[Maas-devel] State of RPC registration and security #2
Andres Rodriguez
andres.rodriguez at canonical.com
Fri Oct 10 10:04:56 UTC 2014
On Oct 10, 2014 11:31 AM, "Gavin Panella" <gavin.panella at canonical.com>
wrote:
>
> On 10 October 2014 01:13, Andres Rodriguez <...> wrote:
> > On Fri, Oct 10, 2014 at 1:31 AM, Gavin Panella <...> wrote:
> ...
> > if we remove the secret and restart maas-cluster, the connection
> > between cluster / region should fail. If we remove the cluster from
> > the WebUI, it is gone for sure. In order for us to re-add this cluster
> > we need to reconfigure the shared secret, and it will be added as a new
> > cluster in the sense that it will need to re-download images and so
> > on.
>
> Yes, that's right. However, if you re-add a previously synced cluster,
> you won't have to download all images again; the syncing code has the
> smarts to only do what's needed.
>
> ...
> >> > I have an idea to manage this from the packaging, so we request the
> >> > shared secret when we are reconfiguring the cluster to point it to
> >> > the Region Controller.
> >>
> >> That sounds good. If you obtain it as a hex-encoded string you can
> >> feed it to maas-provision:
> >>
> >> maas-provision install-shared-secret <<<${secret_as_hex}
> >>
> >> and it'll do the right thing, though beware of user/group.
> >
> > Where does the user know what the shared secret is? Is the Cluster
> > page on the WebUI showing the shared secret? I think an admin should
> > be able to login to the Cluster Page and look at the shared secret.
>
> This is bug 1378993. I'm having second thoughts about putting this
> secret in the UI actually. A command-line tool would be better I think.
What was discussed this week is that the cluster page should be able to
generate a token and use that token to tell the cluster to register to the
region. We can have a show shared secret or token that will be used for
registration. The command line should also be there but also UI.
>
> >
> > When registering the Cluster, it should simply tell the Cluster what
> > the shared secret is.
>
> No, we must *never* do that. That would eliminate one of the biggest
> benefits we get from having a shared-secret that we never transmit in
> the open: the ability to use it to transition to all-TLS transports (in
> a point release) with some amount of trust between parties. Anyone can
> do TLS, but doing it with trust is why we have CAs and suchlike.
>
> I'll say that again because it's really important: MAAS must *never*
> transmit the secret over the network. That must always be the task of an
> administrator.
What was discussed this week was essentially creating a token on the Region
Cluster Page, and using that token to register the cluster with the region.
The shared secret seems to be this token for the time being. Right?
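
The point above about never transmitting the secret, as an added example that is not part of the original thread and is not MAAS code: region and cluster each prove they hold the same administrator-installed hex secret by exchanging HMAC tags over fresh nonces, so only nonces and tags cross the network. The function names, role labels and message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 32  # fixed length keeps the MAC input unambiguous


def new_secret_hex(nbytes: int = 16) -> str:
    """Random secret as hex, the form an administrator installs by hand."""
    return secrets.token_hex(nbytes)


def proof(secret_hex: str, role: bytes, sender_nonce: bytes, receiver_nonce: bytes) -> bytes:
    """Tag proving knowledge of the secret, bound to the sender's role and both nonces."""
    key = bytes.fromhex(secret_hex.strip())  # tolerate the newline a here-string appends
    msg = role + b"|" + sender_nonce + receiver_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(secret_hex: str, role: bytes, sender_nonce: bytes,
           receiver_nonce: bytes, tag: bytes) -> bool:
    """Recompute the peer's tag locally and compare in constant time."""
    expected = proof(secret_hex, role, sender_nonce, receiver_nonce)
    return hmac.compare_digest(expected, tag)


def handshake(region_secret_hex: str, cluster_secret_hex: str) -> dict:
    """Simulate both ends; 'wire' lists every value that was transmitted."""
    region_nonce = secrets.token_bytes(NONCE_LEN)
    cluster_nonce = secrets.token_bytes(NONCE_LEN)
    # Each side tags (its role, its nonce, the peer's nonce). The role label
    # stops one side's tag from being reflected back as the other's.
    cluster_tag = proof(cluster_secret_hex, b"cluster", cluster_nonce, region_nonce)
    region_tag = proof(region_secret_hex, b"region", region_nonce, cluster_nonce)
    return {
        "wire": [region_nonce, cluster_nonce, cluster_tag, region_tag],
        "region_accepts_cluster": verify(
            region_secret_hex, b"cluster", cluster_nonce, region_nonce, cluster_tag),
        "cluster_accepts_region": verify(
            cluster_secret_hex, b"region", region_nonce, cluster_nonce, region_tag),
    }


if __name__ == "__main__":
    shared = new_secret_hex()  # constructed sample secret, installed on both sides
    ok = handshake(shared, shared)
    bad = handshake(shared, new_secret_hex())  # cluster holds a different secret
    print("matching secrets:", ok["region_accepts_cluster"], ok["cluster_accepts_region"])
    print("mismatched secrets:", bad["region_accepts_cluster"], bad["cluster_accepts_region"])
```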