Re: [openstack-dev] [security] [horizon] Security implications of exposing a keystone token to a JS client

2016-07-07 Thread Fox, Kevin M
Ok. Thanks for taking a look. Kevin From: David Stanek [dsta...@dstanek.com] Sent: Wednesday, July 06, 2016 5:36 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [security] [horizon] Security implications of

Re: [openstack-dev] [security] [horizon] Security implications of exposing a keystone token to a JS client

2016-07-07 Thread Tripp, Travis S
By caching, do you mean not persisting it in local storage or a cookie? Would it be okay to store in a variable in browser memory for the duration of the session to be used with subsequent API requests? Thanks, Travis On 7/6/16, 6:36 PM, "David Stanek" wrote: On 07/01

Re: [openstack-dev] [security] [horizon] Security implications of exposing a keystone token to a JS client

2016-07-06 Thread David Stanek
On 07/01 at 19:41, Fox, Kevin M wrote: > Hi David, > > How do you feel about the approach here: > https://review.openstack.org/#/c/311189/ > > It lets the existing angular js module: > horizon.app.core.openstack-service-api.keystone > > access the current token via

Re: [openstack-dev] [security] [horizon] Security implications of exposing a keystone token to a JS client

2016-07-01 Thread Fox, Kevin M
Hi David, How do you feel about the approach here: https://review.openstack.org/#/c/311189/ It lets the existing angular js module: horizon.app.core.openstack-service-api.keystone access the current token via getCurrentUserSession().token Thanks, Kevin

Re: [openstack-dev] [security] [horizon] Security implications of exposing a keystone token to a JS client

2016-07-01 Thread David Stanek
On 06/29 at 21:10, Timur Sufiev wrote: > Hello, vigilant folks of OpenStack Security team! > > The commit(s) I'd like you to take a look at introduces a new Horizon > feature, Create (Glance) Image using CORS (AKA Cross-Origin Resource > Sharing) [1]. > > The main idea is to bypass Horizon

Re: [openstack-dev] [security] [horizon] Security implications of exposing a keystone token to a JS client

2016-07-01 Thread Thai Q Tran
I am not sure if this is a valid concern. If I am using a CLI and someone gets access to my computer, they can do whatever they well please. If I am using Horizon and someone gets access, it's going to be the same story, they can still do damage even without knowing the token (at least until the

Re: [openstack-dev] [security] [horizon] Security implications of exposing a keystone token to a JS client

2016-06-29 Thread Fox, Kevin M
Ah. I was going to bring this up eventually but hadn't gotten to it yet. I started up a patch for adding similar support for horizon here: https://review.openstack.org/#/c/311189/ My intention is to use it to make a Horizon Plugin to speak to a Keystone authenticated Kubernetes api directly.

[openstack-dev] [security] [horizon] Security implications of exposing a keystone token to a JS client

2016-06-29 Thread Timur Sufiev
Hello, vigilant folks of OpenStack Security team! The commit(s) I'd like you to take a look at introduces a new Horizon feature, Create (Glance) Image using CORS (AKA Cross-Origin Resource Sharing) [1]. The main idea is to bypass the Horizon web-server when uploading a large local image and to send it