diff options
author | Aaron Rosen <arosen@nicira.com> | 2013-10-07 13:33:31 -0700 |
---|---|---|
committer | Aaron Rosen <aaronorosen@gmail.com> | 2013-12-11 12:38:47 -0800 |
commit | af2f823107010933ecd94a9c938f8b739baaecb7 (patch) | |
tree | f4747c4e814a29e037a4448bb1fc2352ea8a7e3f /tools/lintstack.sh | |
parent | 5a9551d91b30af3da122bf9516ec346d8c725ee4 (diff) | |
download | nova-af2f823107010933ecd94a9c938f8b739baaecb7.tar.gz |
Prevent spoofing instance_id from neutron to nova
Previously, one could update a port's device_id in neutron to be
that of another tenant's instance_id and then be able to retrieve
that instance's metadata. This patch prevents this from occurring by
checking that X-Tenant-ID received from the metadata request matches
the tenant_id in the nova database.
DocImpact - This patch is dependent on another patch in neutron
which adds X-Tenant-ID to the request. Therefore to
minimize downtime one should upgrade Neutron first (then
restart neutron-metadata-agent) and lastly update nova.
Change-Id: I93bf662797c3986324ca2099b403833c2e990fb4
Closes-Bug: #1235450
Diffstat (limited to 'tools/lintstack.sh')
0 files changed, 0 insertions, 0 deletions