yahoo-eng-team team mailing list archive

[Bug 1271288] Re: keystone catalog internalURL exposes internal architectural details to tenants


The internal URL isn't intended to be secret or privileged. It's
intended to be a public endpoint on an internal (unmetered) network
interface.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1271288

Title:
  keystone catalog internalURL exposes internal architectural details to
  tenants

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  With keystone catalog, unprivileged end-users are able to see the
  internalURL.

  This allows end-users to see the IP addresses of machines from outside
  of the cloud. While not a vulnerability in and of itself, knowledge of
  this information could be useful in leveraging attacks.

  Possible solutions might be to add middleware to remove the
  internalURL from responses or to obscure the URL.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1271288/+subscriptions
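The bug description sketches a mitigation (middleware that drops internalURL from catalog responses before they reach an unprivileged tenant). The following is an added illustration of that filter, not code from the bug report or from Keystone; it assumes the two catalog shapes Keystone serves, the v2 form (one endpoint entry carrying publicURL/internalURL/adminURL keys) and the v3 form (one entry per interface with an "interface" field), and the sample catalogs are constructed.

```python
"""Strip internal-facing endpoints from a Keystone service catalog.

Added illustration of the mitigation the bug report sketches; not Keystone
code. The set of interfaces treated as internal is a single constant so a
deployment can widen it (e.g. to admin) if it wants.
"""
import copy

INTERNAL_KEYS_V2 = ("internalURL",)     # v2: keys inside one endpoint entry
INTERNAL_IFACES_V3 = ("internal",)      # v3: value of the "interface" field


def strip_internal_endpoints(catalog, privileged=False):
    """Return a copy of `catalog` without internal endpoint data.

    `catalog` is the list of service entries from a token response.
    A privileged caller (e.g. an operator) gets the full catalog back;
    the input list is never modified in place.
    """
    out = copy.deepcopy(catalog)
    if privileged:
        return out
    for service in out:
        kept = []
        for ep in service.get("endpoints", []):
            if "interface" in ep:           # v3 shape: drop the whole entry
                if ep["interface"] in INTERNAL_IFACES_V3:
                    continue
            else:                           # v2 shape: drop only the keys
                for key in INTERNAL_KEYS_V2:
                    ep.pop(key, None)
            kept.append(ep)
        service["endpoints"] = kept
    return out


# Constructed sample catalogs (hypothetical hosts, not real deployment data).
SAMPLE_V2 = [{"type": "compute", "name": "nova", "endpoints": [
    {"region": "RegionOne",
     "publicURL": "https://compute.example.com:8774/v2",
     "internalURL": "http://10.0.0.5:8774/v2",
     "adminURL": "http://10.0.0.5:8774/v2"}]}]
SAMPLE_V3 = [{"type": "identity", "name": "keystone", "endpoints": [
    {"region": "RegionOne", "interface": "public",
     "url": "https://id.example.com:5000/v3"},
    {"region": "RegionOne", "interface": "internal",
     "url": "http://10.0.0.2:5000/v3"}]}]

if __name__ == "__main__":
    print(strip_internal_endpoints(SAMPLE_V2))
    print(strip_internal_endpoints(SAMPLE_V3))
```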