On 11/12/2013 08:08 PM, Andrew Plunk wrote:
Alright.
The problem:
----------------
If a program generates a password, and displays it on a screen over and over
again, it is more susceptible to being compromised.
I don't buy the problem. Using an analogy, the first time the
information is shared, it becomes public. It can then be assumed that
once information is shared the *first* time, anyone that cares about
that information now knows it.
Passwords work the same way - if a user sees the password once, they
could write it down, give it to their friends, post it on twitter, etc.
The fact that it is exposed via the GUI multiple times isn't any more
dangerous than these other scenarios.
Further argument is if you don't trust your users with the password,
don't put it in the outputs section. I don't quite get how this would
enhance security though, because if they have the OpenStack credentials,
theoretically they could access the VM and obtain the password whether
you like it or not. Further, they stack-create'ed the vm so ideally
they would have responsibility for the security of the stack.
Regards
-steve
Possible solutions:
----------------
1) Provide a way to limit the availability of stack outputs returned from heat.
2) Provide a way to express metadata about stack outputs returned from heat.
________________________________________
From: Clint Byrum [cl...@fewbar.com]
Sent: Tuesday, November 12, 2013 8:46 PM
To: openstack
Subject: Re: [Openstack] [Heat] Locked Outputs
Excerpts from Andrew Plunk's message of 2013-11-12 17:24:25 -0800:
Thanks for reiterating that Zane. The problem I have is I want to display
generated passwords once, and only once in a ui. I want the ability to flag or
conditionally display outputs based on conditions.
A problem is stated with a cause and an effect "Users may lose control of
the UI after the first time outputs are displayed, leading to credential
compromise".
Another example: "English encourages use of overloaded terms which
can be ambiguous, requiring multiple iterations to communicate ideas
effectively."
Solution: "I want to define terms more clearly before using them in
sentences."
"I want to ..." is a _solution_.
Maybe we can try one more time?
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack