)]}'
{"specs/approved/predefined-system-hw-config-single-step.rst":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"e1743c0ae8d6607e664f27cf518597982ff89c91","unresolved":true,"context_lines":[{"line_number":689,"context_line":"containers provided by users. In multi-tenant, end-user accessible Ironic API"},{"line_number":690,"context_line":"this could lead to accessing data not belonging to the tenant by, e.g.,"},{"line_number":691,"context_line":"guessing or somehow finding out another tenant\u0027s URL and feeding that to ironic"},{"line_number":692,"context_line":"that has access to it while end-user does not. This vulnerability needs to be"},{"line_number":693,"context_line":"addressed separately in future releases. There are possibly other use cases"},{"line_number":694,"context_line":"that are affected by this limitation and would benefit from addressing this."},{"line_number":695,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a508958_af360ada","line":692,"range":{"start_line":692,"start_character":52,"end_line":692,"end_character":65},"updated":"2021-03-15 18:21:42.000000000","message":"Lets call it an issue. It is not strictly a vulnerability. More a deficiency","commit_id":"3ae89b380575bc13667c1ad39fad80bb5b3fcbc9"},{"author":{"_account_id":27909,"name":"Aija Jauntēva","email":"code@clusums.eu","username":"ajya"},"change_message_id":"0790988c866fab3993df99f0408554ec1a366760","unresolved":false,"context_lines":[{"line_number":689,"context_line":"containers provided by users. In multi-tenant, end-user accessible Ironic API"},{"line_number":690,"context_line":"this could lead to accessing data not belonging to the tenant by, e.g.,"},{"line_number":691,"context_line":"guessing or somehow finding out another tenant\u0027s URL and feeding that to ironic"},{"line_number":692,"context_line":"that has access to it while end-user does not. This vulnerability needs to be"},{"line_number":693,"context_line":"addressed separately in future releases. There are possibly other use cases"},{"line_number":694,"context_line":"that are affected by this limitation and would benefit from addressing this."},{"line_number":695,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"0c9797c4_7e8d41ba","line":692,"range":{"start_line":692,"start_character":52,"end_line":692,"end_character":65},"in_reply_to":"5a508958_af360ada","updated":"2021-03-15 18:26:26.000000000","message":"I actually had \"issue\" first, but then it seemed as generic as just having This, but, ok, vulnerability is also a bit too strong word here :)","commit_id":"3ae89b380575bc13667c1ad39fad80bb5b3fcbc9"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"7e14b1e800dd1281e87803900c7428612c2ce08a","unresolved":true,"context_lines":[{"line_number":686,"context_line":""},{"line_number":687,"context_line":"As cleaning/deploying is executed by ironic service account and not user that"},{"line_number":688,"context_line":"initiated clean or deploy, ironic service account needs access to used Swift"},{"line_number":689,"context_line":"containers provided by users. In multi-tenant, end-user accessible Ironic API"},{"line_number":690,"context_line":"this could lead to accessing data not belonging to the tenant by, e.g.,"},{"line_number":691,"context_line":"guessing or somehow finding out another tenant\u0027s URL and feeding that to ironic"},{"line_number":692,"context_line":"that has access to it while end-user does not. This issue needs to be addressed"}],"source_content_type":"text/x-rst","patch_set":2,"id":"ddaf12a1_aa618f16","line":689,"range":{"start_line":689,"start_character":30,"end_line":689,"end_character":45},"updated":"2021-03-18 21:22:08.000000000","message":"In multi-tenant environment,","commit_id":"bb5604d22ecd3b3b6f9e75b8134307f1017cb5b8"},{"author":{"_account_id":27909,"name":"Aija Jauntēva","email":"code@clusums.eu","username":"ajya"},"change_message_id":"8227a9b30936d09335e2939474630ba6ea7e222a","unresolved":true,"context_lines":[{"line_number":686,"context_line":""},{"line_number":687,"context_line":"As cleaning/deploying is executed by ironic service account and not user that"},{"line_number":688,"context_line":"initiated clean or deploy, ironic service account needs access to used Swift"},{"line_number":689,"context_line":"containers provided by users. In multi-tenant, end-user accessible Ironic API"},{"line_number":690,"context_line":"this could lead to accessing data not belonging to the tenant by, e.g.,"},{"line_number":691,"context_line":"guessing or somehow finding out another tenant\u0027s URL and feeding that to ironic"},{"line_number":692,"context_line":"that has access to it while end-user does not. This issue needs to be addressed"}],"source_content_type":"text/x-rst","patch_set":2,"id":"c099c143_9b5a53b2","line":689,"range":{"start_line":689,"start_character":30,"end_line":689,"end_character":45},"in_reply_to":"ddaf12a1_aa618f16","updated":"2021-03-25 09:50:49.000000000","message":"this was changed as asked in the original patch - https://review.opendev.org/c/openstack/ironic-specs/+/740721/20/specs/approved/predefined-system-hw-config-single-step.rst#690","commit_id":"bb5604d22ecd3b3b6f9e75b8134307f1017cb5b8"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"7e14b1e800dd1281e87803900c7428612c2ce08a","unresolved":true,"context_lines":[{"line_number":689,"context_line":"containers provided by users. In multi-tenant, end-user accessible Ironic API"},{"line_number":690,"context_line":"this could lead to accessing data not belonging to the tenant by, e.g.,"},{"line_number":691,"context_line":"guessing or somehow finding out another tenant\u0027s URL and feeding that to ironic"},{"line_number":692,"context_line":"that has access to it while end-user does not. This issue needs to be addressed"},{"line_number":693,"context_line":"separately in future releases. There are possibly other use cases that are"},{"line_number":694,"context_line":"affected by this limitation and would benefit from addressing this."},{"line_number":695,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"cd1f8ddd_bf41c5bd","line":692,"range":{"start_line":692,"start_character":52,"end_line":692,"end_character":58},"updated":"2021-03-18 21:22:08.000000000","message":"no preference on the wording from me.","commit_id":"bb5604d22ecd3b3b6f9e75b8134307f1017cb5b8"},{"author":{"_account_id":7160,"name":"arkady kanevsky","email":"akanevsk@redhat.com","username":"arkady"},"change_message_id":"504d2bf8f6cffb7cb19dba0d65a76c487fc31982","unresolved":true,"context_lines":[{"line_number":490,"context_line":"be Swift with option to configure Web server. In future more options can be"},{"line_number":491,"context_line":"added."},{"line_number":492,"context_line":""},{"line_number":493,"context_line":"``[molds]user`` and ``[molds]password`` is used when Web server is configured"},{"line_number":494,"context_line":"as storage backend. Ironic will use this to encode it in Base64 and add as"},{"line_number":495,"context_line":"header to HTTP requests. By default they will be empty indicating that no"},{"line_number":496,"context_line":"authorization used."},{"line_number":497,"context_line":""},{"line_number":498,"context_line":"The workflow for getting stored configuration data:"},{"line_number":499,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"f839d181_e7bb73ea","line":496,"range":{"start_line":493,"start_character":0,"end_line":496,"end_character":19},"updated":"2021-03-30 01:11:42.000000000","message":"And when Web server is not configured and molds are stored in Swift storage directly what authorization is used? \nOr is that the issue that will be addressed in the future as stated below?","commit_id":"fd3dd8f9ea110e2e365e8e7edd562ce8575e60b0"},{"author":{"_account_id":27909,"name":"Aija Jauntēva","email":"code@clusums.eu","username":"ajya"},"change_message_id":"3bac5279d6808b5df785530485f9d05fc152985a","unresolved":true,"context_lines":[{"line_number":490,"context_line":"be Swift with option to configure Web server. In future more options can be"},{"line_number":491,"context_line":"added."},{"line_number":492,"context_line":""},{"line_number":493,"context_line":"``[molds]user`` and ``[molds]password`` is used when Web server is configured"},{"line_number":494,"context_line":"as storage backend. Ironic will use this to encode it in Base64 and add as"},{"line_number":495,"context_line":"header to HTTP requests. By default they will be empty indicating that no"},{"line_number":496,"context_line":"authorization used."},{"line_number":497,"context_line":""},{"line_number":498,"context_line":"The workflow for getting stored configuration data:"},{"line_number":499,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"4906172e_97d12856","line":496,"range":{"start_line":493,"start_character":0,"end_line":496,"end_character":19},"in_reply_to":"f839d181_e7bb73ea","updated":"2021-03-30 08:01:55.000000000","message":"it\u0027s not stated explicitly, but for Swift Ironic service account is used (see ln 464), this has credentials and code already in ironic for other use cases.\nYes, this is the issue that will need addressing in the future.","commit_id":"fd3dd8f9ea110e2e365e8e7edd562ce8575e60b0"}]}
