
yahoo-eng-team team mailing list archive

[Bug 1513230] [NEW] Users have cross-tenant visibility on images


Public bug reported:

Using Kilo 2015.1.2 and Glance Client 0.17.0:

Using two users (demo in the demo tenant, alt_demo in the alt_demo
tenant, neither has the admin role), I am able to create an image with
is_public set to False as the demo user/tenant, and then show data/use
that image to create an instance as alt_demo:

> env | grep OS_
OS_PASSWORD=secret
OS_AUTH_URL=http://localhost:5000/v2.0
OS_USERNAME=demo
OS_TENANT_NAME=demo

> glance image-create --container-format bare --disk-format raw --is-public false --name demo_image
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | None                                 |
| container_format | bare                                 |
| created_at       | 2015-11-04T21:33:14.000000           |
| deleted          | False                                |
| deleted_at       | None                                 |
| disk_format      | raw                                  |
| id               | 51215efe-3533-4128-a36f-a44e507df5d7 |
| is_public        | False                                |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | demo_image                           |
| owner            | None                                 |
| protected        | False                                |
| size             | 0                                    |
| status           | queued                               |
| updated_at       | 2015-11-04T21:33:14.000000           |
| virtual_size     | None                                 |
+------------------+--------------------------------------+

The image then does not appear in image-list:
> glance image-list
+--------------------------------------+--------------------+-------------+------------------+-----------+--------+
| ID                                   | Name               | Disk Format | Container Format | Size      | Status |
+--------------------------------------+--------------------+-------------+------------------+-----------+--------+
| 7eb66946-70c1-4d35-93d8-93a315710be9 | tempest_alt_image  | raw         | bare             | 947466240 | active |
| 50eccbfd-baf3-4f0e-a10d-c20292b01d9d | tempest_main_image | raw         | bare             | 947466240 | active |
+--------------------------------------+--------------------+-------------+------------------+-----------+--------+

With --all-tenants, it appears:
> glance image-list --all-tenants
+--------------------------------------+--------------------+-------------+------------------+-----------+--------+
| ID                                   | Name               | Disk Format | Container Format | Size      | Status |
+--------------------------------------+--------------------+-------------+------------------+-----------+--------+
| 51215efe-3533-4128-a36f-a44e507df5d7 | demo_image         | raw         | bare             |           | queued |
| 7eb66946-70c1-4d35-93d8-93a315710be9 | tempest_alt_image  | raw         | bare             | 947466240 | active |
| 50eccbfd-baf3-4f0e-a10d-c20292b01d9d | tempest_main_image | raw         | bare             | 947466240 | active |
| 8f1430dc-8fc0-467b-b006-acf6b481714e | test_snapshot      | raw         | bare             |           | active |
+--------------------------------------+--------------------+-------------+------------------+-----------+--------+

With image-show and the name, error message:
> glance image-show demo_image
No image with a name or ID of 'demo_image' exists.

With image-show and the uuid, data:
> glance image-show 51215efe-3533-4128-a36f-a44e507df5d7
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| container_format | bare                                 |
| created_at       | 2015-11-04T21:33:14.000000           |
| deleted          | False                                |
| disk_format      | raw                                  |
| id               | 51215efe-3533-4128-a36f-a44e507df5d7 |
| is_public        | False                                |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | demo_image                           |
| protected        | False                                |
| size             | 0                                    |
| status           | queued                               |
| updated_at       | 2015-11-04T21:33:14.000000           |
+------------------+--------------------------------------+

Now swap to alt_demo:
> env | grep OS_
OS_PASSWORD=secret
OS_AUTH_URL=http://localhost:5000/v2.0
OS_USERNAME=alt_demo
OS_TENANT_NAME=alt_demo

Image list with --all-tenants shows the image even though it shouldn't.
> glance image-list --all-tenants
+--------------------------------------+--------------------+-------------+------------------+-----------+--------+
| ID                                   | Name               | Disk Format | Container Format | Size      | Status |
+--------------------------------------+--------------------+-------------+------------------+-----------+--------+
| 51215efe-3533-4128-a36f-a44e507df5d7 | demo_image         | raw         | bare             |           | queued |
| 7eb66946-70c1-4d35-93d8-93a315710be9 | tempest_alt_image  | raw         | bare             | 947466240 | active |
| 50eccbfd-baf3-4f0e-a10d-c20292b01d9d | tempest_main_image | raw         | bare             | 947466240 | active |
| 8f1430dc-8fc0-467b-b006-acf6b481714e | test_snapshot      | raw         | bare             |           | active |
+--------------------------------------+--------------------+-------------+------------------+-----------+--------+

Image show with UUID succeeds even though it shouldn't:
> glance image-show 51215efe-3533-4128-a36f-a44e507df5d7
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| container_format | bare                                 |
| created_at       | 2015-11-04T21:33:14.000000           |
| deleted          | False                                |
| disk_format      | raw                                  |
| id               | 51215efe-3533-4128-a36f-a44e507df5d7 |
| is_public        | False                                |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | demo_image                           |
| protected        | False                                |
| size             | 0                                    |
| status           | queued                               |
| updated_at       | 2015-11-04T21:33:14.000000           |
+------------------+--------------------------------------+

Image-show with name returns error (correct):
> glance image-show demo_image
No image with a name or ID of 'demo_image' exists.

Attempting to boot an instance as alt_user with the image gives the error that it is not active, not that it wasn't found:
> nova boot --flavor 1 --image demo_image should_not_work
ERROR (BadRequest): Image 51215efe-3533-4128-a36f-a44e507df5d7 is not active. (HTTP 400) (Request-ID: req-44d95795-82ff-45f8-8945-faf430ddb5fc)

vs
> nova boot --flavor 1 --image foo should_not_work
ERROR (CommandError): No image with a name or ID of 'foo' exists.

Tempest tests that run expecting to not be able to access images across
tenants fail since the image can be used / queried.

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1513230
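The behaviour the report expects, written out as a single visibility rule that every read path (list, show, boot) applies, is shown below as an added illustration; it is not Glance's code and not part of the bug report. Only demo_image's id and name come from the report; the `Image` and `Context` types, the `pub-0001` and `orphan-0001` ids and the admin context are constructed here. The report's image-create output shows `owner | None`, so the example also covers an ownerless private image, treating it as admin-only; that is an assumption about the intended policy, not something the report states.

```python
from dataclasses import dataclass
from typing import List, NamedTuple, Optional

class ImageNotFound(Exception): pass  # raised for missing and for hidden images alike

@dataclass
class Image:
    id: str
    name: str
    owner: Optional[str]  # owning tenant; the report's image-create output shows None here
    is_public: bool
    status: str = "queued"

class Context(NamedTuple):
    tenant: str
    is_admin: bool = False

def is_image_visible(ctx: Context, image: Image) -> bool:
    """The one rule every read path (list, show, boot) must apply before returning data."""
    if ctx.is_admin or image.is_public:
        return True
    return image.owner is not None and ctx.tenant == image.owner  # ownerless: admins only

def list_images(ctx: Context, images: List[Image], all_tenants: bool = False) -> List[str]:
    """--all-tenants relaxes the owner filter only; it never bypasses the visibility rule."""
    visible = [i for i in images if is_image_visible(ctx, i)]
    if all_tenants:
        return [i.id for i in visible]
    return [i.id for i in visible if i.is_public or i.owner == ctx.tenant]

def get_image(ctx: Context, images: List[Image], ref: str) -> Image:
    """Lookup by id or name; a hidden image and a missing one raise identical errors."""
    for image in images:
        if ref in (image.id, image.name) and is_image_visible(ctx, image):
            return image
    raise ImageNotFound("No image with a name or ID of '%s' exists." % ref)

def image_for_boot(ctx: Context, images: List[Image], ref: str) -> Image:
    image = get_image(ctx, images, ref)  # visibility first: a 404 here never reveals status
    if image.status != "active":
        raise ValueError("Image %s is not active." % image.id)
    return image

# Constructed sample: demo_image's id and name are from the report; the other two are made up.
DEMO_IMAGE_ID = "51215efe-3533-4128-a36f-a44e507df5d7"
IMAGES = [Image(DEMO_IMAGE_ID, "demo_image", "demo", is_public=False),
          Image("pub-0001", "public_image", "alt_demo", is_public=True, status="active"),
          Image("orphan-0001", "ownerless_image", None, is_public=False)]
DEMO, ALT, ADMIN = Context("demo"), Context("alt_demo"), Context("admin", is_admin=True)
```

With this ordering, alt_demo looking up demo_image by UUID gets the same "No image with a name or ID" error as a lookup of a name that exists nowhere, and nova's "is not active" message can only be reached for an image the caller is allowed to see.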
