Reviewed: https://review.openstack.org/61439
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=bd4a85d67f091382752d75b95f9cfd076431f30e
Submitter: Jenkins
Branch: master
commit bd4a85d67f091382752d75b95f9cfd076431f30e
Author: Aaron Rosen <email address hidden>
Date: Mon Oct 7 15:34:38 2013 -0700
Add X-Tenant-ID to metadata request
Previously, one could update a port's device_id to be that of
another tenant's instance_id and then be able to retrieve that
instance's metadata. In order to prevent this, X-Tenant-ID is now
passed in the metadata request to nova and nova then checks that
X-Tenant-ID also matches the tenant_id for the instance against its
database to ensure it's not being spoofed.
DocImpact - When upgrading OpenStack nova and neutron, neutron
should be updated first (and neutron-metadata-agent
restarted before nova is upgraded) in order to minimize
downtime. This is because there is also a patch to nova
which checks X-Tenant-ID against its database,
therefore neutron-metadata-agent needs to pass that
before nova is upgraded for metadata to work.
Change-Id: I2b8fa2f561a7f2914608e68133abf15efa95015a
Closes-Bug: #1235450
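The check the commit message describes, as an added illustration that is not code from the neutron or nova change itself: the proxy forwards the port owner's tenant as X-Tenant-ID, and nova refuses to serve metadata unless that tenant also owns the instance named by the (signed) X-Instance-ID. The instance and port records, the shared secret and the function names are constructed; the in-memory dicts stand in for the two databases.

```python
import hmac
import hashlib

# Constructed sample records standing in for the nova and neutron databases.
# Tenant B has pointed its own port's device_id at tenant A's instance.
NOVA_INSTANCES = {
    "inst-a": {"project_id": "tenant-a", "metadata": {"hostname": "a-vm"}},
    "inst-b": {"project_id": "tenant-b", "metadata": {"hostname": "b-vm"}},
}
NEUTRON_PORTS = {
    "port-a": {"tenant_id": "tenant-a", "device_id": "inst-a"},
    "port-b": {"tenant_id": "tenant-b", "device_id": "inst-a"},  # repointed device_id
}
SHARED_SECRET = b"constructed-metadata-proxy-secret"  # hypothetical value


def sign_instance_id(instance_id):
    """Proxy and nova share this secret; the signature proves the proxy set X-Instance-ID."""
    return hmac.new(SHARED_SECRET, instance_id.encode(), hashlib.sha256).hexdigest()


def proxy_headers(port_id):
    """Headers the metadata proxy forwards for a request arriving on port_id (simplified)."""
    port = NEUTRON_PORTS[port_id]
    instance_id = port["device_id"]
    return {
        "X-Instance-ID": instance_id,
        "X-Instance-ID-Signature": sign_instance_id(instance_id),
        "X-Tenant-ID": port["tenant_id"],  # the header the fix adds
    }


def _verified_instance(headers):
    """Return the instance record only if X-Instance-ID carries a valid proxy signature."""
    instance_id = headers["X-Instance-ID"]
    expected = sign_instance_id(instance_id)
    if not hmac.compare_digest(expected, headers["X-Instance-ID-Signature"]):
        return None
    return NOVA_INSTANCES.get(instance_id)


def nova_metadata_before_fix(headers):
    """Trusts the signed X-Instance-ID alone: any port naming the instance gets its metadata."""
    instance = _verified_instance(headers)
    return instance["metadata"] if instance else None


def nova_metadata_after_fix(headers):
    """Also requires the port owner's tenant to own the instance; otherwise treat as not found."""
    instance = _verified_instance(headers)
    if instance is None or instance["project_id"] != headers.get("X-Tenant-ID"):
        return None
    return instance["metadata"]
```

With the spoofed port-b, the pre-fix lookup hands out tenant A's metadata while the post-fix lookup returns nothing, which is the behaviour the upgrade note above depends on (nova rejects requests until the proxy sends X-Tenant-ID).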