Alexey, thank you for bringing this up. IMO, discussing security problems is better done in a special kind of Launchpad bug.
- romcheg

> On 7 Dec 2015, at 17:36, Alexey Elagin <aela...@mirantis.com> wrote:
>
> Hello all,
>
> We have a security problem in Fuel 7.0. It's related to plugin
> development and allows code to be executed in the mcollective docker container
> on the Fuel master node. Any Fuel plugin may contain a YAML file with
> deployment tasks (tasks.yaml, deployment_tasks.yaml etc.) and there is
> an ability to run some code on a node with role "master". It's also
> possible to connect to any target node via ssh without a password from
> within the container.
>
> As I understood, it was made to simplify some deployment cases. I see
> some steps for resolving this situation:
> 1. Fuel team should disallow execution of any puppet manifests or bash code on nodes with master role.
> 2. Append the Fuel documentation. Notify users about this security issue.
>
> What do you think about it? What deployment cases which require
> execution of code on role "master" do you know?
>
> --
> Best regards,
> Alexey
> Deployment Engineer
> Mirantis, Inc
> Cell: +7 (968) 880 2288
> Skype: shikelbober
> Slack: aelagin
> mailto:aela...@mirantis.com
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
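A check along the lines of step 1 in the quoted message, as an added example that is not part of the thread or of Fuel's own code: it scans a plugin task file and reports tasks that would run shell or puppet code on role "master". The key names (`role`, `groups`, `type`, `parameters`, `cmd`, `puppet_manifest`), the task type names and the sample YAML are assumptions constructed for illustration.

```ruby
require 'yaml'

# Assumed task layout (not taken from the thread): each entry is a mapping with
# 'role' or 'groups' (string or list), 'type', and 'parameters'.
EXEC_TYPES = %w[shell puppet].freeze # types assumed to run bash / puppet code
MASTER = 'master'

# Collect every role/group a task targets as an array of strings.
def targets(task)
  %w[role groups].flat_map { |key| Array(task[key]) }.map(&:to_s)
end

# Return one finding per task that would execute code on role "master".
def master_exec_tasks(yaml_text, file = 'tasks.yaml')
  tasks = YAML.safe_load(yaml_text) || []
  raise ArgumentError, "#{file}: expected a list of tasks" unless tasks.is_a?(Array)

  tasks.each_with_index.filter_map do |task, idx|
    next unless task.is_a?(Hash) && targets(task).include?(MASTER)
    next unless EXEC_TYPES.include?(task['type'].to_s)

    params = task['parameters'].is_a?(Hash) ? task['parameters'] : {}
    { file: file, index: idx, type: task['type'],
      payload: params['cmd'] || params['puppet_manifest'] }
  end
end

# Constructed sample input, not a real plugin.
SAMPLE = <<~YAML
  - role: ['controller']
    type: shell
    parameters: {cmd: ./deploy.sh, timeout: 42}
  - role: ['master']
    type: shell
    parameters: {cmd: ./prepare.sh, timeout: 60}
  - id: example-task
    type: puppet
    groups: [master, compute]
    parameters: {puppet_manifest: example.pp, timeout: 120}
  - role: master
    type: reboot
    parameters: {timeout: 300}
YAML

master_exec_tasks(SAMPLE).each do |f|
  puts "#{f[:file]}: task ##{f[:index]} (#{f[:type]}) targets master: #{f[:payload]}"
end
```

Run against each task file in a plugin before installing it; an empty result means no task in that file both targets "master" and has one of the assumed executing types.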