On 11/12/2013 08:08 PM, Andrew Plunk wrote:
Alright.

The problem:
----------------
If a program generates a password, and displays it on a screen over and over 
again, it is more susceptible to being compromised.

I don't buy the problem. Using an analogy, the first time the information is shared, it becomes public. It can then be assumed that once information is shared the *first* time, anyone that cares about that information now knows it.

Passwords work the same way - if a user sees the password once, they could write it down, give it to their friends, post it on twitter, etc. The fact that it is exposed via the GUI multiple times isn't any more dangerous than these other scenarios.

Further argument is if you don't trust your users with the password, don't put it in the outputs section. I don't quite get how this would enhance security though, because if they have the OpenStack credentials, theoretically they could access the VM and obtain the password whether you like it or not. Further, they stack-create'ed the VM so ideally they would have responsibility for the security of the stack.

Regards
-steve


Possible solutions:
----------------
1) Provide a way to limit the availability of stack outputs returned from heat.
2) Provide a way to express metadata about stack outputs returned from heat.

________________________________________
From: Clint Byrum [cl...@fewbar.com]
Sent: Tuesday, November 12, 2013 8:46 PM
To: openstack
Subject: Re: [Openstack] [Heat] Locked Outputs

Excerpts from Andrew Plunk's message of 2013-11-12 17:24:25 -0800:
Thanks for reiterating that Zane. The problem I have is I want to display 
generated passwords once, and only once in a ui. I want the ability to flag or 
conditionally display outputs based on conditions.

A problem is stated with a cause and an effect "Users may lose control of
the UI after the first time outputs are displayed, leading to credential
compromise".

Another example: "English encourages use of overloaded terms which
can be ambiguous, requiring multiple iterations to communicate ideas
effectively."

Solution: "I want to define terms more clearly before using them in
sentences."

"I want to ..." is a _solution_.

Maybe we can try one more time?

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack