rcbops / chef-cookbooks

RCB OPS - Chef Cookbooks

[nova] Nova API - Unencrypted Submission of Credentials #888

Open claco opened 10 years ago

claco commented 10 years ago

This is from the internal security review recommendations.

Severity: High

Description / Exploit: The RPC Nova API endpoint transmits sensitive or security-critical data (API keys) in cleartext in a communication channel that can be sniffed by unauthorized actors.

Impact: Anyone can read the information by gaining access to the channel being used for communication.

Systems Vulnerable: http://198.101.133.159:8774

Suggested Mitigation: Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS).

Further References: http://cwe.mitre.org/data/definitions/319.html https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

This will likely require attribute default changes, http -> https upgrade testing, https client cert/bundle testing (see other open issues around https and client certs), and changes to novarc files, monitoring/monit checks.

Affects:

cookbooks/haproxy/README.md
78:        "foo1" => {"host" => "1.2.3.4", "port" => "8774"},
79:        "foo2" => {"host" => "5.6.7.8", "port" => "8774"}

cookbooks/keystone/templates/default/keystone.conf.erb
27:# compute_port = 8774

cookbooks/keystone/templates/default/patches/ldap_user_enabled_default_config.py.1:2013.1-0ubuntu1~cloud0.erb
186:    register_int('compute_port', default=8774)

cookbooks/nova/attributes/default.rb
36:default["nova"]["services"]["api"]["port"] = 8774
45:default["nova"]["services"]["internal-api"]["port"] = 8774
50:default["nova"]["services"]["admin-api"]["port"] = 8774

odyssey4me commented 10 years ago

There are some options here:

  1. Use the native SSL config options to ensure that nova listens on SSL for all services;
  2. Use an Apache/wsgi configuration. This is a tested configuration in the OpenStack CI Infrastructure, so this is a worthy option.
  3. Use Apache to reverse proxy nova on all ports and SSL encrypt the traffic. This has been working well for us.
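Whichever of the three options is chosen, the follow-up work the issue lists (novarc files, attribute defaults, monitoring checks) needs a way to find the remaining cleartext endpoints. The following Ruby audit is an added example, not code from the issue or from the rcbops cookbooks; the novarc text, the services hash and its "scheme" key are constructed assumptions modelled on the attributes quoted above.

```ruby
require "uri"

# Constructed sample novarc in the style the issue says will need changing.
SAMPLE_NOVARC = <<~RC
  export OS_USERNAME=admin
  export OS_PASSWORD=REPLACE_ME
  export OS_AUTH_URL=http://198.101.133.159:5000/v2.0/
  export NOVA_URL=http://198.101.133.159:8774/v2/
  export NOVA_VERSION=1.1
RC

# Constructed hash mirroring default["nova"]["services"][...]; the "scheme"
# key is an assumption for this example, not an attribute from the cookbook.
SAMPLE_SERVICES = {
  "api"          => { "scheme" => "http",  "port" => 8774 },
  "internal-api" => { "scheme" => "https", "port" => 8774 },
  "admin-api"    => { "scheme" => "http",  "port" => 8774 },
}

# Every exported *_URL variable whose scheme is not https (CWE-319 exposure:
# the API key or token would travel in cleartext to that endpoint).
def cleartext_novarc_urls(text)
  text.each_line.map do |line|
    m = line.match(/\Aexport\s+(\w+_URL)=(\S+)/)
    next unless m
    uri = URI.parse(m[2]) rescue nil
    next if uri.nil? || uri.scheme == "https"
    { var: m[1], url: m[2], port: uri.port }
  end.compact
end

# Names of nova services whose configured scheme is not https.
def cleartext_services(services)
  services.reject { |_, svc| svc["scheme"] == "https" }.keys
end

# Human-readable findings, one line per cleartext endpoint.
def audit(novarc, services)
  urls = cleartext_novarc_urls(novarc).map { |f| "novarc #{f[:var]} -> #{f[:url]} (port #{f[:port]})" }
  svcs = cleartext_services(services).map { |name| "nova service #{name} scheme is not https" }
  urls + svcs
end

if $PROGRAM_NAME == __FILE__
  audit(SAMPLE_NOVARC, SAMPLE_SERVICES).each { |finding| puts finding }
end
```

Running it against a real novarc and the node's rendered attributes gives a checklist of what still has to flip to https once the API listens on TLS.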