diff options
Diffstat (limited to 'releasenotes/notes/correct-detailed-instance-info-behavior-1375914a30621eca.yaml')
-rw-r--r-- | releasenotes/notes/correct-detailed-instance-info-behavior-1375914a30621eca.yaml | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/releasenotes/notes/correct-detailed-instance-info-behavior-1375914a30621eca.yaml b/releasenotes/notes/correct-detailed-instance-info-behavior-1375914a30621eca.yaml new file mode 100644 index 000000000..6d98cca55 --- /dev/null +++ b/releasenotes/notes/correct-detailed-instance-info-behavior-1375914a30621eca.yaml @@ -0,0 +1,20 @@ +--- +security: + - | + Fixes an issue with the ``/v1/nodes/detail`` endpoint where an + authenticated user could explicitly ask for an ``instance_uuid`` lookup + and the associated node would be returned to the user with sensitive + fields redacted in the result payload if the user did not explicitly have + ``owner`` or ``lessee`` permissions over the node. This is considered a + low-impact low-risk issue as it requires the API consumer to already know + the UUID value of the associated instance, and the returned information + is mainly metadata in nature. More information can be found in + `Storyboard story 2008976 <https://storyboard.openstack.org/#!/story/2008976>`_. +fixes: + - | + Fixes an issue with the ``/v1/nodes/detail`` endpoint where requests + for an explicit ``instance_uuid`` match would not follow the standard + query handling path and thus not be filtered based on policy determined + access level and node level ``owner`` or ``lessee`` fields appropriately. + Additional information can be found in + `story 2008976 <https://storyboard.openstack.org/#!/story/2008976>`_. |