Comment 51 for bug 1235450

Aaron Rosen (arosen) wrote : Re: Metadata is unsecure

Hi Jeremy,

Nope, a Neutron router is actually not something that nova manages.

Here's the whole history of this bug. Back in Folsom times (or if using nova-network), the way that metadata works is that nova would look at the source address of the HTTP GET request to 169.254.169.254. Since neutron allows you to have overlapping ip_addresses, using the source_ip address would no longer work because that was no longer unique. To fix this issue the neutron-metadata-agent was created. This agent intercepts requests to the metadata server at the neutron router. Since we do not allow overlapping ip addresses to be attached to the same router, we are able to determine which port made the metadata request. When a metadata request comes in, the neutron metadata agent would query neutron (using the source_ip) for the port's device_id (which matches the nova-instance-id) and insert that as the X-Instance-ID in the metadata request to nova.

Since the device_id on a neutron port is update-able as a tenant, a tenant can change the device_id on his port to any instance_id to extract that instance's metadata. The patches attached fix this issue by also passing the tenant_id in the metadata request. This is something that the tenant is not able to change. Then the tenant_id is also checked on the nova side to make sure that they match. This ensures that one cannot get around this by spoofing.
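As an added illustration (not code from the attached patches), a small model of the lookup chain the comment describes: the agent maps the requesting port to headers, and the nova side either trusts X-Instance-ID alone (the behaviour before the fix) or additionally requires that the instance's owner equal the port's tenant_id. The port and instance tables are constructed sample data, and the header name X-Tenant-ID is an assumption, since the comment only names X-Instance-ID.

```python
# Added example modelling the neutron-metadata-agent -> nova flow from the
# comment. All tables and ids below are constructed sample data.

# Constructed nova instance table: instance id -> owning project + metadata.
NOVA_INSTANCES = {
    "inst-a": {"project_id": "tenant-1", "metadata": "metadata-of-a"},
    "inst-b": {"project_id": "tenant-2", "metadata": "metadata-of-b"},
}


def agent_build_headers(port):
    """Model of the neutron-metadata-agent: it has already resolved the
    request's source IP to a neutron port and forwards that port's
    device_id (tenant-writable) and tenant_id (not tenant-writable).
    The X-Tenant-ID header name is an assumption."""
    return {
        "X-Instance-ID": port["device_id"],
        "X-Tenant-ID": port["tenant_id"],
    }


def nova_lookup_unchecked(headers):
    """Pre-fix nova side: X-Instance-ID is trusted on its own, so whatever
    device_id the port carries decides whose metadata is returned."""
    inst = NOVA_INSTANCES.get(headers["X-Instance-ID"])
    return inst["metadata"] if inst else None


def nova_lookup_checked(headers):
    """Post-fix nova side: the instance must belong to the tenant that owns
    the requesting port; any mismatch is refused (returns None)."""
    inst = NOVA_INSTANCES.get(headers["X-Instance-ID"])
    if inst is None or inst["project_id"] != headers["X-Tenant-ID"]:
        return None
    return inst["metadata"]


def serve(port, checked=True):
    """One request end to end for the given neutron port record."""
    headers = agent_build_headers(port)
    return nova_lookup_checked(headers) if checked else nova_lookup_unchecked(headers)


if __name__ == "__main__":
    own = {"device_id": "inst-a", "tenant_id": "tenant-1"}
    # Same port, but device_id edited to point at another tenant's instance.
    edited = {"device_id": "inst-b", "tenant_id": "tenant-1"}
    print("own port, checked:     ", serve(own))
    print("edited port, unchecked:", serve(edited, checked=False))
    print("edited port, checked:  ", serve(edited))
```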