[Maas-devel] State of RPC registration and security #2

Gavin Panella gavin.panella at canonical.com
Fri Oct 10 09:31:30 UTC 2014


On 10 October 2014 01:13, Andres Rodriguez <...> wrote:
> On Fri, Oct 10, 2014 at 1:31 AM, Gavin Panella <...> wrote:
...
> if we remove the secret and restart maas-cluster, the connection
> between cluster / region should fail. If we remove the cluster from
> the WebUI, it is gone for sure. In order for us to re-add this cluster
> we need to reconfigure the shared secret, and it will be added as a new
> cluster in the sense that it will need to re-download images and so
> on.

Yes, that's right. However, if you re-add a previously synced cluster,
you won't have to download all images again; the syncing code has the
smarts to only do what's needed.

...
>> > I have an idea to manage this from the packaging, so we request the
>> > shared secret when we are reconfiguring the cluster to point it to
>> > the Region Controller.
>>
>> That sounds good. If you obtain it as a hex-encoded string you can
>> feed it to maas-provision:
>>
>>     maas-provision install-shared-secret <<<${secret_as_hex}
>>
>> and it'll do the right thing, though beware of user/group.
>
> Where does the user know what the shared secret is? Is the Cluster
> page on the WebUI showing the shared secret? I think an admin should
> be able to login to the Cluster Page and look at the shared secret.

This is bug 1378993. I'm having second thoughts about putting this
secret in the UI actually. A command-line tool would be better I think.

>
> When registering the Cluster, it should simply tell the Cluster what
> the shared secret is.

No, we must *never* do that. That would eliminate one of the biggest
benefits we get from having a shared-secret that we never transmit in
the open: the ability to use it to transition to all-TLS transports (in
a point release) with some amount of trust between parties. Anyone can
do TLS, but doing it with trust is why we have CAs and suchlike.

I'll say that again because it's really important: MAAS must *never*
transmit the secret over the network. That must always be the task of an
administrator.
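
An added illustration, not part of the original message and not MAAS's actual RPC code: one way two parties that each hold the same administrator-installed secret can prove possession to each other without the secret ever crossing the network, using an HMAC over fresh nonces. The function names, role labels and the sample hex value are assumptions made for this sketch.

```python
import hashlib
import hmac
import os


def load_secret(secret_as_hex: str) -> bytes:
    """Decode the hex-encoded secret an administrator installed by hand."""
    secret = bytes.fromhex(secret_as_hex.strip())
    if len(secret) < 16:
        raise ValueError("shared secret is too short")
    return secret


def new_challenge() -> bytes:
    """Fresh random nonce; only this value travels over the wire."""
    return os.urandom(16)


def respond(secret: bytes, role: bytes, challenge: bytes) -> bytes:
    """Prove possession of the secret for one challenge.

    The role label (hypothetical: b"region" or b"cluster") binds the proof
    to the responder's side, so a response cannot be reflected to its sender.
    """
    return hmac.new(secret, role + b"|" + challenge, hashlib.sha256).digest()


def verify(secret: bytes, role: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time check of a peer's response against our own secret."""
    expected = respond(secret, role, challenge)
    return hmac.compare_digest(expected, response)


def mutual_handshake(region_secret: bytes, cluster_secret: bytes) -> bool:
    """Simulate both sides: each challenges the other and checks the proof."""
    region_nonce, cluster_nonce = new_challenge(), new_challenge()
    cluster_proof = respond(cluster_secret, b"cluster", region_nonce)
    region_proof = respond(region_secret, b"region", cluster_nonce)
    return (verify(region_secret, b"cluster", region_nonce, cluster_proof)
            and verify(cluster_secret, b"region", cluster_nonce, region_proof))


if __name__ == "__main__":
    # Constructed sample value standing in for ${secret_as_hex}.
    installed = load_secret("00112233445566778899aabbccddeeff")
    stale = load_secret("ff" * 16)
    print("same secret on both sides:", mutual_handshake(installed, installed))
    print("cluster holds a stale secret:", mutual_handshake(installed, stale))
```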
