yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1076506] Re: Non-admin users can cause public glance images to be deleted from the backend storage repository in the v2 api

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 04 Apr 2013 09:46:24 -0000
Reply-to: Bug 1076506 <1076506@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: glance/grizzly
   Importance: Undecided => Critical

** Changed in: glance/grizzly
       Status: New => Fix Released

** Changed in: glance/grizzly
    Milestone: None => 2013.1

** Changed in: glance/grizzly
     Assignee: (unassigned) => Mark Washenberger (markwash)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1076506

Title:
  Non-admin users can cause public glance images to be deleted from the
  backend storage repository in the v2 api

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance folsom series:
  Fix Released
Status in Glance grizzly series:
  Fix Released
Status in “glance” package in Ubuntu:
  Fix Released
Status in “glance” source package in Quantal:
  Fix Released

Bug description:
  It appears that bug #1065187 also affects the v2 api. From the
  previous description:

  Given a public, non-protected image, a non-admin user can issue a
  delete against that image which may delete the image from the backend
  storage repository. The client will get a 403 unauthorized response,
  but the backend delete method is called prior to checking for those
  permissions on the glance registry.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1076506/+subscriptions