review.fuel-infra Code Review - openstack-build/neutron-build.git/commit

author	Aaron Rosen <arosen@nicira.com>
	Mon, 7 Oct 2013 22:34:38 +0000 (15:34 -0700)
committer	Jeremy Stanley <fungi@yuggoth.org>
	Wed, 11 Dec 2013 14:45:50 +0000 (14:45 +0000)
commit	bd4a85d67f091382752d75b95f9cfd076431f30e
tree	6aad1ec6e1bccfc48b10afe091a9dd17ef4d3ddf	tree \| snapshot
parent	dbd6d454574af0911152fbeb5d687df6679c7436	commit \| diff

Add X-Tenant-ID to metadata request

Previously, one could update a port's device_id to be that of
another tenant's instance_id and then be able to retrieve that
instance's metadata. In order to prevent this X-Tenant-ID is now
passed in the metadata request to nova and nova then checks that
X-Tenant-ID also matches the tenant_id for the instance against it's
database to ensure it's not being spoofed.

DocImpact - When upgrading OpenStack nova and neturon, neutron
            should be updated first (and neutron-metadata-agent
            restarted before nova is upgraded) in order to minimize
            downtime. This is because there is also a patch to nova
            which has checks X-Tenant-ID against it's database
            therefore neutron-metadata-agent needs to pass that
            before nova is upgraded for metadata to work.

Change-Id: I2b8fa2f561a7f2914608e68133abf15efa95015a
Closes-Bug: #1235450

neutron/agent/metadata/agent.py		diff \| blob \| history
neutron/tests/unit/test_metadata_agent.py		diff \| blob \| history