launchpad-reviewers team mailing list archive
Message #13663
[Bug 1034318] Re: API calls that return a node leak private data
Fixing this is as simple as not including 'power_parameters' in the list
of the fields included when a node is serialized.
=== modified file 'src/maasserver/api.py'
--- src/maasserver/api.py 2012-10-19 13:55:51 +0000
+++ src/maasserver/api.py 2012-10-24 12:07:57 +0000
@@ -436,7 +436,6 @@
'status',
'netboot',
'power_type',
- 'power_parameters',
'tag_names',
)
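Review bot: the removal of 'power_parameters' from this field tuple (between 'power_type' and 'tag_names') arrives with no test change in the patch, so nothing prevents the key from being added back to the tuple later. Add a test that serializes a node through the API and asserts the result has no 'power_parameters' key. The removal is also unconditional in this hunk, so it affects every caller of the serializer; if any client legitimately reads these settings through the API, note that in the commit message.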
** Tags added: trivial
--
You received this bug notification because you are a member of MAAS
Maintainers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1034318
Title:
API calls that return a node leak private data
Status in MAAS:
Triaged
Status in MAAS 1.2 series:
Triaged
Status in MAAS 12.04-nocobbler series:
Triaged
Status in MAAS trunk series:
Triaged
Bug description:
list_allocated, for example, as below. This might not matter so much
when we go single tenancy but I still can't see why API users should
see power_parameters at all.
"GET /api/1.0/nodes/?op=list_allocated&id=node-6026dfba-e11f-11e1-afe8-e4115b13819f HTTP/1.1" 200 696
Vary: Authorization
Content-Type: application/json; charset=utf-8
[
    {
        "status": 6,
        "macaddress_set": [
            {
                "resource_uri": "/api/1.0/nodes/node-6026dfba-e11f-11e1-afe8-e4115b13819f/macs/e4:11:5b:13:7b:36/",
                "mac_address": "e4:11:5b:13:7b:36"
            }
        ],
        "power_parameters": {
            "power_address": "10.0.0.10",
            "power_pass": "password",
            "power_user": "admin"
        },
        "netboot": false,
        "hostname": "node7",
        "power_type": "ipmilan",
        "system_id": "node-6026dfba-e11f-11e1-afe8-e4115b13819f",
        "architecture": "amd64",
        "resource_uri": "/api/1.0/nodes/node-6026dfba-e11f-11e1-afe8-e4115b13819f/"
    }
]
To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1034318/+subscriptions
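Added example, not part of the original message or of MAAS: a regression check for the leak described in this bug, which walks a node API response and reports the JSON path of every private key at any depth. The function name and the key set are assumptions of this example; the "before" body is trimmed from the bug description and the "after" body is constructed.

```python
import json

# Key names treated as private. 'power_parameters' and its children are taken
# from the bug report; treating exactly this set as private is an assumption.
SENSITIVE_KEYS = {"power_parameters", "power_pass", "power_user", "power_address"}


def find_sensitive_paths(doc, sensitive=SENSITIVE_KEYS, path="$"):
    """Return the JSON path of every sensitive key found anywhere in doc."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            here = f"{path}.{key}"
            if key in sensitive:
                hits.append(here)
            # Keep descending: a private key may sit under a harmless parent.
            hits.extend(find_sensitive_paths(value, sensitive, here))
    elif isinstance(doc, list):
        for index, item in enumerate(doc):
            hits.extend(find_sensitive_paths(item, sensitive, f"{path}[{index}]"))
    return hits


# Response body trimmed from the bug description (serializer before the fix).
BEFORE = json.loads("""
[{"status": 6,
  "power_parameters": {"power_address": "10.0.0.10",
                       "power_pass": "password",
                       "power_user": "admin"},
  "netboot": false,
  "hostname": "node7",
  "power_type": "ipmilan",
  "system_id": "node-6026dfba-e11f-11e1-afe8-e4115b13819f"}]
""")

# Constructed: the same node as it would serialize once the field is dropped.
AFTER = [{k: v for k, v in node.items() if k != "power_parameters"}
         for node in BEFORE]

if __name__ == "__main__":
    for label, body in (("before", BEFORE), ("after", AFTER)):
        print(label, find_sensitive_paths(body) or "clean")
```

Run against every endpoint that returns a node, not only list_allocated, since the bug title covers all of them.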