Re: [openstack-dev] Security of Meta-Data

2017-10-04 Thread Giuseppe de Candia
Hi Folks,

I'm still processing all this information - thanks for your help!

--Pino

On Wed, Oct 4, 2017 at 7:58 AM, Jeremy Stanley wrote:
> On 2017-10-04 10:47:02 +0100 (+0100), Luke Hinds wrote:
> [...]
> > The recommendation is not to use metadata for security sensitive
>

Re: [openstack-dev] Security of Meta-Data

2017-10-04 Thread Jeremy Stanley
On 2017-10-04 10:47:02 +0100 (+0100), Luke Hinds wrote:
[...]
> The recommendation is not to use metadata for security sensitive
> data (it's possible to spoof by setting an X-Forwarded header),
> please see the following OpenStack Security Note on the topic:
>
>

Re: [openstack-dev] Security of Meta-Data

2017-10-04 Thread Sean Dague
There is an assumption that you've got solid network security on the path between your guests and your nova-API. Either because you've got a secure network path, or you run the neutron proxy server on the host itself, and so this is a no hop call. Because this is a bootstrapping problem, and the

Re: [openstack-dev] Security of Meta-Data

2017-10-04 Thread Luke Hinds
On Tue, Oct 3, 2017 at 11:00 PM, Giuseppe de Candia <giuseppe.decan...@gmail.com> wrote:
> Hi Folks,
>
>
> Are there any documented conventions regarding the security model for
> MetaData?
>
>
> Note that CloudInit allows passing user and ssh service public/private
> keys via MetaData service

Re: [openstack-dev] Security of Meta-Data

2017-10-04 Thread Adam Heczko
Referring to the original question: 'Note that CloudInit allows passing user and ssh service public/private keys via MetaData service (or ConfigDrive). One assumes it must be secure, but I have not found a security model or documentation.' The metadata service is as secure as underlying

Re: [openstack-dev] Security of Meta-Data

2017-10-04 Thread Gary Kotton
Hi,

You can configure the metadata service to be secure. You just need to make sure that nova is configured correctly.

FYI - https://github.com/openstack/neutron/blob/master/neutron/conf/agent/metadata/config.py#L68

Thanks
Gary

On 10/4/17, 7:01 AM, "Joshua Harlow" wrote:

Re: [openstack-dev] Security of Meta-Data

2017-10-03 Thread Joshua Harlow
I would treat the metadata service as not secure. From amazon docs (equivalent can be said about openstack):

'''
Important

Although you can only access instance metadata and user data from within the instance itself, the data is not protected by cryptographic methods. Anyone who can access

[openstack-dev] Security of Meta-Data

2017-10-03 Thread Giuseppe de Candia
Hi Folks,

Are there any documented conventions regarding the security model for MetaData?

Note that CloudInit allows passing user and ssh service public/private keys via MetaData service (or ConfigDrive). One assumes it must be secure, but I have not found a security model or documentation.