The internal URL isn't intended to be secret or privileged. It's
intended to be a public endpoint on an internal (unmetered) network
interface.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1271288
Title:
keystone catalog internalURL exposes internal architectural details to
tenants
Status in OpenStack Identity (Keystone):
Invalid
Bug description:
With keystone catalog, unprivileged end-users are able to see the
internalURL.
This allows end-users to see the IP addresses of machines from outside
of the cloud. While not a vulnerability in and of itself, knowledge of
this information could be useful in leveraging attacks.
Possible solutions might be to add middleware to remove the
internalURL from responses or to obscure the URL.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1271288/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
