Comment 57 for bug 1235450
Revision history for this message
| yong sheng gong (gongysh) wrote Re: Metadata is unsecure | #57 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
the problem is that the user can change 'device-id', how about disabling to update the device-id once upon the device-id is assigned value?
with the solution:
In order to fix this issue I believe we need to also pass the tenant-id in the metadata request to nova. When nova receives the request it will now have to query it's database using the instance_id and check that the tenant_id's match. Using the tenant_id solves this issue as the user is not allowed to specify or update this field.
one user can still steal all the instance's metadata belong to the same tenant.