** Changed in: nova
       Status: Incomplete => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1278526

Title:
  EC2 signature verification does not take port into account

Status in OpenStack Compute (Nova):
  Opinion

Bug description:
  Nova Version: master (and probably previous)
  Tested with euca2ools 3.0.2-1 on Debian
  Line numbers based on commit 48e8f992f46862cb4f50fe0cc9b77a3017e7bb23 in 
master for nova, commit 8557e4756e8a326579df826076478d98ca634345 in master for 
keystone.

  EC2 protocol requires "Signature" calculated for every request. The signature 
is calculated from:  access_key, signature, host, verb, path and params.
  These values together with the signature are passed to Keystone for 
verification as seen in: 
https://github.com/openstack/nova/blob/master/nova/api/ec2/__init__.py#L201-L232

  Verification is done by Kestone's check_signature functon define:
  
https://github.com/openstack/keystone/blob/master/keystone/contrib/ec2/controllers.py#L53-L67

  The root of the problem:
  - euca2ools use port in host field ("hostname.of.endpoint:8773" for signing 
signature
  - keystone takes into account that client signing the request may append the 
port into the "host" field and does the signature verification twice: with the 
port and without
  - nova never passes the port along with the host to keystone (line 205 of 
nova/api/ec2/__init__.py)

  This results in always incorrect signature rendering EC2 protocol
  useless for clients that append port to the host. It is not an issue
  if the port is not used to calculate signature if such clients exist.

  Simple fix: append the port in /nova/api/ec2/__init__.py line 204.

  Actual problem: for deployments that use SSL termination proxy and/or rewrite 
URLs, the port visible to the client is not necessarily the standard port used 
by Nova for EC2 (8773) nor the one specified in the configuration for nova to 
listen on.
  Therefore, I suggest to create a new configuration option for this purpose, 
which dynamically defaults to ec2_listen_port (usually 8773).
  It also seems that "ec2_port" configuration option can be used for that 
purpose as it already has this meaning to hold port visible by the user, not 
the one that EC2 API is listening on.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1278526/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to