Monday, October 3 • 5:30pm - 5:55pm
Secure control path for Nova-volume attach

We believe that the method used in Nova-Diablo to attach volumes has a security vulnerability that could enable a rogue VM to access other users' volumes.

In Diablo, the API request is passed directly from the API node to the Nova Compute node, where it calls the driver-specific method to attach the volume. While the API request is authenticated at the API node, this authentication is not enforced at the Compute node. It is theoretically possible for a rogue VM to take control of its host. In such a scenario it could potentially attach, and then read, erase, etc., any user's volume.

In the case where storage is via a SAN-type solution, and the nova-volume service is not running on the same host as nova-compute, we would like to add a step to the execution path of the request that first calls a driver method on the Nova Volume node, which can be used to enable access to the volume from the destination Compute node. Where this method has not been called for a specific volume/compute host combination, the SAN will be able to block access requests to other volumes, narrowing the amount of accessible data considerably. For existing volume drivers, this will be a no-op and no code changes are required of them.
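The proposed control path for the SAN case can be modelled in a few lines. This is an added sketch, not code from Nova or from the session: the `San` class, the `enable_access` method name, and the volume, user and host names are all hypothetical.

```python
class AccessDenied(Exception):
    pass

class San:
    """Constructed stand-in for a SAN that enforces per-host volume access."""
    def __init__(self):
        self._allowed = set()  # (volume_id, compute_host) pairs enabled so far

    def grant(self, volume_id, host):
        self._allowed.add((volume_id, host))

    def connect(self, volume_id, host):
        if (volume_id, host) not in self._allowed:
            raise AccessDenied(f"{host} is not enabled for {volume_id}")
        return f"session:{host}:{volume_id}"

class SanVolumeDriver:
    """Runs on the volume node. enable_access is a hypothetical method name."""
    def __init__(self, san):
        self.san = san

    def enable_access(self, volume_id, host):
        self.san.grant(volume_id, host)

def api_attach(user, volume_id, host, owners, driver, san):
    """Authenticated path: API node -> volume node -> compute node."""
    if owners.get(volume_id) != user:
        raise AccessDenied(f"{user} does not own {volume_id}")
    driver.enable_access(volume_id, host)  # the added control-path step
    return san.connect(volume_id, host)    # compute node opens the volume

def exposed_to(host, owners, san):
    """Volumes the SAN would serve to this host if it bypassed the API."""
    exposed = []
    for volume_id in sorted(owners):
        try:
            san.connect(volume_id, host)
            exposed.append(volume_id)
        except AccessDenied:
            pass
    return exposed

def demo():
    owners = {"vol-a": "alice", "vol-b": "bob", "vol-c": "carol"}  # constructed
    san = San()
    driver = SanVolumeDriver(san)
    api_attach("alice", "vol-a", "compute-1", owners, driver, san)
    return exposed_to("compute-1", owners, san), exposed_to("compute-2", owners, san)

if __name__ == "__main__":
    print(demo())
```

After one legitimate attach, the SAN serves only that volume to `compute-1` and nothing to `compute-2`, which is the narrowing of accessible data the abstract describes.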

Monday October 3, 2011 5:30pm - 5:55pm EDT
Salon A