931c125982
A malicious user with: * API access normally reserved for the provisioning, cleaning, rescue networks. * Insight about a node, such as a MAC address, or baremetal node UUID. * Insight into the state of the node, such as the access provided to Compute API users, or other Bare Metal API users. Can submit an erroneous ``heartbeat`` to the ironic-api endpoint with a ``callback_url`` that is not of the actual intended agent. This can potentially cause a rescue, cleaning, or deployment operation to be derailed, or at worst commands to be sent to to an endpoint the malicious user controls. Story: 2006773 Task: 37295 Change-Id: I1a5e3c2b34d45c06fb74e82d0f30735ce9041914
11 lines
498 B
YAML
11 lines
498 B
YAML
---
|
|
security:
|
|
- |
|
|
Prevents additional updates of an agent ``callback_url`` through the agent
|
|
heartbeat ``/v1/heartbeat/<node_uuid>`` endpoint as the ``callback_url``
|
|
should remain stable through the cleaning, provisioning, or rescue
|
|
processes. Should anything such as an unexpected agent reboot cause the
|
|
``callback_url``, heartbeat operations will now be ignored.
|
|
More information can be found at
|
|
`story 2006773 <https://storyboard.openstack.org/#!/story/2006773>`_.
|