
[Openstack-security] [Bug 1711117] Re: paste_deploy flavor in sample configuration file shows misleading default


** Also affects: ossn
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1711117

Title:
  paste_deploy flavor in sample configuration file shows misleading
  default

Status in Glance:
  New
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  New

Bug description:
  The "flavor" option of the "[paste_deploy]" section defaults to
  "None", but the sample configuration and documentation [1] suggest
  that it is "keystone". This can lead to insecure deployments without
  authentication. The "glance-api.conf" file shows the following:

      #
      # Deployment flavor to use in the server application pipeline.
      #
      # Provide a string value representing the appropriate deployment
      # flavor used in the server application pipleline. This is typically
      # the partial name of a pipeline in the paste configuration file with
      # the service name removed.
      #
      # For example, if your paste section name in the paste configuration
      # file is [pipeline:glance-api-keystone], set ``flavor`` to
      # ``keystone``.
      #
      # Possible values:
      #     * String value representing a partial pipeline name.
      #
      # Related Options:
      #     * config_file
      #
      #  (string value)
      #flavor = keystone

  This is misleading and can lead operators to think that the default
  flavor being used is "keystone", but this is not the case:

      DEBUG glance.common.config [-] paste_deploy.flavor            = None log_opt_values /usr/lib/python2.7/dist-packages/oslo_config/cfg.py:2626

  Previously, in Mitaka, the flavor was defined something like this:

      # Partial name of a pipeline in your paste configuration file with the
      # service name removed. For example, if your paste section name is
      # [pipeline:glance-api-keystone] use the value "keystone" (string
      # value)
      #flavor = <None>

  Therefore, somebody upgrading from a previous version would think that
  the default is now set to "keystone" instead of "None". In such cases
  the operator could remove the "flavor=keystone" definition, assuming
  that the default value is correct.

  Moreover, the configuration reference states that the default is
  "keystone" [1], but this is not the case, as the option does not set a
  default value, only a sample default [2].

  [1] https://docs.openstack.org/glance/latest/configuration/glance_api.html#paste_deploy
  [2] https://github.com/openstack/glance/blob/c4b0fbe632f759b00a1c326c17a05f134e93553d/glance/common/config.py#L33

  Note that if the flavor for paste is not set, this will lead to a
  deployment without authentication.

  If the sample default is different from the actual default, this
  should be stated clearly in the comment for that option.
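
An operator-side check for exactly this pitfall, added here as an example (it is not part of the bug report or of Glance): it reads a glance-api.conf and reports whether [paste_deploy] flavor is really set, treating the commented-out sample line as unset, just as oslo.config does. The two configuration snippets are constructed for the example.

```python
import configparser

# Constructed sample: the misleading glance-api.conf excerpt from the bug,
# with the flavor line still commented out (so it is NOT actually set).
UNSET_CONF = """
[DEFAULT]
debug = true

[paste_deploy]
# Deployment flavor to use in the server application pipeline.
#  (string value)
#flavor = keystone
"""

# Constructed sample: the same section with the option really set.
SET_CONF = """
[paste_deploy]
flavor = keystone
"""


def paste_flavor(conf_text):
    """Return the effective [paste_deploy] flavor, or None when unset.

    A commented-out ``#flavor = keystone`` line is only a sample default,
    so configparser ignores it and the real value stays None, which is the
    behaviour the bug describes for oslo.config.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("paste_deploy"):
        return None
    return parser.get("paste_deploy", "flavor", fallback=None)


def audit(conf_text):
    """Return a list of findings an operator should act on (empty = fine)."""
    findings = []
    flavor = paste_flavor(conf_text)
    if flavor is None:
        findings.append("paste_deploy.flavor is unset: the API pipeline "
                        "will run without authentication")
    elif "keystone" not in flavor:
        # Heuristic: the stock paste config names its auth pipeline
        # [pipeline:glance-api-keystone], selected by flavor "keystone".
        findings.append("paste_deploy.flavor=%r does not select the "
                        "keystone pipeline" % flavor)
    return findings
```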
