yahoo-eng-team team mailing list archive
Message #32866
[Bug 1454292] Re: User can gain full access to another user's image by image_id
Sorry, my environment was not in the original devstack configuration - I
had glance-api/glance-registry launch with noauth flavors and that
seemed to cause the described behaviour, as all requests were executed
with 'is_admin=True' in context even for demo user.
I propose to close the issue.
** Changed in: glance
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1454292
Title:
User can gain full access to another user's image by image_id
Status in OpenStack Image Registry and Delivery Service (Glance):
Invalid
Bug description:
If the image is created by a user for another tenant (with --owner
option), the image won't be seen by the first user in glance image-list
output, but will be accessible by image_id.
Steps to reproduce (I used kilo devstack):
1. Create the image as demo user with --owner admin
glance image-create --name created_by_demo --container-format bare --disk-format raw --file MANIFEST.in --owner admin
Remember the id of the created image
(8d72dbb2-70f9-4618-aee2-187d5c3f296a in my case)
2. Make sure any list/update/delete operation performed by demo user
on admin image succeeds.
(Image Update)
glance image-update 8d72dbb2-70f9-4618-aee2-187d5c3f296a --name updated-by-non-admin2
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | c00d6a5ed8b04bb14b4760baf2804f24 |
| container_format | bare |
| created_at | 2015-05-12T14:33:38.481116 |
| deleted | False |
| deleted_at | None |
| disk_format | raw |
| id | 8d72dbb2-70f9-4618-aee2-187d5c3f296a |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | updated-by-non-admin2 |
| owner | admin |
| protected | False |
| size | 529 |
| status | active |
| updated_at | 2015-05-12T14:40:33.162878 |
| virtual_size | None |
+------------------+--------------------------------------+
(Image List)
glance image-show 8d72dbb2-70f9-4618-aee2-187d5c3f296a
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | c00d6a5ed8b04bb14b4760baf2804f24 |
| container_format | bare |
| created_at | 2015-05-12T14:33:38.481116 |
| deleted | False |
| disk_format | raw |
| id | 8d72dbb2-70f9-4618-aee2-187d5c3f296a |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | updated-by-non-admin2 |
| owner | admin |
| protected | False |
| size | 529 |
| status | active |
| updated_at | 2015-05-12T14:40:33.162878 |
+------------------+--------------------------------------+
(Image Delete)
glance image-delete 8d72dbb2-70f9-4618-aee2-187d5c3f296a
glance image-show 8d72dbb2-70f9-4618-aee2-187d5c3f296a
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | c00d6a5ed8b04bb14b4760baf2804f24 |
| container_format | bare |
| created_at | 2015-05-12T14:33:38.481116 |
| deleted | True |
| deleted_at | 2015-05-12T14:43:52.995393 |
| disk_format | raw |
| id | 8d72dbb2-70f9-4618-aee2-187d5c3f296a |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | updated-by-non-admin2 |
| owner | admin |
| protected | False |
| size | 529 |
| status | deleted |
| updated_at | 2015-05-12T14:43:52.996843 |
+------------------+--------------------------------------+
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1454292/+subscriptions
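The root cause given in the reply above was a deployment running glance-api/glance-registry without keystone authentication. The following is an added example, not part of the original message or of Glance itself: a small audit that flags a service config whose paste flavor lacks keystone. It assumes the flavor is set under `[paste_deploy]` as `flavor = ...` and that authenticated flavors include `keystone` as one of the `+`-separated parts; the sample configs are constructed.

```python
import configparser
import sys

# Constructed sample configs (not taken from the reporter's environment).
SAMPLE_NOAUTH = """
[DEFAULT]
bind_port = 9292

[paste_deploy]
flavor = caching
"""

SAMPLE_KEYSTONE = """
[DEFAULT]
bind_port = 9292

[paste_deploy]
flavor = keystone+cachemanagement
"""


def paste_flavor(conf_text):
    """Return the [paste_deploy] flavor as a list of '+'-separated parts."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    flavor = parser.get("paste_deploy", "flavor", fallback="")
    return [p.strip().lower() for p in flavor.split("+") if p.strip()]


def audit(name, conf_text):
    """Return a finding string if the config has no keystone auth, else None."""
    parts = paste_flavor(conf_text)
    if "keystone" in parts:  # assumption: this part marks an authenticated pipeline
        return None
    shown = "+".join(parts) or "<unset>"
    return (f"{name}: paste_deploy flavor {shown!r} has no keystone auth; "
            "requests may run with is_admin=True")


if __name__ == "__main__":
    # Audit the files given on the command line, or the samples if none.
    if sys.argv[1:]:
        configs = {path: open(path).read() for path in sys.argv[1:]}
    else:
        configs = {"sample-noauth": SAMPLE_NOAUTH, "sample-keystone": SAMPLE_KEYSTONE}
    for name, text in configs.items():
        print(audit(name, text) or f"{name}: OK (keystone flavor)")
```

Run it against both the API and registry config files, since the reply names both services.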