Comment 72 for bug 1235450

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/havana)

Reviewed: https://review.openstack.org/61435
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=af2f823107010933ecd94a9c938f8b739baaecb7
Submitter: Jenkins
Branch: stable/havana

commit af2f823107010933ecd94a9c938f8b739baaecb7
Author: Aaron Rosen <email address hidden>
Date: Mon Oct 7 13:33:31 2013 -0700

    Prevent spoofing instance_id from neutron to nova

    Previously, one could update a port's device_id in neutron to be
    that of another tenant's instance_id and then be able to retrieve
    that instance's metadata. This patch prevents this from occurring by
    checking that X-Tenant-ID received from the metadata request matches
    the tenant_id in the nova database.

    DocImpact - This patch is dependent on another patch in neutron
                which adds X-Tenant-ID to the request. Therefore to
                minimize downtime one should upgrade Neutron first (then
                restart neutron-metadata-agent) and lastly update nova.

    Change-Id: I93bf662797c3986324ca2099b403833c2e990fb4
    Closes-Bug: #1235450
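
The check described in the commit message, as an added sketch that is not nova's code and not part of the original comment. The `X-Instance-ID` header name, the in-memory instance table, the function name and the status codes are assumptions made for illustration.

```python
# Added illustration of the tenant check from the commit message above.
# Not nova's implementation: function name, table and status codes are assumed.

# Constructed sample standing in for the nova database:
# instance_id -> owning tenant and that instance's metadata.
INSTANCES = {
    "inst-aaaa": {"tenant_id": "tenant-alice", "metadata": {"hostname": "alice-vm"}},
    "inst-bbbb": {"tenant_id": "tenant-bob", "metadata": {"hostname": "bob-vm"}},
}


def handle_metadata_request(headers, instances=INSTANCES):
    """Return (status, body) for a metadata request forwarded by the agent."""
    instance_id = headers.get("X-Instance-ID")
    tenant_id = headers.get("X-Tenant-ID")
    if not instance_id:
        return 400, "X-Instance-ID header is missing"
    if not tenant_id:
        # An agent that does not send X-Tenant-ID yet is refused outright,
        # which is why the commit message asks for neutron to be upgraded
        # (and neutron-metadata-agent restarted) before nova.
        return 400, "X-Tenant-ID header is missing"

    record = instances.get(instance_id)
    if record is None:
        return 404, "not found"

    # The fix: the tenant named in the request must own the instance
    # according to the compute-side record. A port whose device_id was set
    # to another tenant's instance_id fails here. The same 404 is returned
    # as for an unknown instance so the reply does not confirm that the
    # instance_id exists (a choice made in this sketch).
    if record["tenant_id"] != tenant_id:
        return 404, "not found"

    return 200, record["metadata"]


# Constructed requests: the owner's own request, and one where the port's
# device_id points at bob's instance while the port belongs to alice.
OWNER_REQUEST = {"X-Instance-ID": "inst-bbbb", "X-Tenant-ID": "tenant-bob"}
SPOOFED_REQUEST = {"X-Instance-ID": "inst-bbbb", "X-Tenant-ID": "tenant-alice"}
PRE_UPGRADE_REQUEST = {"X-Instance-ID": "inst-bbbb"}
```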