yahoo-eng-team team mailing list archive

[Bug 1354512] Re: Anonymous user can download public image through Swift


This was published as OSSN-0025:

  https://wiki.openstack.org/wiki/OSSN/OSSN-0025

** Changed in: ossn
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1354512

Title:
  Anonymous user can download public image through Swift

Status in OpenStack Image Registry and Delivery Service (Glance):
  New
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  When Glance uses Swift as a backend, and Swift uses the delay_auth_decision
  feature (for temporary URLs, for example), anyone can download public
  images anonymously from Swift by direct URL.

  Steps to reproduce:
  1. Set
      delay_auth_decision = 1
  in Swift's proxy-server.conf.
  Set
      default_store = swift
      swift_store_multi_tenant = True
      swift_store_create_container_on_put = True
  in Glance's glance-api.conf.

  2. Create a public image.
      glance image-create --name fake_image --file <some_text_file_name> --is-public True
  You may use a text file to reproduce the error for descriptive reasons.
  Use the image id you got in the next step.

  3. Download the created image with curl.
      curl <swift_endpoint>/glance_<image_id>/<image_id>
  See your file in the output.
  If swift_store_container in your glance-api.conf is not 'glance', use appropriate prefix in the command above.

  Glance sets the read ACL to '.r:*,.rlistings' for all public images. Thus,
  since anyone has access to Swift (due to the delay_auth_decision parameter),
  anyone can download a public image.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1354512/+subscriptions
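An added audit example (not part of the bug report, nor Glance or Swift code) that checks a Swift proxy config, a Glance config and a container read ACL for the combination described in the bug: delay_auth_decision enabled, a Swift-backed Glance, and the '.r:*' referrer ACL that Glance puts on public images. The config fragments and the [filter:authtoken] section name are constructed for the example.

```python
"""Audit for the Glance-on-Swift exposure in bug 1354512 (constructed example,
not part of the bug report): flags the case where delay_auth_decision in Swift,
a Swift-backed Glance and a '.r:*' container read ACL coincide."""
import configparser

TRUE_VALUES = {"1", "true", "yes", "on"}

# Constructed config fragments; only the keys named in the bug report are set.
PROXY_CONF = """\
[filter:authtoken]
delay_auth_decision = 1
"""
GLANCE_CONF = """\
[DEFAULT]
default_store = swift
swift_store_multi_tenant = True
swift_store_create_container_on_put = True
"""
PUBLIC_IMAGE_ACL = ".r:*,.rlistings"  # the read ACL Glance sets on public images


def option_value(conf_text, key):
    """Return the first value of `key` found in any section of an INI text, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    for section in [parser.default_section] + parser.sections():
        if parser.has_option(section, key):
            return parser.get(section, key).strip()
    return None


def acl_grants_anonymous_read(read_acl):
    """Swift read ACLs are comma-separated; '.r:*' admits any referrer (so any
    unauthenticated GET), while '.rlistings' and scoped entries do not on their own."""
    elements = {e.strip() for e in read_acl.split(",") if e.strip()}
    return ".r:*" in elements


def assess_exposure(proxy_conf, glance_conf, container_read_acl):
    """Return findings for the combination in the bug; an empty list means not exposed."""
    delayed = (option_value(proxy_conf, "delay_auth_decision") or "").lower() in TRUE_VALUES
    swift_backed = (option_value(glance_conf, "default_store") or "").lower() == "swift"
    findings = []
    if delayed and swift_backed and acl_grants_anonymous_read(container_read_acl):
        findings.append("container is readable without a token: delay_auth_decision passes "
                        "unauthenticated requests through to the ACL check, and '.r:*' admits them")
    return findings
```

Running assess_exposure(PROXY_CONF, GLANCE_CONF, PUBLIC_IMAGE_ACL) on the constructed fragments returns one finding; changing delay_auth_decision to 0 or dropping '.r:*' from the ACL returns none.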