21 lines
1.1 KiB
YAML
21 lines
1.1 KiB
YAML
---
|
|
security:
|
|
- |
|
|
Fixes an issue with the ``/v1/nodes/detail`` endpoint where an
|
|
authenticated user could explicitly ask for an ``instance_uuid`` lookup
|
|
and the associated node would be returned to the user with sensitive
|
|
fields redacted in the result payload if the user did not explicitly have
|
|
``owner`` or ``lessee`` permissions over the node. This is considered a
|
|
low-impact low-risk issue as it requires the API consumer to already know
|
|
the UUID value of the associated instance, and the returned information
|
|
is mainly metadata in nature. More information can be found in
|
|
`Storyboard story 2008976 <https://storyboard.openstack.org/#!/story/2008976>`_.
|
|
fixes:
|
|
- |
|
|
Fixes an issue with the ``/v1/nodes/detail`` endpoint where requests
|
|
for an explicit ``instance_uuid`` match would not follow the standard
|
|
query handling path and thus not be filtered based on policy determined
|
|
access level and node level ``owner`` or ``lessee`` fields appropriately.
|
|
Additional information can be found in
|
|
`story 2008976 <https://storyboard.openstack.org/#!/story/2008976>`_.
|