[Bug 914164] Re: [MIR] horizon

Jamie Strandboge jamie at ubuntu.com
Wed Apr 11 14:22:02 UTC 2012


I performed a shallow review of horizon:

CVE history: no, but the code is new. That said, upstream is very
responsive and the server team is committed to it and active with
upstream.

Embeds some jquery scripts from jquery-goodies (they are newer than what
is in the archive) in horizon/static/horizon/js/jquery/

Not lintian clean

No upstart jobs or initscripts, no dbus services or setuid programs. No
cron jobs. No sudoers fragments.

Uses python-django, so a lot of security features are enabled (CSRF
protections (verified in use), etc)

Allows downloading of EC2 and OpenStack credentials. The openstack .rc
file that is downloaded prompts for the password, so that is good
(though the OS_USERNAME and OS_TENANT_NAME are in there). The EC2
credentials give the EC2_ACCESS_KEY and EC2_SECRET_KEY. This is all
delivered over http. The http://openstack/settings/* pages should
probably warn that this is happening over an insecure connection.
Setting up apache to use ssl and accessing horizon works fine.

horizon connects to keystone via http://, so it needs to be on a
protected LAN.

http://openstack/nova/images_and_snapshots/ gave me a full traceback.
The packaging should be adjusted to hide these as it might provide
information to an attacker. Specifically at the bottom of the page I
see: "You're seeing this error because you have DEBUG = True in your
Django settings file. Change that to False, and Django will display a
standard 500 page."

Other pages with tracebacks (related to usage I think):
http://openstack/nova/instances_and_volumes/
http://openstack/nova/images_and_snapshots/

Conditional ACK provided the following are addressed:
- set 'DEBUG = False'
- while an administrator should know that setting up horizon for access over http:// would expose credentials, it would be good if the settings pages warned if the user was accessing the urls via http:// in some manner
- a release note should be added that horizon needs to connect to keystone over a protected network (LP: #978963)

** Changed in: horizon (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: horizon (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => Chuck Short (zulcss)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/914164

Title:
  [MIR] horizon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/914164/+subscriptions
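The checks the review asks for, as an added example that is not part of the mail above and not Horizon's or Ubuntu's own code: it evaluates a Horizon local_settings.py the way Django does (the file is plain Python), reports the three conditions the review raises (DEBUG left on, keystone reached over http://, cookies not restricted to TLS), and builds the insecure-connection warning suggested for the settings pages. The two settings fragments are constructed; DEBUG is a standard Django setting, while OPENSTACK_HOST and OPENSTACK_KEYSTONE_URL are assumed Horizon setting names, and SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE are standard Django settings not mentioned in the review. The warning helper is meant to be called from a view with request.is_secure(), request.get_host() and request.path; that wiring is assumed, not shown.

```python
"""Lint a Horizon local_settings.py for the findings in the MIR review and
build the http:// warning for the credential-download pages.

Added example only; not code from Horizon, Django or the Ubuntu packaging.
"""
from urllib.parse import urlsplit

# Constructed sample: the configuration the review found (DEBUG on, keystone
# over plain http, session cookie allowed over http). OPENSTACK_HOST and
# OPENSTACK_KEYSTONE_URL are assumed Horizon setting names.
WEAK_SETTINGS = '''
DEBUG = True
TEMPLATE_DEBUG = DEBUG
OPENSTACK_HOST = "127.0.0.1"
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST
SESSION_COOKIE_SECURE = False
'''

# Constructed sample: the same file with the review's conditions addressed
# and the cookies pinned to TLS (an addition beyond what the review lists).
HARDENED_SETTINGS = '''
DEBUG = False
TEMPLATE_DEBUG = DEBUG
OPENSTACK_HOST = "keystone.internal"
OPENSTACK_KEYSTONE_URL = "https://%s:5000/v2.0" % OPENSTACK_HOST
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
'''


def load_settings(source):
    """Execute a settings module as Django would and return the uppercase
    names it defines (Django only reads uppercase names from settings)."""
    namespace = {}
    exec(compile(source, "<local_settings>", "exec"), namespace)
    return {k: v for k, v in namespace.items() if k.isupper()}


def lint_settings(settings):
    """Return a list of findings matching the review's conditional ACK."""
    findings = []
    if settings.get("DEBUG", False):
        findings.append("DEBUG = True: Django renders full tracebacks to any client")
    keystone = settings.get("OPENSTACK_KEYSTONE_URL", "")
    if urlsplit(keystone).scheme == "http":
        findings.append("keystone is reached over http://; restrict to a protected network")
    if not settings.get("SESSION_COOKIE_SECURE", False):
        findings.append("SESSION_COOKIE_SECURE is off: session cookie may be sent over http://")
    if not settings.get("CSRF_COOKIE_SECURE", False):
        findings.append("CSRF_COOKIE_SECURE is off: CSRF token may be sent over http://")
    return findings


def insecure_transport_warning(is_secure, host, path):
    """Warning for the settings/credential pages when the request did not
    arrive over TLS. Feed it request.is_secure(), request.get_host() and
    request.path from a Django view (assumed usage); None means no warning."""
    if is_secure:
        return None
    return ("You are accessing http://%s%s over an insecure connection; "
            "credentials downloaded from this page are sent in clear text."
            % (host, path))


if __name__ == "__main__":
    for label, src in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, lint_settings(load_settings(src)) or ["ok"])
    print(insecure_transport_warning(False, "openstack", "/settings/"))
```

Running the lint against the packaged local_settings.py before upload is a cheap way to confirm the DEBUG condition of the ACK is met; the warning helper covers the second condition once a view passes it request.is_secure().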
