[openstack-dev] Security of Meta-Data

Luke Hinds lhinds at redhat.com
Wed Oct 4 09:47:02 UTC 2017

On Tue, Oct 3, 2017 at 11:00 PM, Giuseppe de Candia <
giuseppe.decandia at gmail.com> wrote:

> Hi Folks,
> Are there any documented conventions regarding the security model for
> MetaData?
> Note that CloudInit allows passing user and ssh service public/private
> keys via MetaData service (or ConfigDrive). One assumes it must be secure,
> but I have not found a security model or documentation.
> My understanding of the Neutron reference implementation is that MetaData
> requests are HTTP (not HTTPS) and go from the VM to the MetaData proxy on
> the Network Node (after which they are proxied to Nova meta-data API
> server). The path from VM to Network Node using HTTP cannot guarantee
> confidentiality and is also susceptible to Man-in-the-Middle attacks.
> Some Neutron drivers proxy Metadata requests locally from the node hosting
> the VM that makes the query. I have mostly seen this presented/motivated as
> a way of removing dependency on the Network node, but it should also
> increase security. Yet, I have not seen explicit discussions of the
> security model, nor any attempt to set a standard for security of the
> meta-data.
> Finally, there do not seem to be granular controls over what meta-data is
> presented over ConfigDrive (when enabled) vs. meta-data REST API. As an
> example, Nova vendor data is presented over both, if both are enabled;
> config drive is presumably more secure.
> thanks,
> Pino
The recommendation is not to use metadata for security sensitive data (its
possible to spoof by setting a X-Forwarded header), please see the
following OpenStack Security Note on the topic:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171004/34e9cf08/attachment.html>

More information about the OpenStack-dev mailing list