openstack/security-doc
Code Issues Proposed changes

Correct line-wrapping in OSSN-0063

Browse Source 
This corrects the line wrapping in OSSN-0063 to our standard width
of 72 columns.

Related-Bug: #1523646

Change-Id: I04f6a82a36997f3928522daa0d6e7be633328454
This commit is contained in:
Nathan Kinder
2016-06-09 12:24:07 -07:00
parent e1332c995a
commit 35f2ab99d0
1 changed files with 19 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
security-notes/OSSN-0063
View File

@@ -2,11 +2,11 @@ Nova and Cinder key manager for Barbican misuses cached credentials
---
### Summary ###
During the Icehouse release the Cinder and Nova projects added a
feature that supports storage volume encryption using keys stored in
Barbican. The Barbican key manager, that is part of Nova and
Cinder, had a bug that could cause an authorized user to lose access to an
encryption key or allow the wrong user to gain access to an encryption key.
During the Icehouse release the Cinder and Nova projects added a feature
that supports storage volume encryption using keys stored in Barbican.
The Barbican key manager, that is part of Nova and Cinder, had a bug
that could cause an authorized user to lose access to an encryption key
or allow the wrong user to gain access to an encryption key.
### Affected Services / Software ###
Cinder: Icehouse, Juno, Kilo, Liberty
@@ -19,26 +19,27 @@ manager includes a cache function that allows for a copy_key() operation
to work while only validating the token once with Keystone.
This cache function had a bug such that the cached token was used for
operations where it was no longer valid. The symptoms of this error vary, but
include a user not being able to access their key or the wrong user being
able to access a key.
operations where it was no longer valid. The symptoms of this error
vary, but include a user not being able to access their key or the wrong
user being able to access a key.
An affected user would see an error similar to this in their cinder log.
An affected user would see an error similar to this in their cinder log:
---- begin cinder.log sample snippet ----
2015-12-03 09:09:03.648 TRACE cinder.volume.api Unauthorized: The request you
have made requires authentication. (Disable debug mode to suppress these
details.) (HTTP 401) (Request-ID: req-d2c52e0b-c16d-43ec-a7a0-7611113f1270)
2015-12-03 09:09:03.648 TRACE cinder.volume.api Unauthorized: The
request you have made requires authentication. (Disable debug mode to
suppress these details.) (HTTP 401) (Request-ID:
req-d2c52e0b-c16d-43ec-a7a0-7611113f1270)
---- end cinder.log sample snippet ----
### Recommended Actions ###
Users wishing to use the Barbican key manager to provided keys for volume
encryption with Nova and Cinder should ensure they are using a patched
version.
Users wishing to use the Barbican key manager to provided keys for
volume encryption with Nova and Cinder should ensure they are using a
patched version.
A specification for a fix has been merged for the Mitaka
release of both Nova and Cinder. Additionally these patches have been
backported to stable/kilo and stable/liberty.
A specification for a fix has been merged for the Mitaka release of both
Nova and Cinder. Additionally these patches have been backported to
stable/kilo and stable/liberty.
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0063