25cc871450
A malicious user with:
* API access normally reserved for the provisioning,
cleaning, rescue networks.
* Insight about a node, such as a MAC address, or baremetal node
UUID.
* Insight into the state of the node, such as the access provided
to Compute API users, or other Bare Metal API users.
Can submit an erroneous ``heartbeat`` to the ironic-api endpoint
with a ``callback_url`` that is not of the actual intended agent.
This can potentially cause a rescue, cleaning, or deployment
operation to be derailed, or at worst commands to be sent to
an endpoint the malicious user controls.
Story: 2006773
Task: 37295
Change-Id: I1a5e3c2b34d45c06fb74e82d0f30735ce9041914
(cherry picked from commit
__init__.py
allocation.py
bios.py
chassis.py
collection.py
conductor.py
deploy_template.py
driver.py
event.py
node.py
notification_utils.py
port.py
portgroup.py
ramdisk.py
state.py
types.py
utils.py
versions.py
volume_connector.py
volume_target.py
volume.py