yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1065187] Re: Non-admin users can cause public glance images to be deleted from the backend storage repository

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 04 Apr 2013 09:34:45 -0000
Reply-to: Bug 1065187 <1065187@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** No longer affects: glance/grizzly

** Changed in: glance/grizzly
   Importance: Undecided => Critical

** Changed in: glance/grizzly
       Status: New => Fix Released

** Changed in: glance/grizzly
    Milestone: None => 2013.1

** Changed in: glance/grizzly
     Assignee: (unassigned) => Russell Bryant (russellb)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1065187

Title:
  Non-admin users can cause public glance images to be deleted from the
  backend storage repository

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance essex series:
  Fix Committed
Status in Glance folsom series:
  Fix Released
Status in Glance grizzly series:
  Fix Released
Status in “glance” package in Ubuntu:
  Fix Released
Status in “glance” source package in Quantal:
  Fix Released

Bug description:
  Given a public, non-protected image, a non-admin user can issue a
  delete against that image which may delete the image from the backend
  storage repository.  The client will get a 403 unauthorized response,
  but the backend delete method is called prior to checking for those
  permissions on the glance registry.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1065187/+subscriptions