On 06/27/18 11:20, Matt Riedemann wrote:
> To be clear, this is exposing the exact same hashed host+project_id
> value via the metadata API that you can already get, as a non-admin
> user, from the compute REST API:
> https://github.com/openstack/nova/blob/c8b93fa2493dce82ef4c0b1e7a503ba9b81c2e86/nova/api/openstack/compute/views/servers.py#L135
> So I don't think it's a security issue at all.
I'm not sure I understand this rationale. Strictly speaking, I would
think that in order for this to be true, the set of authenticated
control plane users would have to always include the set of users who
can read the metadata from a guest. Which I'm pretty sure is not true
in the general case.
Am I missing something?
--
Michael Glasgow