launchpad-reviewers team mailing list archive

[Bug 1034318] Re: API calls that return a node leak private data

 

This bug was fixed in the package maas - 1.2+bzr1349+dfsg-0ubuntu1

---------------
maas (1.2+bzr1349+dfsg-0ubuntu1) raring; urgency=low

  * New upstream bugfix release. Fixes:
    - The DNS configuration is not created if maas-dns is installed after
      the DNS config has been set up (LP: #1085865).
    - IPMI detection ends up with power_address of 0.0.0.0 (LP: #1064224)
    - Main page slow to load with many nodes (LP: #1066775)
    - maas-cluster-controller doesn't have images for
      provisioning (LP: #1068843)
    - Filestorage is unique to each appserver instance (LP: #1069734)
    - import_pxe_files does not include quantal (LP: #1069850)
    - maas-cli nodes new incomplete documentation (LP: #1070522)
    - DNS forward zone ends up with nonsensical entries (LP: #1070765)
    - The hostname of a node can still be changed once the node is in
      use. (LP: #1070774)
    - The zone name (attached to a cluster controller) can still be changed
      when it contains in-use nodes and DNS is managed. (LP: #1070775)
    - Duplicated prefix in the url used by the CLI (LP: #1075597)
    - Not importing Quantal boot images (LP: #1077180)
    - Nodes are deployed with wrong domain name. (LP: #1078744)
    - src/maasserver/api.py calls request.data.getlist with a 'default'
      parameter. That parameter is not supported by Django 1.3. (LP: #1080673)
    - API calls that return a node leak private data (LP: #1034318)
    - MAAS hostnames should be 5 easily disambiguated characters (LP: #1058998)
    - URI in API description wrong when accessing machine via alternative
      interface. (LP: #1059645)
    - Oops when renaming nodegroup w/o interface (LP: #1077075)
    - Error in log when using 'Start node' button: MAASAPINotFound: No user
      data available for this node. (LP: #1069603)

  [ Raphaël Badin ]
  * debian/maas-dns.postinst: Call write_dns_config (LP: #1085865).
  * debian/maas-dns.postinst: fix permissions and group ownership of
    file /etc/bind/maas/named.conf.rndc.maas. (LP: #1066935)

  [ Julian Edwards ]
  * debian/maas-region-controller.install: Remove installation of maas-gc; it
    is no longer required as upstream no longer stores files in the filesystem.
    (LP: #1069734)
  * debian/maas-cluster-controller.postinst: Ensure that /etc/maas/pserv.yaml
    is updated when reconfiguring. (LP: #1081212)

  [ Andres Rodriguez ]
  * debian/control:
    - maas-cluster-controller Conflicts with tftpd-hpa (LP: #1076028)
    - maas-dns: Conflicts with dnsmasq
    - Drop Dependency on rabbitmq-server for maas-cluster-controller.
      (LP: #1072744)
    - Add conflicts/replaces for maas-region-controller to
      maas-cluster-controller.
  * debian/maas-cluster-controller.config: If URL has been detected, add
    /MAAS if it doesn't contain it. This helps upgrades from versions where
    DEFAULT_MAAS_URL didn't use /MAAS.
  * Install maas-import-pxe-files and related files with
    maas-cluster-controller, as well as configure tgtd, as
    maas-region-controller no longer stores images. Thanks to Jeroen
    Vermeulen.

  [ Gavin Panella ]
  * debian/extras/99-maas: squashfs image download is no longer needed.
  * debian/maas-cluster-controller.install: maas-import-squashfs and its
    configuration file are no longer part of upstream.

  [ Jeroen Vermeulen ]
  * debian/maas-cluster-controller.maas-pserv.upstart: Source maas_cluster.conf
    before starting pserv (tftpd) process.
  * debian/maas-cluster-controller.postinst: Duplicate CLUSTER_UUID setting
    to maas_cluster.conf.
  * Bumped revision number to current 1.2 revision 1342 (requested by rvba).
 -- Andres Rodriguez <andreserl@xxxxxxxxxx>   Tue, 13 Nov 2012 14:58:21 -0500

** Changed in: maas (Ubuntu Raring)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of MAAS
Maintainers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1034318

Title:
  API calls that return a node leak private data

Status in MAAS:
  Fix Released
Status in MAAS 1.2 series:
  Fix Committed
Status in MAAS 12.04-nocobbler series:
  Fix Committed
Status in MAAS trunk series:
  Fix Released
Status in “maas” package in Ubuntu:
  Fix Released
Status in “maas” source package in Precise:
  New
Status in “maas” source package in Quantal:
  New
Status in “maas” source package in Raring:
  Fix Released

Bug description:
  list_allocated, for example, as below.  This might not matter so much
  when we go single tenancy but I still can't see why API users should
  see power_parameters at all.

  "GET /api/1.0/nodes/?op=list_allocated&id=node-6026dfba-e11f-11e1-afe8-e4115b13819f HTTP/1.1" 200 696

  Vary: Authorization
  Content-Type: application/json; charset=utf-8

  [
      {
          "status": 6,
          "macaddress_set": [
              {
                  "resource_uri": "/api/1.0/nodes/node-6026dfba-e11f-11e1-afe8-e4115b13819f/macs/e4:11:5b:13:7b:36/",
                  "mac_address": "e4:11:5b:13:7b:36"
              }
          ],
          "power_parameters": {
              "power_address": "10.0.0.10",
              "power_pass": "password",
              "power_user": "admin"
          },
          "netboot": false,
          "hostname": "node7",
          "power_type": "ipmilan",
          "system_id": "node-6026dfba-e11f-11e1-afe8-e4115b13819f",
          "architecture": "amd64",
          "resource_uri": "/api/1.0/nodes/node-6026dfba-e11f-11e1-afe8-e4115b13819f/"
      }
  ]

To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1034318/+subscriptions
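
Added example, not part of the original notification and not the MAAS fix itself: a regression check for the leak described in the bug, run over the response body quoted above. The allowlist contents, the key-name hints and the function names are assumptions made for illustration.

```python
import json

# Assumption: the fields an ordinary API user needs, taken from the keys in
# the response quoted in the bug report, minus power_parameters.
PUBLIC_NODE_FIELDS = frozenset({
    "status", "macaddress_set", "netboot", "hostname", "power_type",
    "system_id", "architecture", "resource_uri",
})

# Constructed heuristic: key-name fragments that suggest a credential.
SECRET_HINTS = ("pass", "secret", "token")

def public_view(node):
    """Serialize by allowlist, so a newly added field is hidden by default."""
    return {k: v for k, v in node.items() if k in PUBLIC_NODE_FIELDS}

def secret_paths(obj, path="$"):
    """Return the JSON path of every key whose name looks like a credential."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if any(hint in key.lower() for hint in SECRET_HINTS):
                found.append(child)
            found.extend(secret_paths(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            found.extend(secret_paths(item, f"{path}[{i}]"))
    return found

# Response body from the bug report, embedded so the check runs offline.
SAMPLE_RESPONSE = json.loads("""[{
  "status": 6, "netboot": false, "hostname": "node7",
  "macaddress_set": [{"mac_address": "e4:11:5b:13:7b:36",
    "resource_uri": "/api/1.0/nodes/node-6026dfba-e11f-11e1-afe8-e4115b13819f/macs/e4:11:5b:13:7b:36/"}],
  "power_parameters": {"power_address": "10.0.0.10",
                       "power_pass": "password", "power_user": "admin"},
  "power_type": "ipmilan", "architecture": "amd64",
  "system_id": "node-6026dfba-e11f-11e1-afe8-e4115b13819f",
  "resource_uri": "/api/1.0/nodes/node-6026dfba-e11f-11e1-afe8-e4115b13819f/"
}]""")

if __name__ == "__main__":
    print("leaked:", secret_paths(SAMPLE_RESPONSE))
    print("after allowlist:",
          secret_paths([public_view(n) for n in SAMPLE_RESPONSE]))
```

The allowlist is the control; the path scan is only a test-suite tripwire, since it cannot see a secret stored under an innocuous key name.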