yahoo-eng-team team mailing list archive

[Tristan Cacqueray <tdecacqu@xxxxxxxxxx>]

Until a clear consensus about whenever this bug caused an actual
security vulnerability, the OSSA task is now Won't Fix.

** Changed in: ossa
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1522524

Title:
  User can delete deactivated images

Status in Glance:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  
  Overview:

  
  In glance once an admin has marked a image as deactivated a user can no longer download or delete that image. This is so an image can be inspected by the admins without the user interfering.
  However, these restrictions can be avoided specifically allowing a user to delete a deactivated image. Meaning an admin would not be able to guarantee the status of a deactivated image.

  What should happen: 403 What does happen: 200

  How to reproduce:
  1. Create an image.
  echo test | glance image-create --name 3 --container-format bare --disk-format raw

  2. Deactivate the image.
  glance image-deactivate 0630d5e4-6009-4723-94e6-1ad056ab649a

  3. Check image is deactivated.
  glance image-show 0630d5e4-6009-4723-94e6-1ad056ab649a

  4. Using the v1 API delete the image.
  curl -X DELETE http://localhost:9292/v1/images/0630d5e4-6009-4723-94e6-1ad056ab649a -H 'X-Auth-token: 108322e43f6346ebadb3c2fb72831913'

  5. Image is now gone.
  glance image-show 0630d5e4-6009-4723-94e6-1ad056ab649a

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1522524/+subscriptions