On 2017-10-06 13:49:43 -0500 (-0500), Giuseppe de Candia wrote:
> Isn't user-data by definition available via the Metadata API,
> which isn't considered secure:
> https://wiki.openstack.org/wiki/OSSN/OSSN-0074
[...]
It depends on who you are. If you're the one deploying/running nova then you can take steps to make sure you set the environment up correctly so that won't be a problem.

The background on OSSN-0074 is that if you mis-configure the metadata service or do a bad job designing the network it's on, then unauthorized users can get access to others' metadata. The OSSN is sensationalizing the matter in an effort to get those deploying or using OpenStack to take notice and double-check their settings and network design, but the fundamental disconnect is that if you enable use_forwarded_for in the config then you'd better have an actual proxy fronting the service which (as they usually do) removes or rewrites any X-Forwarded-For header to its own IP address. This is basic network operations knowledge, but not everyone running OpenStack is careful to consider the consequences of accidentally enabling a "feature" they're not relying on. See https://launchpad.net/bugs/1563954 for the gory details.

--
Jeremy Stanley
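An added illustration of the point made above (my own code, not nova's and not part of this thread): a model of a metadata receiver that honours X-Forwarded-For whenever use_forwarded_for is set, beside a reverse proxy that rewrites the header, and the consistency check an operator would want before enabling the flag. All addresses and function names are constructed for the example.

```python
# Added illustration (not nova's own code) of the use_forwarded_for pitfall
# described above. All addresses are constructed sample values.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    peer_ip: str                                   # TCP peer the receiver sees
    headers: dict = field(default_factory=dict)    # HTTP headers as received


def metadata_caller_ip(req: Request, use_forwarded_for: bool) -> str:
    """Address a metadata service in the described configuration would use to
    decide whose metadata to return: with use_forwarded_for on, the header wins
    whenever it is present; otherwise the real TCP peer is used."""
    if use_forwarded_for and "X-Forwarded-For" in req.headers:
        return req.headers["X-Forwarded-For"]
    return req.peer_ip


def proxy_forward(req: Request, proxy_ip: str) -> Request:
    """What a correctly configured reverse proxy does before forwarding: it
    replaces (never appends to) any client-supplied X-Forwarded-For with the
    address it actually accepted the connection from, so the service behind
    it sees the proxy as its peer and a header the proxy vouches for."""
    headers = dict(req.headers)
    headers["X-Forwarded-For"] = req.peer_ip
    return Request(peer_ip=proxy_ip, headers=headers)


def deployment_is_consistent(use_forwarded_for: bool, proxy_ip: Optional[str]) -> bool:
    """Operator sanity check: the flag is only safe when a rewriting proxy
    actually fronts the service. Returns True if the caller address the service
    derives matches the instance that really sent the request, even when that
    request carries a header naming some other instance's address."""
    instance_ip, claimed_ip = "10.0.0.5", "10.0.0.9"   # constructed sample IPs
    req = Request(peer_ip=instance_ip, headers={"X-Forwarded-For": claimed_ip})
    if proxy_ip is not None:
        req = proxy_forward(req, proxy_ip)
    return metadata_caller_ip(req, use_forwarded_for) == instance_ip


if __name__ == "__main__":
    # The four combinations: only "flag on + proxy" and "flag off + no proxy"
    # identify the real instance; the other two attribute requests wrongly.
    for flag, proxy in [(True, None), (True, "10.0.0.2"), (False, None), (False, "10.0.0.2")]:
        print(f"use_forwarded_for={flag!s:5} proxy={proxy!s:9} "
              f"consistent={deployment_is_consistent(flag, proxy)}")
```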
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
