[openstack-dev] Security of Meta-Data

Giuseppe de Candia giuseppe.decandia at gmail.com
Wed Oct 4 15:43:58 UTC 2017


Hi Folks,

I'm still processing all this information - thanks for your help!

--Pino


On Wed, Oct 4, 2017 at 7:58 AM, Jeremy Stanley <fungi at yuggoth.org> wrote:

> On 2017-10-04 10:47:02 +0100 (+0100), Luke Hinds wrote:
> [...]
> > The recommendation is not to use metadata for security sensitive
> > data (it's possible to spoof by setting a X-Forwarded header),
> > please see the following OpenStack Security Note on the topic:
> >
> > https://wiki.openstack.org/wiki/OSSN/OSSN-0074
>
> Well, it's possible as long as the environment is badly
> designed/configured: you deployed nova to expect a proxy, but then
> gave guest instances a way to reach the metadata API without going
> through that proxy. So while it's definitely a risk to be aware of,
> it comes pretty close to the need Sean mentions for "solid network
> security on the path between your guests and your nova-API."
> --
> Jeremy Stanley