yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1452206] Re: User can send requests directly to glance registry server

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Inessa Vasilevskaya <ivasilevskaya@xxxxxxxxxxxx>
Date: Mon, 18 May 2015 13:30:11 -0000
Reply-to: Bug 1452206 <1452206@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Hi, Stuart!

I just wanted to make sure that that's a surprise just for me :)
Documenting it would be useful for paranoics like me, I'll ask Mike
Fedosin if he has a place for it in his glance-docs.

I propose to close the issue then.

** Changed in: glance
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1452206

Title:
  User can send requests directly to glance registry server

Status in OpenStack Image Registry and Delivery Service (Glance):
  Invalid

Bug description:
  I was playing with the devstack environment and noticed an interesting
  "feature":

  The user can send requests directly to the registry server. All he
  needs to know is the address/port glance-registry is launched at.

  The following request
  curl -v localhost:9191/images --header "X-Auth-Token: YOUR-TOKEN-HERE" [header can be omitted if api/registry servers are launched with noauth flavors]

  results in 200 OK.

  I'm just wondering if this is a problem to be considered at deployment
  time (making registry server unavailable from the outside) or a thing
  to consider for the developers as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1452206/+subscriptions

References

[Bug 1452206] [NEW] User can send requests directly to glance registry server
From: Inessa Vasilevskaya, 2015-05-06