Reviewed: https://review.openstack.org/61428
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=bce36e9bdb1fcb9658f7b684d160e656e88d816c
Submitter: Jenkins
Branch: master
commit bce36e9bdb1fcb9658f7b684d160e656e88d816c
Author: Aaron Rosen <email address hidden>
Date: Mon Oct 7 13:33:31 2013 -0700
Prevent spoofing instance_id from neutron to nova
Previously, one could update a port's device_id in neutron to be
that of another tenant's instance_id and then be able to retrieve
that instance's metadata. This patch prevents this from occurring by
checking that X-Tenant-ID received from the metadata request matches
the tenant_id in the nova database.
DocImpact - This patch is dependent on another patch in neutron
which adds X-Tenant-ID to the request. Therefore to
minimize downtime one should upgrade Neutron first (then
restart neutron-metadata-agent) and lastly update nova.
Change-Id: I93bf662797c3986324ca2099b403833c2e990fb4
Closes-Bug: #1235450
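As an added illustration, not nova's code and not part of the bug thread, a Python sketch of the check this commit describes: the proxy forwards the port's device_id as the instance id and the port's tenant as X-Tenant-ID, and nova only serves metadata when that tenant matches the instance's project_id. The header names other than X-Tenant-ID, the HMAC signing of the instance id, the shared secret and the sample instance table are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-in for nova's instances table: uuid -> project_id (tenant) and hostname.
NOVA_INSTANCES = {
    "aaaaaaaa-0000-4000-8000-000000000001": {"project_id": "tenant-a", "hostname": "web-a"},
    "bbbbbbbb-0000-4000-8000-000000000002": {"project_id": "tenant-b", "hostname": "db-b"},
}
# Constructed shared secret between neutron-metadata-agent and nova-api (assumption).
SHARED_SECRET = b"constructed-shared-secret"


def sign_instance_id(instance_id: str) -> str:
    """HMAC-SHA256 over the instance id; the proxy is assumed to sign X-Instance-ID this way."""
    return hmac.new(SHARED_SECRET, instance_id.encode(), hashlib.sha256).hexdigest()


def proxy_headers(port_device_id: str, port_tenant_id: str) -> dict:
    """Headers the metadata proxy adds when forwarding a request (assumed names except X-Tenant-ID).

    A tenant can set device_id on its own port; the port's tenant_id it cannot change.
    """
    return {
        "X-Instance-ID": port_device_id,
        "X-Instance-ID-Signature": sign_instance_id(port_device_id),
        "X-Tenant-ID": port_tenant_id,
    }


def _signed_instance(headers: dict):
    """Return the nova record for X-Instance-ID if the proxy's signature is valid, else None."""
    instance_id = headers.get("X-Instance-ID", "")
    sig = headers.get("X-Instance-ID-Signature", "")
    if not hmac.compare_digest(sign_instance_id(instance_id), sig):
        return None
    return NOVA_INSTANCES.get(instance_id)


def metadata_before_fix(headers: dict):
    """Pre-fix lookup: any correctly signed instance id is served, whoever owns the port."""
    return _signed_instance(headers)


def metadata_after_fix(headers: dict):
    """Post-fix lookup: X-Tenant-ID must equal the instance's project_id in nova."""
    record = _signed_instance(headers)
    if record is None or headers.get("X-Tenant-ID") != record["project_id"]:
        return None  # reject without revealing whether the instance exists
    return record
```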