Documentation: instance image temp url and configdrive can be obtained via unauthorized API endpoint
Bug #1692511 reported by
Yuriy Zveryanskyy
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Ironic |
Fix Released
|
High
|
Unassigned | ||
Bug Description
For any node instance temp url and configdrive can be obtained if:
1) The node in DEPLOYWAIT state
2) Person has network access to ironic API (without authorization)
3) Conductor is able to send request to host that is controlled by person above
Obtaining data:
1) Prepare and run simple IPA API simulator on host
2) Send fake heartbeat with address of the host above to ironic API
3) Conductor send prepare image command with data to the host
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Related fix proposed to ironic (master) | #1 |
| summary: |
- Instance image temp url and configdrive can be obtained via unauthorized - API endpoint + Documentation: instance image temp url and configdrive can be obtained + via unauthorized API endpoint |
| Changed in ironic: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| tags: | added: documentation |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Change abandoned on ironic (master) | #2 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Related fix merged to ironic (master) | #3 |
| Changed in ironic: | |
| status: | Triaged → Fix Released |
To post a comment you must log in.
Related fix proposed to branch: master
Review: https:/