Hi Folks,
I'm still processing all this information - thanks for your help!
--Pino
On Wed, Oct 4, 2017 at 7:58 AM, Jeremy Stanley wrote:
> On 2017-10-04 10:47:02 +0100 (+0100), Luke Hinds wrote:
> [...]
> > The recommendation is not to use metadata for security sensitive
> > data (it's possibl
On 2017-10-04 10:47:02 +0100 (+0100), Luke Hinds wrote:
[...]
> The recommendation is not to use metadata for security sensitive
> data (it's possible to spoof by setting an X-Forwarded header),
> please see the following OpenStack Security Note on the topic:
>
> https://wiki.openstack.org/wiki/OSSN
There is an assumption that you've got solid network security on the
path between your guests and your nova-API. Either because you've got a
secure network path, or you run the neutron proxy server on the host
itself, and so this is a no hop call. Because this is a bootstrapping
problem, and the gu
On Tue, Oct 3, 2017 at 11:00 PM, Giuseppe de Candia <
giuseppe.decan...@gmail.com> wrote:
> Hi Folks,
>
>
> Are there any documented conventions regarding the security model for
> MetaData?
>
>
> Note that CloudInit allows passing user and ssh service public/private
> keys via MetaData service (or
Referring to the original question
'Note that CloudInit allows passing user and ssh service public/private
keys via MetaData service (or ConfigDrive). One assumes it must be secure,
but I have not found a security model or documentation.'
The metadata service is as secure as underlying infrastru
Hi,
You can configure the metadata service to be secure. You just need to make sure
that nova is configured correctly. FYI -
https://github.com/openstack/neutron/blob/master/neutron/conf/agent/metadata/config.py#L68
Thanks
Gary
On 10/4/17, 7:01 AM, "Joshua Harlow" wrote:
I would treat the
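As an added illustration of the shared-secret scheme that the neutron option Gary links to configures (this is example code written for this thread, not nova's or neutron's own implementation), the proxy signs the instance id it resolved from the guest's IP, and the API side refuses to trust an X-Instance-ID header whose signature does not verify. Header names, the option name metadata_proxy_shared_secret and the sample values are assumptions not stated in the thread.

```python
import hashlib
import hmac

# Constructed sample secret. Assumption: in a real deployment this is the
# metadata_proxy_shared_secret shared by the neutron metadata agent and nova.
SHARED_SECRET = b"constructed-example-secret"


def sign_instance_id(instance_id: str, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the instance id, as a trusted proxy would compute it."""
    return hmac.new(secret, instance_id.encode(), hashlib.sha256).hexdigest()


def proxy_headers(instance_id: str, tenant_id: str, guest_ip: str) -> dict:
    """Headers a metadata proxy attaches after mapping guest_ip -> instance.

    The guest never sends these itself; the proxy adds them on the trusted
    hop that Jeremy's reply describes. (Header names are assumptions.)
    """
    return {
        "X-Forwarded-For": guest_ip,
        "X-Instance-ID": instance_id,
        "X-Tenant-ID": tenant_id,
        "X-Instance-ID-Signature": sign_instance_id(instance_id),
    }


def verify_request(headers: dict, secret: bytes = SHARED_SECRET):
    """API-side check: return the instance id to serve, or None to reject.

    X-Forwarded-For alone is never used as identity, because any client on
    the path could set it; only a correctly signed X-Instance-ID is trusted.
    With no secret configured the scheme gives no assurance, so reject.
    """
    instance_id = headers.get("X-Instance-ID")
    signature = headers.get("X-Instance-ID-Signature", "")
    if not instance_id or not secret:
        return None
    expected = sign_instance_id(instance_id, secret)
    # Constant-time comparison so the check leaks nothing about the MAC.
    if not hmac.compare_digest(expected, signature):
        return None
    return instance_id


if __name__ == "__main__":
    good = proxy_headers("inst-a", "tenant-1", "10.0.0.5")
    print("proxied request ->", verify_request(good))
    spoofed = {"X-Forwarded-For": "10.0.0.9", "X-Instance-ID": "inst-b"}
    print("header-only request ->", verify_request(spoofed))
```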
I would treat the metadata service as not secure.
From amazon docs (equivalent can be said about openstack):
'''
Important
Although you can only access instance metadata and user data from within
the instance itself, the data is not protected by cryptographic methods.
Anyone who can access th
Hi Folks,
Are there any documented conventions regarding the security model for
MetaData?
Note that CloudInit allows passing user and ssh service public/private keys
via MetaData service (or ConfigDrive). One assumes it must be secure, but I
have not found a security model or documentation.
M