2022-05-05 10:31:18 |
kay |
bug |
|
|
added bug |
2022-05-05 10:34:48 |
kay |
description |
Unfortunately EC2 credentials are not secure enough. EC2 credentials are not protected by limited roles, expiration time, access rules, and the EC2 secret part is visible via get/list API calls. Leaked EC2 credentials imply a big security risk in terms of access, because an EC2 creds token has the same power as a regular user/pass auth.
Hence, EC2 AUTH is actively used by Swift S3 emulation (not limited only to Swift, btw.); it would be nice to use application credentials as an auth source in keystone internals and issue a limited access token. With all the features application credentials provide, EC2 can get a second wind.
An example of an EC2 auth request with application credentials:
$ openstack application credential list
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| ID | Name | Project ID | Description | Expires At |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| 3defd466f04646d094a1ee4b6afc53e8 | test | f8d450e9cb7b4f1cbf664401d5bf1d29 | None | 2219-02-13T12:12:12.000000 |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
{
"credentials": {
"access": "3defd466f04646d094a1ee4b6afc53e8",
"body_hash": "***",
"headers": {
"Accept-Encoding": "identity",
"Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature",
"Host": "keystone:8080",
"User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19",
"X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"X-Amz-Date": "20220505T101354Z",
"X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date"
},
"host": "",
"params": {},
"path": "/",
"signature": "appCredSecretBasedSignature",
"verb": "GET"
}
}
An example of an EC2 auth token response with application credentials:
{
"token": {
"application_credential": {
"access_rules": [
{
"id": "9416a34e7f3b45ecb029063d8a239463",
"method": "GET",
"path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**",
"service": "key-manager"
}
],
"id": "3defd466f04646d094a1ee4b6afc53e8",
"name": "test",
"restricted": true
},
"audit_ids": [
"m6C3NgSiQmqQnrBRySYW2A"
],
"catalog": [...],
"expires_at": "2022-05-05T18:24:48.000000Z",
"is_admin_project": false,
"is_domain": false,
"issued_at": "2022-05-05T10:24:48.000000Z",
"methods": [
"application_credential"
],
"project": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "f8d450e9cb7b4f1cbf664401d5bf1d29",
"name": "test"
},
"roles": [
{
"id": "a66c3a324bc24c0da7259faa03f2704d",
"name": "limited_role"
}
],
"user": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "0c4cac95c039441d9b8bb509fe836110",
"name": "appCredOwner",
"password_expires_at": "2022-09-07T18:13:38.126030"
}
}
} |
Unfortunately EC2 credentials are not secure enough. EC2 credentials are not protected by limited roles, expiration time, access rules, and the EC2 secret part is visible via get/list API calls. Leaked EC2 credentials imply a big security risk in terms of access, because an EC2 creds token has the same power as a regular user/pass auth.
Hence, EC2 AUTH is actively used by Swift S3 emulation (not limited only to Swift, btw.); it would be nice to use application credentials as an auth source in keystone internals and issue a limited access token. With all the features application credentials provide, EC2 can get a second wind.
An example of an EC2 auth request with application credentials:
$ openstack application credential list
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| ID | Name | Project ID | Description | Expires At |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| 3defd466f04646d094a1ee4b6afc53e8 | test | f8d450e9cb7b4f1cbf664401d5bf1d29 | None | 2219-02-13T12:12:12.000000 |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
POST http://keystone:8080/v3/ec2tokens
{
"credentials": {
"access": "3defd466f04646d094a1ee4b6afc53e8",
"body_hash": "***",
"headers": {
"Accept-Encoding": "identity",
"Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature",
"Host": "keystone:8080",
"User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19",
"X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"X-Amz-Date": "20220505T101354Z",
"X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date"
},
"host": "",
"params": {},
"path": "/",
"signature": "appCredSecretBasedSignature",
"verb": "GET"
}
}
An example of an EC2 auth token response with application credentials:
{
"token": {
"application_credential": {
"access_rules": [
{
"id": "9416a34e7f3b45ecb029063d8a239463",
"method": "GET",
"path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**",
"service": "key-manager"
}
],
"id": "3defd466f04646d094a1ee4b6afc53e8",
"name": "test",
"restricted": true
},
"audit_ids": [
"m6C3NgSiQmqQnrBRySYW2A"
],
"catalog": [...],
"expires_at": "2022-05-05T18:24:48.000000Z",
"is_admin_project": false,
"is_domain": false,
"issued_at": "2022-05-05T10:24:48.000000Z",
"methods": [
"application_credential"
],
"project": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "f8d450e9cb7b4f1cbf664401d5bf1d29",
"name": "test"
},
"roles": [
{
"id": "a66c3a324bc24c0da7259faa03f2704d",
"name": "limited_role"
}
],
"user": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "0c4cac95c039441d9b8bb509fe836110",
"name": "appCredOwner",
"password_expires_at": "2022-09-07T18:13:38.126030"
}
}
} |
|
2022-05-05 10:36:26 |
kay |
description |
Unfortunately EC2 credentials are not secure enough. EC2 credentials are not protected by limited roles, expiration time, access rules, and the EC2 secret part is visible via get/list API calls. Leaked EC2 credentials imply a big security risk in terms of access, because an EC2 creds token has the same power as a regular user/pass auth.
Hence, EC2 AUTH is actively used by Swift S3 emulation (not limited only to Swift, btw.); it would be nice to use application credentials as an auth source in keystone internals and issue a limited access token. With all the features application credentials provide, EC2 can get a second wind.
An example of an EC2 auth request with application credentials:
$ openstack application credential list
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| ID | Name | Project ID | Description | Expires At |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| 3defd466f04646d094a1ee4b6afc53e8 | test | f8d450e9cb7b4f1cbf664401d5bf1d29 | None | 2219-02-13T12:12:12.000000 |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
POST http://keystone:8080/v3/ec2tokens
{
"credentials": {
"access": "3defd466f04646d094a1ee4b6afc53e8",
"body_hash": "***",
"headers": {
"Accept-Encoding": "identity",
"Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature",
"Host": "keystone:8080",
"User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19",
"X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"X-Amz-Date": "20220505T101354Z",
"X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date"
},
"host": "",
"params": {},
"path": "/",
"signature": "appCredSecretBasedSignature",
"verb": "GET"
}
}
An example of an EC2 auth token response with application credentials:
{
"token": {
"application_credential": {
"access_rules": [
{
"id": "9416a34e7f3b45ecb029063d8a239463",
"method": "GET",
"path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**",
"service": "key-manager"
}
],
"id": "3defd466f04646d094a1ee4b6afc53e8",
"name": "test",
"restricted": true
},
"audit_ids": [
"m6C3NgSiQmqQnrBRySYW2A"
],
"catalog": [...],
"expires_at": "2022-05-05T18:24:48.000000Z",
"is_admin_project": false,
"is_domain": false,
"issued_at": "2022-05-05T10:24:48.000000Z",
"methods": [
"application_credential"
],
"project": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "f8d450e9cb7b4f1cbf664401d5bf1d29",
"name": "test"
},
"roles": [
{
"id": "a66c3a324bc24c0da7259faa03f2704d",
"name": "limited_role"
}
],
"user": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "0c4cac95c039441d9b8bb509fe836110",
"name": "appCredOwner",
"password_expires_at": "2022-09-07T18:13:38.126030"
}
}
} |
Unfortunately EC2 credentials are not secure enough. EC2 credentials are not protected by limited roles, expiration time, access rules, and the EC2 secret part is visible via get/list API calls. Leaked EC2 credentials imply a big security risk in terms of access, because an EC2 creds token has the same power as a regular user/pass auth.
However, EC2 AUTH is actively used by Swift S3 emulation (not limited only to Swift, btw.); it would be nice to use application credentials as an auth source in keystone internals and issue a limited access token. With all the features application credentials provide, EC2 can get a second wind.
An example of an EC2 auth request with application credentials:
$ openstack application credential list
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| ID | Name | Project ID | Description | Expires At |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| 3defd466f04646d094a1ee4b6afc53e8 | test | f8d450e9cb7b4f1cbf664401d5bf1d29 | None | 2219-02-13T12:12:12.000000 |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
POST http://keystone:8080/v3/ec2tokens
{
"credentials": {
"access": "3defd466f04646d094a1ee4b6afc53e8",
"body_hash": "***",
"headers": {
"Accept-Encoding": "identity",
"Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature",
"Host": "keystone:8080",
"User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19",
"X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"X-Amz-Date": "20220505T101354Z",
"X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date"
},
"host": "",
"params": {},
"path": "/",
"signature": "appCredSecretBasedSignature",
"verb": "GET"
}
}
An example of an EC2 auth token response with application credentials:
{
"token": {
"application_credential": {
"access_rules": [
{
"id": "9416a34e7f3b45ecb029063d8a239463",
"method": "GET",
"path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**",
"service": "key-manager"
}
],
"id": "3defd466f04646d094a1ee4b6afc53e8",
"name": "test",
"restricted": true
},
"audit_ids": [
"m6C3NgSiQmqQnrBRySYW2A"
],
"catalog": [...],
"expires_at": "2022-05-05T18:24:48.000000Z",
"is_admin_project": false,
"is_domain": false,
"issued_at": "2022-05-05T10:24:48.000000Z",
"methods": [
"application_credential"
],
"project": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "f8d450e9cb7b4f1cbf664401d5bf1d29",
"name": "test"
},
"roles": [
{
"id": "a66c3a324bc24c0da7259faa03f2704d",
"name": "limited_role"
}
],
"user": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "0c4cac95c039441d9b8bb509fe836110",
"name": "appCredOwner",
"password_expires_at": "2022-09-07T18:13:38.126030"
}
}
} |
|
2022-05-05 10:36:36 |
kay |
description |
Unfortunately EC2 credentials are not secure enough. EC2 credentials are not protected by limited roles, expiration time, access rules, and the EC2 secret part is visible via get/list API calls. Leaked EC2 credentials imply a big security risk in terms of access, because an EC2 creds token has the same power as a regular user/pass auth.
However, EC2 AUTH is actively used by Swift S3 emulation (not limited only to Swift, btw.); it would be nice to use application credentials as an auth source in keystone internals and issue a limited access token. With all the features application credentials provide, EC2 can get a second wind.
An example of an EC2 auth request with application credentials:
$ openstack application credential list
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| ID | Name | Project ID | Description | Expires At |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| 3defd466f04646d094a1ee4b6afc53e8 | test | f8d450e9cb7b4f1cbf664401d5bf1d29 | None | 2219-02-13T12:12:12.000000 |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
POST http://keystone:8080/v3/ec2tokens
{
"credentials": {
"access": "3defd466f04646d094a1ee4b6afc53e8",
"body_hash": "***",
"headers": {
"Accept-Encoding": "identity",
"Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature",
"Host": "keystone:8080",
"User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19",
"X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"X-Amz-Date": "20220505T101354Z",
"X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date"
},
"host": "",
"params": {},
"path": "/",
"signature": "appCredSecretBasedSignature",
"verb": "GET"
}
}
An example of an EC2 auth token response with application credentials:
{
"token": {
"application_credential": {
"access_rules": [
{
"id": "9416a34e7f3b45ecb029063d8a239463",
"method": "GET",
"path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**",
"service": "key-manager"
}
],
"id": "3defd466f04646d094a1ee4b6afc53e8",
"name": "test",
"restricted": true
},
"audit_ids": [
"m6C3NgSiQmqQnrBRySYW2A"
],
"catalog": [...],
"expires_at": "2022-05-05T18:24:48.000000Z",
"is_admin_project": false,
"is_domain": false,
"issued_at": "2022-05-05T10:24:48.000000Z",
"methods": [
"application_credential"
],
"project": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "f8d450e9cb7b4f1cbf664401d5bf1d29",
"name": "test"
},
"roles": [
{
"id": "a66c3a324bc24c0da7259faa03f2704d",
"name": "limited_role"
}
],
"user": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "0c4cac95c039441d9b8bb509fe836110",
"name": "appCredOwner",
"password_expires_at": "2022-09-07T18:13:38.126030"
}
}
} |
Unfortunately EC2 credentials are not secure enough. EC2 credentials are not protected by limited roles, expiration time, access rules, and the EC2 secret part is visible via get/list API calls. Leaked EC2 credentials imply a big security risk in terms of access, because an EC2 creds token has the same power as a regular user/pass auth.
EC2 AUTH is actively used by Swift S3 emulation (not limited only to Swift, btw.); it would be nice to use application credentials as an auth source in keystone internals and issue a limited access token. With all the features application credentials provide, EC2 can get a second wind.
An example of an EC2 auth request with application credentials:
$ openstack application credential list
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| ID | Name | Project ID | Description | Expires At |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| 3defd466f04646d094a1ee4b6afc53e8 | test | f8d450e9cb7b4f1cbf664401d5bf1d29 | None | 2219-02-13T12:12:12.000000 |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
POST http://keystone:8080/v3/ec2tokens
{
"credentials": {
"access": "3defd466f04646d094a1ee4b6afc53e8",
"body_hash": "***",
"headers": {
"Accept-Encoding": "identity",
"Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature",
"Host": "keystone:8080",
"User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19",
"X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"X-Amz-Date": "20220505T101354Z",
"X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date"
},
"host": "",
"params": {},
"path": "/",
"signature": "appCredSecretBasedSignature",
"verb": "GET"
}
}
An example of an EC2 auth token response with application credentials:
{
"token": {
"application_credential": {
"access_rules": [
{
"id": "9416a34e7f3b45ecb029063d8a239463",
"method": "GET",
"path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**",
"service": "key-manager"
}
],
"id": "3defd466f04646d094a1ee4b6afc53e8",
"name": "test",
"restricted": true
},
"audit_ids": [
"m6C3NgSiQmqQnrBRySYW2A"
],
"catalog": [...],
"expires_at": "2022-05-05T18:24:48.000000Z",
"is_admin_project": false,
"is_domain": false,
"issued_at": "2022-05-05T10:24:48.000000Z",
"methods": [
"application_credential"
],
"project": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "f8d450e9cb7b4f1cbf664401d5bf1d29",
"name": "test"
},
"roles": [
{
"id": "a66c3a324bc24c0da7259faa03f2704d",
"name": "limited_role"
}
],
"user": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "0c4cac95c039441d9b8bb509fe836110",
"name": "appCredOwner",
"password_expires_at": "2022-09-07T18:13:38.126030"
}
}
} |
|
2022-05-05 10:39:03 |
kay |
summary |
Add application credentials as a source for EC2 auth |
Support application credentials as a source for EC2 auth |
|
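The following is an added example (editor's own code, not Keystone's and not part of the bug report) of the server-side check the description above asks for: the SigV4 access key in the Authorization header is treated as an application credential ID, the signature is recomputed with that credential's secret, and the token that comes back is bounded by the credential's expiry, roles and access rules instead of carrying the owner's full rights. The in-memory APP_CREDS store, the secret value, the 15-minute skew window and all function names are assumptions; the credential ID, user, project and access-rule values are taken from the request and response shown in the report.

```python
"""Added example (not Keystone's code and not from the bug report): verify a
/v3/ec2tokens body whose SigV4 access key is an application credential ID and
issue a token bounded by that credential's expiry, roles and access rules."""
import hashlib
import hmac
import re
from datetime import datetime, timezone
from urllib.parse import quote

# Hypothetical in-memory store standing in for Keystone's backend. ID, user,
# project and rule values mirror the report; the secret is constructed and only
# ever used server-side to recompute signatures (never returned by get/list).
APP_CREDS = {
    "3defd466f04646d094a1ee4b6afc53e8": {
        "secret": "constructed-app-cred-secret",
        "user_id": "0c4cac95c039441d9b8bb509fe836110",
        "project_id": "f8d450e9cb7b4f1cbf664401d5bf1d29",
        "expires_at": "2219-02-13T12:12:12",
        "roles": ["limited_role"],
        "access_rules": [{"service": "key-manager", "method": "GET",
                          "path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**"}],
    },
}
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # the e3b0c442... value in the report
MAX_SKEW_SECONDS = 900  # assumed replay window: reject requests stamped >15 min away
_AUTH_RE = re.compile(
    r"AWS4-HMAC-SHA256 Credential=(?P<access>[^/]+)/(?P<date>\d{8})/(?P<region>[^/]+)"
    r"/(?P<service>[^/]+)/aws4_request,\s*SignedHeaders=(?P<signed>[^,]+),"
    r"\s*Signature=(?P<sig>[0-9a-f]{64})$")

def parse_amz_date(s: str) -> datetime:
    return datetime.strptime(s, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def canonical_request(verb, path, params, headers, signed_headers, payload_hash):
    """SigV4 canonical request: S3-style single URI encoding, lowercase header names."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    canon_qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                        for k, v in sorted(params.items()))
    canon_headers = "".join(f"{h}:{lower[h]}\n" for h in signed_headers)
    return "\n".join([verb, quote(path, safe="/~") or "/", canon_qs, canon_headers,
                      ";".join(signed_headers), payload_hash])

def sigv4_signature(secret, amz_date, region, service, canon_req):
    """Derive the signing key from the app-cred secret and sign the string-to-sign."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canon_req.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret).encode(), amz_date[:8])
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def build_signed_request(access, secret, amz_date, region="RegionOne", service="s3",
                         host="keystone:8080", verb="GET", path="/"):
    """Client side: the 'credentials' body an S3 client would POST to /v3/ec2tokens."""
    headers = {"Host": host, "X-Amz-Content-Sha256": EMPTY_SHA256, "X-Amz-Date": amz_date}
    signed = ["host", "x-amz-content-sha256", "x-amz-date"]
    sig = sigv4_signature(secret, amz_date, region, service,
                          canonical_request(verb, path, {}, headers, signed, EMPTY_SHA256))
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access}/{amz_date[:8]}/{region}"
                                f"/{service}/aws4_request, SignedHeaders={';'.join(signed)}, "
                                f"Signature={sig}")
    return {"access": access, "headers": headers, "params": {}, "path": path,
            "verb": verb, "signature": sig, "body_hash": EMPTY_SHA256}

def verify_ec2_request(creds: dict, now: datetime) -> dict:
    """Server side: validate the request and return a token scoped by the app cred."""
    m = _AUTH_RE.match(creds["headers"].get("Authorization", ""))
    if not m or m["access"] != creds["access"]:
        raise PermissionError("malformed or inconsistent Authorization header")
    app_cred = APP_CREDS.get(creds["access"])
    if app_cred is None:
        raise PermissionError("unknown access key")
    expires = datetime.fromisoformat(app_cred["expires_at"]).replace(tzinfo=timezone.utc)
    if now >= expires:  # a leaked app cred dies with its expiry; an EC2 cred never does
        raise PermissionError("application credential expired")
    lower = {k.lower(): v for k, v in creds["headers"].items()}
    signed = m["signed"].split(";")
    if not {"host", "x-amz-date"} <= set(signed) or any(h not in lower for h in signed):
        raise PermissionError("required or signed header missing")
    amz_date = lower["x-amz-date"]
    if amz_date[:8] != m["date"]:
        raise PermissionError("credential scope date does not match X-Amz-Date")
    if abs((now - parse_amz_date(amz_date)).total_seconds()) > MAX_SKEW_SECONDS:
        raise PermissionError("request timestamp outside allowed skew")
    canon = canonical_request(creds["verb"], creds["path"], creds["params"], creds["headers"],
                              signed, lower.get("x-amz-content-sha256", EMPTY_SHA256))
    expected = sigv4_signature(app_cred["secret"], amz_date, m["region"], m["service"], canon)
    if not hmac.compare_digest(expected, m["sig"]):
        raise PermissionError("signature mismatch")
    # Roles and access rules come from the app cred, not from the owner's full
    # rights; the access rules are enforced later by the service being called.
    return {"methods": ["application_credential"], "user": {"id": app_cred["user_id"]},
            "project": {"id": app_cred["project_id"]}, "roles": list(app_cred["roles"]),
            "application_credential": {"id": creds["access"], "restricted": True,
                                       "access_rules": app_cred["access_rules"]}}
```

build_signed_request plays the S3 client (the role aws-cli has in the report) and produces the same header set the report shows; verify_ec2_request is the /v3/ec2tokens side. The three properties the report wants fall out of the lookup order: an expired or unknown credential is refused before any signature work, a wrong secret fails the constant-time comparison, and the token only ever carries the credential's restricted roles and access rules. Note that access rules are carried in the token but enforced by the called service, not at token issuance.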