https://blueprints.launchpad.net/fuel/+spec/snapshot-download-with-auth
Required authentication for downloading snapshots
It is possible to guess (by brute force) diagnostic snapshot name and as a result get access to all logins and passwords.
Diagnostic snapshot URL is currently handled by nginx, nailgun is not involved here. So we need to reconfigure nginx so this URL will be also handled by nailgun.
We could encrypt snapshot using asymmetric cryptography
None
Check for authentication. Returns empty response with X-Accel-Redirect header set to snapshot_name location on server.
Request Headers: | |
---|---|
|
|
Status Codes: |
|
None
The feature is intended to improve End User’s security in matter of unauthorized access to sensitive data.
None
User should be already authenticated when executing command in fuelclient:
fuel snapshot
None
None
None
Change will have impact on fuel-qa scripts. In order to make it work, we need to change the way snapshots are downloaded [2].
None
None
Integration tests are required for this change:
The most important thing is to not let End User to download snapshot without authentication.
Snapshot download will not be possible in command-line HTTP clients (like curl) without providing proper authentication token (from keystone) in “X-Auth-Token” header. It might break down scripts which are doing it this way, so it should be mentioned in the documentation.