
yahoo-eng-team team mailing list archive

[Bug 1479385] Re: Cause conflicts within glance public metadefs

Until this can be safely backported, the OSSA task is switched to Won't
fix.

** Changed in: ossa
       Status: Triaged => Won't Fix

** Information type changed from Public Security to Public

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1479385

Title:
  Cause conflicts within glance public metadefs

Status in Glance:
  Triaged
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Overview:

  Through creation of a new public namespace by any user of the system,
  you can create a clash of namespaces that breaks all accessibility to
  that namespace. This can therefore be used to cause a denial of
  service attack, or you have to disable the service completely.

  How to produce:

  As a regular user run the command:
  curl -v -X POST http://16.49.138.140:9292/v2/metadefs/namespaces -H "Content-Type: application/json" -H "X-Auth-Token: 1a499605071a46a8b9b2a938fac5fac7" -d '{"namespace": "OS::Computer::WebServers", "visibility": "public"}'

  This will create a new namespace with the same name as the existing namespace. This has now rendered the original namespace inaccessible. If a GET request is made to the namespace's name by any other user via (or by viewing in Horizon):
  curl -v -X GET http://16.49.138.140:9292/v2/metadefs/namespaces/OS::Computer::WebServers -H "Content-Type: application/json" -H "X-Auth-Token: 1a499605071a46a8b9b2a938fac5fac7"

  It will cause the following output in the API console:
  2015-07-28 23:41:42.175 ERROR glance.api.v2.metadef_properties [req-e3a80995-6f37-4e5c-b7dd-a1ce978478c7 f76c222365fb490792300f9e49ec9bd0 9db14ac3320b4396b58222f99dd04e4e] Multiple rows were found for one()

  This returns a 500 to the user and therefore leaves the namespace
  inaccessible, meaning a successful denial of service to most of the
  metadefs API, as most of it requires the namespace.

  Attempted preventative measures:
  In the policy.json files there are only the following values:
  "get_metadef_namespace": "",
  "get_metadef_namespaces": "",
  "modify_metadef_namespace": "",
  "add_metadef_namespace": "",
  meaning that creating namespaces has to be disabled completely (not the default), as there is no publicize option.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1479385/+subscriptions
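
The failure mode described in the report, replayed against an in-memory SQLite table as an added example (not Glance code and not part of the original message). The table layout, owner names and HTTP status mapping are assumptions for illustration, and the unique constraint is one possible storage-level guard, not necessarily the fix Glance adopted.

```python
import sqlite3

class MultipleRowsFound(Exception):
    """Stand-in for the 'Multiple rows were found for one()' lookup error."""

def make_db(unique):
    # Constructed one-table schema; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    constraint = ", UNIQUE (namespace)" if unique else ""
    db.execute(
        "CREATE TABLE metadef_namespaces ("
        "id INTEGER PRIMARY KEY, namespace TEXT NOT NULL, "
        "owner TEXT NOT NULL, visibility TEXT NOT NULL" + constraint + ")"
    )
    return db

def create_namespace(db, name, owner, visibility="public"):
    """Return the HTTP status a create request would map to."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO metadef_namespaces (namespace, owner, visibility) "
                "VALUES (?, ?, ?)", (name, owner, visibility))
    except sqlite3.IntegrityError:
        return 409  # duplicate name rejected at write time
    return 201

def get_namespace(db, name):
    """Exactly-one lookup: zero rows is a 404, several rows is an error."""
    rows = db.execute(
        "SELECT owner FROM metadef_namespaces WHERE namespace = ?", (name,)
    ).fetchall()
    if len(rows) > 1:
        raise MultipleRowsFound(name)
    return (200, rows[0][0]) if rows else (404, None)

def replay(unique):
    """Replay the report's sequence: existing namespace, duplicate create, GET."""
    db = make_db(unique)
    name = "OS::Computer::WebServers"
    statuses = [create_namespace(db, name, "admin"),          # constructed owner
                create_namespace(db, name, "regular-user")]   # constructed owner
    try:
        statuses.append(get_namespace(db, name)[0])
    except MultipleRowsFound:
        statuses.append(500)  # unhandled lookup error surfaces as a 500
    return statuses

if __name__ == "__main__":
    print("no constraint:", replay(unique=False))  # [201, 201, 500]
    print("unique name:  ", replay(unique=True))   # [201, 409, 200]
```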