yahoo-eng-team team mailing list archive
Message #32829
[Bug 1454292] [NEW] Another user can gain full access to another user's image by image_id
Public bug reported:
If the image is created by a user for another tenant (with --owner
option), the image won't be seen by the first user in glance image-list
output, but will be accessible by image_id.
Steps to reproduce (I used kilo devstack):
1. Create the image as demo user with --owner admin
glance image-create --name created_by_demo --container-format bare --disk-format raw --file MANIFEST.in --owner admin
Remember the id of the created image
(8d72dbb2-70f9-4618-aee2-187d5c3f296a in my case)
2. Make sure any list/update/delete operation performed by demo user on
admin image succeeds.
(Image Update)
glance image-update 8d72dbb2-70f9-4618-aee2-187d5c3f296a --name updated-by-non-admin2
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | c00d6a5ed8b04bb14b4760baf2804f24     |
| container_format | bare                                 |
| created_at       | 2015-05-12T14:33:38.481116           |
| deleted          | False                                |
| deleted_at       | None                                 |
| disk_format      | raw                                  |
| id               | 8d72dbb2-70f9-4618-aee2-187d5c3f296a |
| is_public        | False                                |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | updated-by-non-admin2                |
| owner            | admin                                |
| protected        | False                                |
| size             | 529                                  |
| status           | active                               |
| updated_at       | 2015-05-12T14:40:33.162878           |
| virtual_size     | None                                 |
+------------------+--------------------------------------+
(Image List)
glance image-show 8d72dbb2-70f9-4618-aee2-187d5c3f296a
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | c00d6a5ed8b04bb14b4760baf2804f24     |
| container_format | bare                                 |
| created_at       | 2015-05-12T14:33:38.481116           |
| deleted          | False                                |
| disk_format      | raw                                  |
| id               | 8d72dbb2-70f9-4618-aee2-187d5c3f296a |
| is_public        | False                                |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | updated-by-non-admin2                |
| owner            | admin                                |
| protected        | False                                |
| size             | 529                                  |
| status           | active                               |
| updated_at       | 2015-05-12T14:40:33.162878           |
+------------------+--------------------------------------+
(Image Delete)
glance image-delete 8d72dbb2-70f9-4618-aee2-187d5c3f296a
glance image-show 8d72dbb2-70f9-4618-aee2-187d5c3f296a
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | c00d6a5ed8b04bb14b4760baf2804f24     |
| container_format | bare                                 |
| created_at       | 2015-05-12T14:33:38.481116           |
| deleted          | True                                 |
| deleted_at       | 2015-05-12T14:43:52.995393           |
| disk_format      | raw                                  |
| id               | 8d72dbb2-70f9-4618-aee2-187d5c3f296a |
| is_public        | False                                |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | updated-by-non-admin2                |
| owner            | admin                                |
| protected        | False                                |
| size             | 529                                  |
| status           | deleted                              |
| updated_at       | 2015-05-12T14:43:52.996843           |
+------------------+--------------------------------------+
** Affects: glance
Importance: Undecided
Assignee: Inessa Vasilevskaya (ivasilevskaya)
Status: New
** Changed in: glance
Assignee: (unassigned) => Inessa Vasilevskaya (ivasilevskaya)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1454292
Title:
Another user can gain full access to another user's image by image_id
Status in OpenStack Image Registry and Delivery Service (Glance):
New
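The behaviour reported above (listing is scoped by owner, by-id operations are not) reduced to a toy model, as an added example that is not Glance code and not part of the original message; the page does not state the root cause in Glance. `ImageStore`, `replay_report` and the id `img-1` are hypothetical, and the owner check in the hardened variant is one possible mitigation, assumed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Image:
    id: str
    name: str
    owner: str            # tenant that owns the image
    deleted: bool = False

class ImageStore:
    """Toy in-memory registry (hypothetical, not Glance code)."""
    def __init__(self, check_owner_on_id):
        self.images = {}
        self.check_owner_on_id = check_owner_on_id

    def create(self, tenant, image_id, name, owner=None):
        # owner=... models `--owner`: the image is filed under another tenant
        self.images[image_id] = Image(image_id, name, owner or tenant)

    def list_ids(self, tenant):
        # Listing is scoped to the caller's tenant in both variants
        return [i.id for i in self.images.values() if not i.deleted and i.owner == tenant]

    def _get(self, tenant, image_id):
        img = self.images.get(image_id)
        if img is None or (self.check_owner_on_id and img.owner != tenant):
            # Same error as "missing", so a foreign image id is not confirmed
            raise LookupError(image_id)
        return img

    def show(self, tenant, image_id):
        return self._get(tenant, image_id)
    def update(self, tenant, image_id, name):
        self._get(tenant, image_id).name = name
    def delete(self, tenant, image_id):
        self._get(tenant, image_id).deleted = True

def replay_report(store, image_id="img-1"):   # constructed id
    """Run the report's steps as tenant 'demo'; return which ones succeeded."""
    store.create("demo", image_id, "created_by_demo", owner="admin")
    result = {"listed": image_id in store.list_ids("demo")}
    for op, args in (("show", ()), ("update", ("updated-by-non-admin2",)), ("delete", ())):
        try:
            getattr(store, op)("demo", image_id, *args)
            result[op] = True
        except LookupError:
            result[op] = False
    return result
```

`replay_report(ImageStore(check_owner_on_id=False))` reproduces the reported pattern (not listed, yet show, update and delete succeed); with `check_owner_on_id=True` the same steps all fail for `demo` while `admin` keeps access.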