Comment 2 for bug 944325

Currently, maas has no separation between 'instance' and 'node'. There is no unique information per "instance".

Thus, if I:
  a.) deploy a node
  b.) read oauth credentials from that node
  c.) return that node

I can read the user-data that the new owner provided . user-data might possibly containing sensitive information.

A secondary fallout of this if a node boots into an old installation maas thinks it was deployed and marks it DEPLOYED.