Nova API exposes hostId to non-admin
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) | Opinion | Wishlist | Unassigned | | |
Bug Description
When querying the details of a VM with a non-admin user, the hostId is included in the list.
This gives visibility to the end user of the spread of his/her tests among physical machines, and I think it shall only be visible to system admins.
REQ: curl -i http://[ip-masked]
RESP:{'date': 'Thu, 24 Nov 2011 10:24:37 GMT', 'status': '200', 'content-length': '902', 'content-type': 'application/json', 'content-location': 'http://[ip-masked]
security vulnerability: | yes → no |
visibility: | private → public |
Changed in nova: | |
importance: | Undecided → Wishlist |
status: | New → Confirmed |
Changed in nova: | |
status: | Confirmed → Opinion |
This was an explicit design decision of the OpenStack API. If you can explain how this might be harmful, I'd love to hear it.