[openstack-dev] [nova] Adding hostId to metadata
Matt Riedemann
mriedemos at gmail.com
Wed Jun 27 16:20:37 UTC 2018

On 6/27/2018 10:13 AM, Jay Pipes wrote:
> I've -2'd the patch in question because of these concerns about crossing
> the line between administrative and guest/virtual domains. It may seem
> like a very trivial patch, but from what I can tell, it would be a very
> big departure from the types of information we have traditionally
> allowed in the metadata API.

To be clear, this is exposing the exact same hashed host+project_id
value via the metadata API that you can already get, as a non-admin
user, from the compute REST API:

https://github.com/openstack/nova/blob/c8b93fa2493dce82ef4c0b1e7a503ba9b81c2e86/nova/api/openstack/compute/views/servers.py#L135

So I don't think it's a security issue at all.

The one thing I would be a bit worried about is that the value would be
stale from the config drive if the instance is live migrated. We also
expose the availability zone the instance is in from the config drive,
but as far as I know you can't live migrate your way into another
availability zone (unless of course the admin force live migrates to
another host in another AZ and bypasses the scheduler).
--
Thanks,
Matt
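
The following is an added example, not part of the original message and not Nova's own code. It sketches the hashed host+project_id value discussed above, assuming it is the SHA-224 hex digest of the project ID concatenated with the host name, and shows both the per-project scoping and the stale config drive case after a live migration. The function names, project IDs and host names are constructed for illustration.

```python
import hashlib


def generate_hostid(host, project_id):
    """Opaque, per-project host identifier.

    Assumption: SHA-224 over project_id + host, hex encoded.
    """
    if not host:
        return ""  # instance has not been scheduled to a host yet
    data = (project_id + host).encode("utf-8")
    return hashlib.sha224(data).hexdigest()


def config_drive_is_stale(config_drive_hostid, current_host, project_id):
    """True when the hostId written to the config drive at boot no longer
    matches the value derived from the host the instance runs on now."""
    return config_drive_hostid != generate_hostid(current_host, project_id)


def demo():
    # Constructed sample values, not taken from any real deployment.
    proj_a, proj_b = "project-a-0001", "project-b-0002"
    host1, host2 = "compute-01", "compute-02"

    # Value that would be baked into the config drive when the instance boots.
    at_boot = generate_hostid(host1, proj_a)

    return {
        # Two instances of one project on one host share a hostId.
        "same_project_same_host": at_boot == generate_hostid(host1, proj_a),
        # Another project sees a different value for the same host, so the
        # value cannot be used to correlate hosts across projects.
        "cross_project_differs": at_boot != generate_hostid(host1, proj_b),
        # The config drive is written once; the derived value moves with
        # the instance when it is live migrated to another host.
        "stale_before_migration": config_drive_is_stale(at_boot, host1, proj_a),
        "stale_after_migration": config_drive_is_stale(at_boot, host2, proj_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```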