[Bug 978963] [NEW] add release note that OpenStack should be used on a protected network

Jamie Strandboge jamie at ubuntu.com
Wed Apr 11 14:19:42 UTC 2012


Public bug reported:

Much of OpenStack is hard-coded to use http instead of https. Of particular interest is keystone, which is the identity service for OpenStack. https://wiki.ubuntu.com/PrecisePangolin/ReleaseNotes/UbuntuCloud should state that accessing OpenStack over an unprotected network may expose credentials and other information. This is true (at least) when:
* keystone is on a separate server from the other OpenStack components
* horizon (the OpenStack Dashboard) is on a different system than keystone
* users access OpenStack remotely
* users access horizon (the OpenStack dashboard) over http

Adding horizon and keystone tasks.

** Affects: ubuntu-release-notes
     Importance: Undecided
         Status: New

** Affects: horizon (Ubuntu)
     Importance: High
         Status: Triaged

** Affects: keystone (Ubuntu)
     Importance: High
         Status: Triaged

** Affects: horizon (Ubuntu Precise)
     Importance: High
         Status: Triaged

** Affects: keystone (Ubuntu Precise)
     Importance: High
         Status: Triaged


** Tags: rls-p-tracking

** Also affects: horizon (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: keystone (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: horizon (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: keystone (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: keystone (Ubuntu Precise)
       Status: New => Triaged

** Changed in: horizon (Ubuntu Precise)
       Status: New => Triaged

** Changed in: keystone (Ubuntu Precise)
   Importance: Undecided => High

** Changed in: keystone (Ubuntu Precise)
    Milestone: None => ubuntu-12.04

** Changed in: horizon (Ubuntu Precise)
    Milestone: None => ubuntu-12.04

** Changed in: horizon (Ubuntu Precise)
   Importance: Undecided => High

** Description changed:

  Much of OpenStack is hard-coded to use http instead of https. Of particular interest is keystone which is the identity service for OpenStack. https://wiki.ubuntu.com/PrecisePangolin/ReleaseNotes/UbuntuCloud should state that accessing OpenStack over an unprotected network may expose credentials and other information. This is true (at least) when:
  * keystone is on a separate server from the other OpenStack components
  * horizon (the OpenStack Dashboard) is on a different system than keystone
  * users access OpenStack remotely
+ * users access horizon (the OpenStack dashboard) over http
  
  Adding horizon and keystone tasks.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/978963
