yahoo-eng-team team mailing list archive
Message #01990
[Bug 1114821] Re: Can view private images belonging to another user using member-list
** Changed in: glance/grizzly
Importance: Undecided => Critical
** Changed in: glance/grizzly
Status: New => Fix Released
** Changed in: glance/grizzly
Milestone: None => 2013.1
** Changed in: glance/grizzly
Assignee: (unassigned) => Mark Washenberger (markwash)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1114821
Title:
Can view private images belonging to another user using member-list
Status in OpenStack Image Registry and Delivery Service (Glance):
Fix Released
Status in Glance grizzly series:
Fix Released
Bug description:
Description of use case which causes this bug:
1. ADMIN user (image admin-admin-private has member fake-member-id. You can see the image in image list, you can see the members for the image, and for the given member-id you can see the image)
iccha@iccha-dev:~/devstack$ source openrc admin admin
iccha@iccha-dev:~/devstack$ glance image-list
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde | admin-admin-private | | | | queued |
| 6e056225-9563-4a0f-895c-c2cdfe83f679 | cirros-0.3.0-x86_64-uec | ami | ami | 25165824 | active |
| c7fd417b-c88e-465b-b185-f2d331acbe94 | cirros-0.3.0-x86_64-uec-kernel | aki | aki | 4731440 | active |
| b50d67a8-5b50-45ed-9530-743499952e77 | cirros-0.3.0-x86_64-uec-ramdisk | ari | ari | 2254249 | active |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
iccha@iccha-dev:~/devstack$ glance member-list --tenant fake-member-id
+--------------------------------------+----------------+-----------+
| Image ID | Member ID | Can Share |
+--------------------------------------+----------------+-----------+
| 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde | fake-member-id | |
+--------------------------------------+----------------+-----------+
iccha@iccha-dev:~/devstack$ glance member-list --image 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde
+--------------------------------------+----------------+-----------+
| Image ID | Member ID | Can Share |
+--------------------------------------+----------------+-----------+
| 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde | fake-member-id | |
+--------------------------------------+----------------+-----------+
2. DEMO user (cannot view image admin-admin-private because it's a private image created by admin, cannot view the members of admin-admin-private, but when doing a member-list on fake-member-id can see image admin-admin-private 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde listed as a shared image, but this image is supposed to be private and not visible to the user!)
iccha@iccha-dev:~/devstack$ source openrc demo demo
iccha@iccha-dev:~/devstack$ glance image-list
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| 6e056225-9563-4a0f-895c-c2cdfe83f679 | cirros-0.3.0-x86_64-uec | ami | ami | 25165824 | active |
| c7fd417b-c88e-465b-b185-f2d331acbe94 | cirros-0.3.0-x86_64-uec-kernel | aki | aki | 4731440 | active |
| b50d67a8-5b50-45ed-9530-743499952e77 | cirros-0.3.0-x86_64-uec-ramdisk | ari | ari | 2254249 | active |
| 5bbd2cf8-c0e7-43a4-b6fc-525c2f007336 | test1 | | | | queued |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
iccha@iccha-dev:~/devstack$ glance --debug member-list --image 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde
curl -i -X GET -H 'X-Auth-Token: 524e0f13f4d94baf8b30bdbf9941109f' -H 'Content-Type: application/json' -H 'User-Agent: python-glanceclient' http://184.106.106.164:9292/v1/images/5c2a93c2-d1b1-4756-8c70-b3d9358f2dde/members
HTTP/1.1 404 Not Found
date: Sun, 03 Feb 2013 20:53:40 GMT
content-length: 120
content-type: text/plain; charset=UTF-8
x-openstack-request-id: req-0e5ee315-310c-403c-9b29-b9d4303f82f4
404 Not Found
The resource could not be found.
Image with identifier 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde not found
Request returned failure status.
404 Not Found
The resource could not be found.
Image with identifier 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde not found (HTTP 404)
iccha@iccha-dev:~/devstack$ glance --debug member-list --tenant fake-member-id
curl -i -X GET -H 'X-Auth-Token: e713a64770744794b775bf7bea266edd' -H 'Content-Type: application/json' -H 'User-Agent: python-glanceclient' http://184.106.106.164:9292/v1/shared-images/fake-member-id
HTTP/1.1 200 OK
date: Sun, 03 Feb 2013 20:53:48 GMT
content-length: 93
content-type: application/json; charset=UTF-8
x-openstack-request-id: req-2473dcbe-5586-4430-8662-15664914f2e5
{"shared_images": [{"image_id":
"5c2a93c2-d1b1-4756-8c70-b3d9358f2dde", "can_share": false}]}
+--------------------------------------+----------------+-----------+
| Image ID | Member ID | Can Share |
+--------------------------------------+----------------+-----------+
| 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde | fake-member-id | |
+--------------------------------------+----------------+-----------+
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1114821/+subscriptions
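Added example (not part of the original message and not Glance source code): a small in-memory model of the inconsistency in the report, where the per-image member lookup hides the private image from the demo tenant but the per-member listing does not. The names `is_visible`, `shared_images_unfiltered` and `shared_images_filtered`, the visibility rule, and the filtered form are assumptions made for illustration; the sample data is constructed from the session above.

```python
from collections import namedtuple

# Hypothetical records for illustration; these are not Glance's data models.
Image = namedtuple("Image", "id owner is_public members")
Caller = namedtuple("Caller", "tenant is_admin")


def is_visible(image, caller):
    """Assumed visibility rule: admin, public image, owner, or listed member."""
    return (caller.is_admin or image.is_public
            or image.owner == caller.tenant
            or caller.tenant in image.members)


def image_members(images, image_id, caller):
    """Per-image lookup: a hidden image looks nonexistent (the 404 in the report)."""
    for image in images:
        if image.id == image_id and is_visible(image, caller):
            return sorted(image.members)
    return None


def shared_images_unfiltered(images, member_id, caller):
    """Behaviour shown in the report: memberships are returned to any caller."""
    return [i.id for i in images if member_id in i.members]


def shared_images_filtered(images, member_id, caller):
    """Consistent form: list only images the caller is already allowed to see."""
    return [i.id for i in images
            if member_id in i.members and is_visible(i, caller)]


# Constructed sample data mirroring the devstack session in the report.
PRIVATE_ID = "5c2a93c2-d1b1-4756-8c70-b3d9358f2dde"
IMAGES = [
    Image(PRIVATE_ID, "admin", False, frozenset({"fake-member-id"})),
    Image("6e056225-9563-4a0f-895c-c2cdfe83f679", "admin", True, frozenset()),
]
ADMIN = Caller("admin", True)
DEMO = Caller("demo", False)

if __name__ == "__main__":
    print("members lookup as demo:", image_members(IMAGES, PRIVATE_ID, DEMO))
    print("unfiltered listing as demo:",
          shared_images_unfiltered(IMAGES, "fake-member-id", DEMO))
    print("filtered listing as demo:",
          shared_images_filtered(IMAGES, "fake-member-id", DEMO))
```

The same two lookups make a regression check: any image ID returned by the per-member listing should also be reachable by the same caller through the per-image lookup.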