426a306fb5
We currently mask passwords in driver_info for all API responses, except for agent lookups. This is because driver_vendor_passthru just expects a dict to return as JSON in the response, and doesn't modify it at all. Change lookup to follow the defined policy when returning the node object in the response, the same way we do for other API responses. Co-authored-by: Jim Rollenhagen <jim@jimrollenhagen.com> Change-Id: Ib19d2f86d3527333e905fdbf1f09fc3dc8b8c5a7 Closes-Bug: #1572796
12 lines
677 B
YAML
---
security:
  - A critical security vulnerability (CVE-2016-4985) was fixed in this
    release. Previously, a client with network access to the ironic-api service
    was able to bypass Keystone authentication and retrieve all information
    about any Node registered with Ironic, if they knew (or were able to guess)
    the MAC address of a network card belonging to that Node, by sending a
    crafted POST request to the /v1/drivers/$DRIVER_NAME/vendor_passthru
    resource. Ironic's policy.json configuration is now respected when
    responding to this request such that, if passwords should be masked for
    other requests, they are also masked for this request.
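The commit message and the release note above describe the same defect: the vendor_passthru lookup handler returned the node dict untouched, so the driver_info password masking applied to every other node response was skipped for this one path. The following is an added example, not Ironic's own code, showing the pre-fix and post-fix shape of such a handler side by side. The sample node, the `show_password` rule name, the toy `role:`/`!` rule syntax and the helper names (`mask_secrets`, `show_password_allowed`, `lookup_before_fix`, `lookup_after_fix`) are assumptions made for illustration; the real project evaluates its rules with oslo.policy and masks with oslo.utils. The masking here walks the whole object rather than only driver_info, which is broader than the page describes.

```python
"""Policy-driven masking of secrets in a node API response (added example)."""
import copy
import re

# Constructed sample of what a vendor_passthru "lookup" call might return.
# The UUID, addresses and password are made up for this example.
SAMPLE_NODE = {
    "uuid": "2b8dbf5d-9f20-4c6b-9f1e-0000aaaabbbb",
    "driver": "agent_ipmitool",
    "driver_info": {
        "ipmi_address": "10.0.0.5",
        "ipmi_username": "admin",
        "ipmi_password": "s3cret-bmc-pw",
        "deploy_ramdisk": "file:///tmp/ramdisk",
    },
    "instance_info": {"image_source": "http://glance/images/abc"},
    "ports": [{"address": "52:54:00:12:34:56"}],
}

MASK = "******"
# Assumption: keys matching these words hold secrets.  A real deployment
# would use the project's own list rather than this ad-hoc one.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|token|private_key", re.IGNORECASE)


def mask_secrets(value):
    """Return a deep copy of `value` with secret-looking dict values replaced.

    Walks nested dicts and lists so a secret buried inside driver_info or
    instance_info is caught, not only top-level keys.  The input is never
    modified in place, which matters when the same object is reused.
    """
    if isinstance(value, dict):
        return {
            k: (MASK if SECRET_KEY_RE.search(str(k)) and v not in (None, "")
                else mask_secrets(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [mask_secrets(v) for v in value]
    return copy.deepcopy(value)


def show_password_allowed(context, rules):
    """Toy policy check: does `context` satisfy the 'show_password' rule?

    `rules` mimics a policy.json mapping.  Only "!" (never) and "role:<name>"
    are understood here; this is an assumption, real oslo.policy rules are
    far richer.  Missing rule means deny.
    """
    rule = rules.get("show_password", "!")
    if rule == "!":
        return False
    if rule.startswith("role:"):
        return rule[len("role:"):] in context.get("roles", [])
    return False


def lookup_before_fix(node):
    """Pre-fix behaviour described in the commit message: the handler hands
    the dict straight back to be serialised as JSON, so driver_info secrets
    leave the API unmasked for anyone who can reach it."""
    return node


def lookup_after_fix(node, context, rules):
    """Post-fix behaviour: route the lookup response through the same
    policy-driven masking that every other node response already uses."""
    if show_password_allowed(context, rules):
        return copy.deepcopy(node)
    return mask_secrets(node)


if __name__ == "__main__":
    deny_all = {"show_password": "!"}      # conservative default
    anonymous = {"roles": []}
    print("before fix:", lookup_before_fix(SAMPLE_NODE)["driver_info"]["ipmi_password"])
    print("after fix: ", lookup_after_fix(SAMPLE_NODE, anonymous, deny_all)["driver_info"]["ipmi_password"])
```

The point worth keeping from the fix is structural rather than the regex: any handler that serialises a node dict directly bypasses whatever masking the normal response path applies, so new passthru methods should go through the shared response builder instead of special-casing masking themselves.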