they've been resolved yet.
I can confirm that it does work if a reverse proxy is used in front of the native service instead.
The Apache/httpd reverse proxy setup is not tested in OpenStack CI, so I would rather recommend using the native configurations until it is a properly tested configuration upstream. Table 3.20: http://docs.openstack.org/havana/config-reference/content/ch_configuring-openstack-image-service.html