8799cb942a
Previously, one could update a port's device_id to be that of another tenant's instance_id and then be able to retrieve that instance's metadata. In order to prevent this, X-Tenant-ID is now passed in the metadata request to nova, and nova then checks that X-Tenant-ID also matches the tenant_id for the instance against its database to ensure it's not being spoofed.

DocImpact - When upgrading OpenStack nova and neutron, neutron should be updated first (and neutron-metadata-agent restarted before nova is upgraded) in order to minimize downtime. This is because there is also a patch to nova which checks X-Tenant-ID against its database; therefore neutron-metadata-agent needs to pass that before nova is upgraded for metadata to work.

Change-Id: I2b8fa2f561a7f2914608e68133abf15efa95015a
Closes-Bug: #1235450

- __init__.py
- agent.py
- namespace_proxy.py
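
The tenant check described in the commit message above, as an added sketch that is not code from nova or neutron. The `X-Instance-ID` header name, the function names, the assumption that the agent fills `X-Tenant-ID` from the port's own `tenant_id`, and the sample instances and ports are all constructed for this illustration.

```python
"""Sketch of the X-Tenant-ID check from the commit message (not nova/neutron code)."""

# Constructed stand-in for nova's database: instance_id -> owner and metadata.
INSTANCES = {
    "inst-a": {"tenant_id": "tenant-a", "metadata": {"hostname": "vm-a"}},
    "inst-b": {"tenant_id": "tenant-b", "metadata": {"hostname": "vm-b"}},
}


def agent_headers(port):
    """Metadata-agent side: build the request headers from the port.

    Assumption of this sketch: the tenant header is taken from the port's
    own tenant_id, not from the user-editable device_id.
    """
    return {
        "X-Instance-ID": port["device_id"],  # header name assumed for this sketch
        "X-Tenant-ID": port["tenant_id"],
    }


def metadata_unchecked(headers):
    """Behaviour before the fix: the instance id alone selects the metadata."""
    instance = INSTANCES.get(headers.get("X-Instance-ID"))
    return instance["metadata"] if instance else None


def metadata_checked(headers):
    """Behaviour after the fix: the claimed tenant must own the instance."""
    instance = INSTANCES.get(headers.get("X-Instance-ID"))
    tenant = headers.get("X-Tenant-ID")
    if instance is None or not tenant or instance["tenant_id"] != tenant:
        return None  # same answer as "not found", so existence is not revealed
    return instance["metadata"]


if __name__ == "__main__":
    # Constructed ports: one honest, one whose device_id names another
    # tenant's instance, as in the bug the commit message describes.
    own_port = {"tenant_id": "tenant-a", "device_id": "inst-a"}
    spoofed_port = {"tenant_id": "tenant-a", "device_id": "inst-b"}
    for port in (own_port, spoofed_port):
        headers = agent_headers(port)
        print(port, metadata_unchecked(headers), metadata_checked(headers))
```

A request that carries no `X-Tenant-ID` is refused by `metadata_checked`, which is the reason the commit message asks for neutron-metadata-agent to be upgraded and restarted before nova.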