On 06/27/18 11:20, Matt Riedemann wrote:
> To be clear, this is exposing the exact same hashed host+project_id
> value via the metadata API that you can already get, as a non-admin
> user, from the compute REST API:
>
> https://github.com/openstack/nova/blob/c8b93fa2493dce82ef4c0b1e7a503ba9b81c2e86/nova/api/openstack/compute/views/servers.py#L135
>
> So I don't think it's a security issue at all.

I'm not sure I understand this rationale. Strictly speaking, I would
think that in order for this to be true, the set of authenticated
control plane users would have to always include the set of users who
can read the metadata from a guest. Which I'm pretty sure is not true
in the general case.

Am I missing something?

--
Michael Glasgow