previous owner of node can use oauth creds to retrieve current owner's user-data

Bug #1507586 reported by Scott Moser on 2015-10-19
This bug affects 1 person
Affects: MAAS
Importance: Critical
Assigned to: Gavin Panella

Bug Description

Currently, maas has no separation between 'instance' and 'node'. There is no unique information per "instance".

Thus, if I:
  a.) deploy a node
  b.) read oauth credentials from that node
  c.) return that node

I can read the user-data that the new owner provided. user-data might possibly contain sensitive information.

A secondary fallout of this is that if a node boots into an old installation, maas thinks it was deployed and marks it DEPLOYED.

Related bugs:
 * bug 944325: no separation of instance id from node id
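
A minimal model of the problem described above, as an added example that is not part of the original report and is not MAAS code: it replays steps a to c against a credential bound to the node, then against one bound to a single deployment and revoked on release. All class, method and node names are hypothetical, the user-data strings are constructed, and the deployment-scoped variant is an assumed mitigation, not necessarily the fix MAAS shipped.

```python
import secrets


class NodeScopedMetadata:
    """Behaviour the report describes: one credential per node, kept across owners."""

    def __init__(self):
        self.token = {}      # node_id -> credential handed to the machine
        self.user_data = {}  # node_id -> current owner's user-data

    def deploy(self, node_id, user_data):
        self.user_data[node_id] = user_data
        # Created once per node, then reused for every later deployment.
        return self.token.setdefault(node_id, secrets.token_hex(16))

    def release(self, node_id):
        self.user_data.pop(node_id, None)  # the credential survives the release

    def get_user_data(self, token):
        for node_id, known in self.token.items():
            if secrets.compare_digest(known, token):
                return self.user_data.get(node_id)
        return None  # unknown or revoked credential


class DeploymentScopedMetadata(NodeScopedMetadata):
    """Assumed mitigation: the credential belongs to one deployment ("instance")."""

    def deploy(self, node_id, user_data):
        self.user_data[node_id] = user_data
        self.token[node_id] = secrets.token_hex(16)  # fresh for each deployment
        return self.token[node_id]

    def release(self, node_id):
        super().release(node_id)
        self.token.pop(node_id, None)  # revoke when the node is returned


def stale_token_reads_new_owner_data(service):
    """Replay steps a-c from the report, then test the old credential."""
    old = service.deploy("node-1", "owner A user-data (constructed)")
    service.release("node-1")
    service.deploy("node-1", "owner B user-data (constructed)")
    return service.get_user_data(old) is not None


if __name__ == "__main__":
    for cls in (NodeScopedMetadata, DeploymentScopedMetadata):
        print(cls.__name__, stale_token_reads_new_owner_data(cls()))
```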


Scott Moser (smoser) on 2015-10-19
summary: - previous occupent of node can use oauth creds to retrieve current
- owner's user-data
+ previous owner of node can use oauth creds to retrieve current owner's
+ user-data
Changed in maas:
status: New → Triaged
importance: Undecided → High
milestone: none → 1.9.0
Changed in maas:
importance: High → Critical
Scott Moser (smoser) on 2015-10-22
description: updated
Gavin Panella (allenap) on 2015-10-26
Changed in maas:
assignee: nobody → Gavin Panella (allenap)
status: Triaged → In Progress
Gavin Panella (allenap) on 2015-10-30
Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
status: Fix Committed → Fix Released
This report contains Public information.