yahoo-eng-team team mailing list archive

[Bug 1252931] Re: Glance registry should not be exposed to users

 

Reviewed:  https://review.openstack.org/85538
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=ca9c7bbe279e15cd5b6c6e7d4ccb54cb579861e3
Submitter: Jenkins
Branch:    master

commit ca9c7bbe279e15cd5b6c6e7d4ccb54cb579861e3
Author: Tom Fifield <tom@xxxxxxxxxxxxx>
Date:   Sat Apr 5 11:35:54 2014 +0800

    Add a note that the glance-registry is internal
    
    Users could be confused into thinking the glance registry
    is an external-facing service. It is not, and is designed
    with a security model such that it should be protected for
    internal use only.
    
    This patch adds a note to the introduction in the common section
    so it will be included in multiple guides.
    
    Change-Id: Ic540353d82c829475ac6f3455ccccdea32977a4b
    Closes-Bug: 1252931


** Changed in: openstack-manuals
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1252931

Title:
  Glance registry should not be exposed to users

Status in OpenStack Image Registry and Delivery Service (Glance):
  Won't Fix
Status in OpenStack Manuals:
  Fix Released

Bug description:
  Using glance-registry v1 API from stable/havana

  The glance registry will expose the location of the image. If using
  the swift backend this will expose your swift credentials.

  My initial discovery of this was when using a stable/grizzly glance-api. Doing either a glance image-create or glance image-show exposes the location_data information of the image.
  It would seem that the data is being protected at the glance-api level and not the registry level. Havana glance-api protects the data; Grizzly glance-api does not.

  I have confirmed this by using a standard user's token (with Member
  role) with curl to do a request against the registry (stable/havana)

  curl -H "X-Auth-Token:TOKEN" http://glance-registry.dev:9191/images/f5bf9283-033b-46e1-972d-6884cbae48e5 | python -m json.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   761  100   761    0     0   4542      0 --:--:-- --:--:-- --:--:--  4584
  {
      "image": {
          "checksum": "ad53c72c06a08439f95b527f3184a726", 
          "container_format": "bare", 
          "created_at": "2013-11-11T02:30:35", 
          "deleted": false, 
          "deleted_at": null, 
          "disk_format": "qcow2", 
          "id": "f5bf9283-033b-46e1-972d-6884cbae48e5", 
          "is_public": true, 
          "location": "swift+http://service%3Aglance:XXXSECRETXXX@xxxxxxxxxxxxxxxxxxxx:5000/v2.0/images/f5bf9283-033b-46e1-972d-6884cbae48e5",
          "location_data": [
              {
                  "metadata": {}, 
                  "url": "swift+http://service%3Aglance:XXXSECRETXXX@xxxxxxxxxxxxxxxxxxxx:5000/v2.0/images/f5bf9283-033b-46e1-972d-6884cbae48e5"
              }
          ], 
          "min_disk": 0, 
          "min_ram": 0, 
          "name": "raring", 
          "owner": "XXXXXX", 
          "properties": {}, 
          "protected": false, 
          "size": 236322816, 
          "status": "active", 
          "updated_at": "2013-11-11T02:30:48"
      }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1252931/+subscriptions
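
The following is an added example, not part of the original bug report and not Glance's own code: a check that flags credential-bearing `location` and `location_data` URLs in a registry-style image record, and strips the userinfo before the record is logged or passed on. The sample record, host name and secret are constructed, and the function names are hypothetical.

```python
import copy
from urllib.parse import urlsplit, urlunsplit

# Constructed record shaped like the registry v1 response in the report;
# the host name and secret are placeholders.
_URL = ("swift+http://service%3Aglance:EXAMPLE-SECRET@keystone.example:5000"
        "/v2.0/images/f5bf9283-033b-46e1-972d-6884cbae48e5")
SAMPLE = {"image": {
    "id": "f5bf9283-033b-46e1-972d-6884cbae48e5",
    "name": "raring",
    "location": _URL,
    "location_data": [{"metadata": {}, "url": _URL}],
}}

def has_credentials(url):
    """True when the URL's userinfo part carries a password."""
    return urlsplit(url).password is not None

def strip_userinfo(url):
    """Return the URL without user:password@, leaving other URLs untouched."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    return urlunsplit(parts._replace(netloc=parts.netloc.rpartition("@")[2]))

def leaked_fields(response):
    """List the fields of an image record that expose backend credentials."""
    image = response.get("image") or {}
    hits = []
    if has_credentials(image.get("location") or ""):
        hits.append("location")
    for i, loc in enumerate(image.get("location_data") or []):
        if has_credentials(loc.get("url") or ""):
            hits.append(f"location_data[{i}].url")
    return hits

def redact(response):
    """Copy the record with credentials removed from every location URL."""
    out = copy.deepcopy(response)
    image = out.get("image") or {}
    if image.get("location"):
        image["location"] = strip_userinfo(image["location"])
    for loc in image.get("location_data") or []:
        if loc.get("url"):
            loc["url"] = strip_userinfo(loc["url"])
    return out
```

Running `leaked_fields` over responses from any user-reachable endpoint gives a regression check that location credentials are filtered before they leave the internal network.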