)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"48febf2d22b69e0baf62c816e9a1bfeebef967ed","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"2cca8cfd_2498a8ca","updated":"2023-12-29 22:06:39.000000000","message":"If there\u0027s any other cores with feedback for this spec, we can revise it. Thanks Dmitry!","commit_id":"353d231b810b5192a48534e800ef99a9c4ad2efd"}],"specs/approved/boot-config-api.rst":[{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"a4b5b2813aa87914b53e55a95053adf8476f4e09","unresolved":true,"context_lines":[{"line_number":87,"context_line":"``\u003cMAC\u003e``"},{"line_number":88,"context_line":"  MAC address of any NIC of a node."},{"line_number":89,"context_line":"``\u003cNAME\u003e``"},{"line_number":90,"context_line":"  Configuration name to request (e.g. ``boot.ipxe``)."},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"The API will find the node by the MAC address, check its provision state and"},{"line_number":93,"context_line":"call into the ``get_boot_config`` RPC on success. On failure, a generic HTTP"}],"source_content_type":"text/x-rst","patch_set":1,"id":"c626f8ba_ec993793","line":90,"updated":"2023-12-13 20:45:12.000000000","message":"Will this have security implications around agent token? Will I be able to, if I know the MAC address of a node, be able to extract the agent token for a given node?\n\nIt feels like we might need to make this some kind of Capability URL, with a temporary key for security, along the lines of what swift does for temporary urls.","commit_id":"353d231b810b5192a48534e800ef99a9c4ad2efd"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"6aa17d7e4a103acb42f6c50e35cb69af305eba93","unresolved":false,"context_lines":[{"line_number":87,"context_line":"``\u003cMAC\u003e``"},{"line_number":88,"context_line":"  MAC address of any NIC of a node."},{"line_number":89,"context_line":"``\u003cNAME\u003e``"},{"line_number":90,"context_line":"  Configuration name to request (e.g. ``boot.ipxe``)."},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"The API will find the node by the MAC address, check its provision state and"},{"line_number":93,"context_line":"call into the ``get_boot_config`` RPC on success. On failure, a generic HTTP"}],"source_content_type":"text/x-rst","patch_set":1,"id":"6726769d_93998fc6","line":90,"in_reply_to":"c626f8ba_ec993793","updated":"2023-12-14 07:32:07.000000000","message":"No implications around agent token, it\u0027s not passed through the iPXE configuration.\n\nWhat\u0027s the point of a temporary key if anyone can read it from the root boot.ipxe (also, it\u0027s not temporary in this sense)?\n\nThis spec only changes one aspect: if previously the configuration was read from the httpd server, now it can also be read from ironic API. Hence my suggestion below to guard this endpoint from being accessed from wrong networks.","commit_id":"353d231b810b5192a48534e800ef99a9c4ad2efd"}]}
