The internal URL isn't intended to be secret or privileged. It's intended to be a public endpoint on an internal (unmetered) network interface.
** Changed in: keystone
       Status: New => Invalid

https://bugs.launchpad.net/bugs/1271288

Title:
  keystone catalog internalURL exposes internal architectural details to tenants

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  With keystone catalog, unprivileged end-users are able to see the internalURL. This allows end-users to see the IP addresses of machines from outside of the cloud. While not a vulnerability in and of itself, knowledge of this information could be useful in leveraging attacks.

  Possible solutions might be to add middleware to remove the internalURL from responses or to obscure the URL.
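
The middleware option mentioned in the bug description, sketched as an added example; it is not Keystone's code and not part of the original report. It assumes the v2.0 (`access.serviceCatalog`) and v3 (`token.catalog`) token response layouts, the class name `StripInternalURL` is hypothetical, and the sample catalog is constructed.

```python
import json

def strip_internal(doc):
    """Return a copy of a token response with internal endpoints removed."""
    doc = json.loads(json.dumps(doc))  # deep copy; input is plain JSON data
    # Assumed v2.0 layout: access.serviceCatalog[].endpoints[].internalURL
    for svc in doc.get("access", {}).get("serviceCatalog", []):
        for ep in svc.get("endpoints", []):
            ep.pop("internalURL", None)
    # Assumed v3 layout: token.catalog[].endpoints[] with "interface": "internal"
    for svc in doc.get("token", {}).get("catalog", []):
        svc["endpoints"] = [ep for ep in svc.get("endpoints", [])
                            if ep.get("interface") != "internal"]
    return doc

class StripInternalURL:
    """WSGI filter (hypothetical name) that rewrites JSON response bodies."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        seen = {}
        def capture(status, headers, exc_info=None):
            seen["status"], seen["headers"] = status, list(headers)
            return lambda data: None  # legacy write() callable is not supported
        chunks = self.app(environ, capture)
        try:
            raw = b"".join(chunks)  # buffer the whole body before rewriting
        finally:
            if hasattr(chunks, "close"):
                chunks.close()
        ctype = next((v for k, v in seen["headers"]
                      if k.lower() == "content-type"), "")
        if ctype.startswith("application/json"):
            try:
                doc = json.loads(raw)
                if isinstance(doc, dict):
                    raw = json.dumps(strip_internal(doc)).encode()
            except ValueError:
                pass  # not valid JSON: pass the body through unchanged
        # Body length may have changed, so Content-Length is recomputed.
        headers = [(k, v) for k, v in seen["headers"]
                   if k.lower() != "content-length"]
        headers.append(("Content-Length", str(len(raw))))
        start_response(seen["status"], headers)
        return [raw]

# Constructed sample (not real output), using documentation address ranges.
SAMPLE_V2 = {"access": {"serviceCatalog": [{"type": "compute", "endpoints": [
    {"publicURL": "https://compute.example.com:8774/v2",
     "internalURL": "http://192.0.2.10:8774/v2"}]}]}}
```

A filter like this belongs only in front of the tenant-facing endpoint, since any client that selects the internal interface from the catalog will no longer find it.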