MAAS

previous owner of node can use oauth creds to retrieve current owner's user-data

Bug #1507586 reported by Scott Moser
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MAAS
Fix Released
Critical
Gavin Panella
MAAS 1.9.0

Bug Description

Currently, maas has no separation between 'instance' and 'node'. There is no unique information per "instance".

Thus, if I:
  a.) deploy a node
  b.) read oauth credentials from that node
  c.) return that node

I can read the user-data that the new owner provided . user-data might possibly contain sensitive information.

A secondary fallout of this if a node boots into an old installation maas thinks it was deployed and marks it DEPLOYED.

Related bugs:
 * bug 944325: no separation of instance id from node id

See original description

Related branches

lp:~allenap/maas/node-oauth-creds
Andres Rodriguez (community): Needs Information
Blake Rouse (community): Approve
Diff: 536 lines (+181/-72)
12 files modified
src/maasserver/models/interface.py (+19/-14)
src/maasserver/models/node.py (+12/-14)
src/maasserver/models/signals/__init__.py (+5/-3)
src/maasserver/models/signals/nodes.py (+37/-0)
src/maasserver/models/signals/tests/test_nodes.py (+74/-0)
src/maasserver/tests/test_commands_edit_named_options.py (+1/-1)
src/maasserver/tests/test_forms_nodegroup.py (+4/-0)
src/maasserver/utils/__init__.py (+0/-17)
src/maasserver/utils/tests/test_utils.py (+1/-17)
src/maasserver/websockets/tests/test_listener.py (+4/-0)
src/metadataserver/models/nodekey.py (+17/-6)
src/metadataserver/models/tests/test_nodekey.py (+7/-0)
Scott Moser (smoser)
summary: - previous occupent of node can use oauth creds to retrieve current
- owner's user-data
+ previous owner of node can use oauth creds to retrieve current owner's
+ user-data
Blake Rouse (blake-rouse)
Changed in maas:
status: New → Triaged
importance: Undecided → High
milestone: none → 1.9.0
Andres Rodriguez (andreserl)
Changed in maas:
importance: High → Critical
Scott Moser (smoser)
description: updated
Gavin Panella (allenap)
Changed in maas:
assignee: nobody → Gavin Panella (allenap)
status: Triaged → In Progress
Gavin Panella (allenap)
Changed in maas:
status: In Progress → Fix Committed
Andres Rodriguez (andreserl)
Changed in maas:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.