Comment 1 for bug 1681465

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Since this is working as designed and likely only indicates a need for improved documentation (therefore would not get a security advisory issued as there is no patch for downstream users to apply to automatically secure their deployments against the described scenario), I don't think we should bother to discuss it secretly under embargo. I also suspect this is very close to being a duplicate of bug 1435386 (at least in spirit) and ask that you evaluate its resulting documentation update at https://review.openstack.org/433321 to see whether that covers your concerns or could stand to be reiterated in other places in the admin guide, deployment documentation or security handbook.