yahoo-eng-team team mailing list archive

[Bug 1452206] [NEW] User can send requests directly to glance registry server

 

Public bug reported:

I was playing with the devstack environment and noticed an interesting
"feature":

The user can send requests directly to the registry server. All he needs
to know is the address/port glance-registry is launched at.

The following request

    curl -v localhost:9191/images --header "X-Auth-Token: YOUR-TOKEN-HERE"

[header can be omitted if api/registry servers are launched with noauth flavors]

results in 200 OK.

I'm just wondering if this is a problem to be considered at deployment
time (making registry server unavailable from the outside) or a thing to
consider for the developers as well.

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1452206

Title:
  User can send requests directly to glance registry server

Status in OpenStack Image Registry and Delivery Service (Glance):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1452206/+subscriptions
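
Added example (not part of the original bug report and not Glance project code): for the deployment-time option the report raises, a small audit of a glance-registry.conf body that flags a registry listening on all interfaces or running without a keystone flavor. The sample configs are constructed; bind_host, bind_port and [paste_deploy] flavor are assumed to be the relevant options, with 0.0.0.0 and 9191 assumed as defaults when unset.

```python
import configparser
import ipaddress

# Constructed sample configs, not taken from the bug report.
EXPOSED_CONF = """
[DEFAULT]
bind_host = 0.0.0.0
bind_port = 9191
[paste_deploy]
# no flavor set
"""

RESTRICTED_CONF = """
[DEFAULT]
bind_host = 127.0.0.1
bind_port = 9191
[paste_deploy]
flavor = keystone
"""


def audit_registry_conf(text):
    """Return a list of findings for a glance-registry.conf body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    # Assumed defaults when unset: all interfaces, port 9191.
    host = cp.get("DEFAULT", "bind_host", fallback="0.0.0.0").strip()
    port = cp.get("DEFAULT", "bind_port", fallback="9191").strip()
    try:
        addr = ipaddress.ip_address(host)
        wildcard, loopback = addr.is_unspecified, addr.is_loopback
    except ValueError:  # a hostname rather than an IP literal
        wildcard, loopback = False, host == "localhost"
    if wildcard:
        findings.append(f"bind_host={host}: port {port} listens on every interface")
    elif not loopback:
        findings.append(f"bind_host={host}: check port {port} is firewalled to glance-api hosts")

    # Assumption: only a keystone-based flavor makes the registry validate X-Auth-Token.
    flavor = cp.get("paste_deploy", "flavor", fallback="").strip()
    if "keystone" not in flavor:
        findings.append(f"flavor={flavor or '(unset)'}: token validation not enforced")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("restricted", RESTRICTED_CONF)):
        print(name, audit_registry_conf(conf) or "no findings")
```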

