[openstack-dev] Security of Meta-Data

Jeremy Stanley fungi at yuggoth.org
Wed Oct 4 12:58:20 UTC 2017


On 2017-10-04 10:47:02 +0100 (+0100), Luke Hinds wrote:
[...]
> The recommendation is not to use metadata for security sensitive
> data (it's possible to spoof by setting an X-Forwarded header),
> please see the following OpenStack Security Note on the topic:
> 
> https://wiki.openstack.org/wiki/OSSN/OSSN-0074

Well, it's possible as long as the environment is badly
designed/configured: you deployed nova to expect a proxy, but then
gave guest instances a way to reach the metadata API without going
through that proxy. So while it's definitely a risk to be aware of,
it comes pretty close to the need Sean mentions for "solid network
security on the path between your guests and your nova-API."
-- 
Jeremy Stanley
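
The condition described in this message, as an added example (not part of the original post and not nova's own code): a forwarded-address header is honoured only when the TCP peer is the expected proxy, so a guest that reaches the API directly cannot choose its own identity. The function name, the proxy address and the sample requests are constructed for illustration.

```python
import ipaddress

# Constructed address for illustration; a real deployment supplies its own.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def resolve_instance_address(peer_ip, headers, expect_proxy, trusted=TRUSTED_PROXIES):
    """Decide which address identifies the calling instance.

    Returns (address, reason); address is None when the request is rejected.
    """
    peer = ipaddress.ip_address(peer_ip)
    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for")

    if not expect_proxy:
        # No proxy in the design: the header is client-controlled, ignore it.
        return str(peer), "direct deployment, header ignored"

    if not any(peer in net for net in trusted):
        # The misconfiguration from the thread: a guest reached the API
        # without passing through the proxy. Never honour its header.
        return None, "peer is not the trusted proxy"

    if not xff:
        return None, "proxy request without X-Forwarded-For"

    # Assumption: the proxy appends the address it saw, so the right-most
    # entry is the only one the client could not choose.
    candidate = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate)), "forwarded by trusted proxy"
    except ValueError:
        return None, "malformed X-Forwarded-For"


# Constructed sample requests: (TCP peer, headers)
SAMPLES = [
    ("192.0.2.10", {"X-Forwarded-For": "10.0.0.5"}),             # via proxy
    ("10.0.0.66", {"X-Forwarded-For": "10.0.0.5"}),              # guest, direct
    ("192.0.2.10", {"X-Forwarded-For": "10.0.0.5, 10.0.0.66"}),  # guest-set prefix
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, hdrs, "->", resolve_instance_address(peer, hdrs, expect_proxy=True))
```

This check only backs up the network design; the path restriction between guests and the API remains the primary control.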