yahoo-eng-team team mailing list archive

[Bug 1799588] [NEW] non-admin users can see all tenants' images even when image is private

 

Public bug reported:

[root@vm013 glance]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@vm013 glance]# rpm -qa |grep glance |sort
openstack-glance-16.0.1-1.el7.noarch
openstack-glance-doc-16.0.1-1.el7.noarch
python2-glanceclient-2.10.0-1.el7.noarch
python2-glance-store-0.23.0-1.el7.noarch
python-glance-16.0.1-1.el7.noarch
python-glanceclient-doc-2.10.0-1.el7.noarch
[root@vm013 glance]# md5sum /etc/glance/policy.json
a4f29d0f75bbc04f1d83a1abdf0fda6f  /etc/glance/policy.json

I am running only Glance v2 API.

In this demo, as an un-privileged user, I will list all glance images,
from all tenants, and they are all marked 'private'.

(as admin):
[root@vm013 ~]# openstack role assignment list --effective --names |grep jonathan
| user    | jonathan@Default    |       | ozoneaq@ndc        |         | False     |

(as jonathan):
[root@vm013 ~]# . keystonerc_jonathan
[root@vm013 ~]# printenv |grep OS_ |sort
OS_AUTH_URL=https://keystone.gpcprod:5000/v3
OS_CACERT=/etc/openldap/cacerts/gpcprod_root_ca.pem
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=XXXXXXXXXXXXXXXXXX
OS_PROJECT_DOMAIN_NAME=NDC
OS_PROJECT_NAME=ozoneaq
OS_USER_DOMAIN_NAME=Default
OS_USERNAME=jonathan
OS_VOLUME_API_VERSION=3

[root@vm013 ~]# openstack image list
+--------------------------------------+-----------------------------------+--------+
| ID                                   | Name                              | Status |
+--------------------------------------+-----------------------------------+--------+
| 0099a343-1376-49f4-85f9-795624fb2ce8 | CentOS-7-x86_64-GenericCloud-1808 | active |
| 53d7c007-318b-4dad-b7cb-38b1dd31f884 | Ubuntu1604-180919                 | active |
| 482f52ca-e56c-4555-a0e3-93eb491db389 | Ubuntu1604-20181016               | active |
| 212aaf3c-18f6-4327-8a11-c726c2e21780 | Ubuntu1804-20181016               | active |
| 051d2fff-6b90-4321-9c64-c613f0ddf3da | Windows2016Std-20181003r4         | active |
| ac6baa7c-fd2f-48e2-84e0-37a86f623e38 | Windows2016std-20181003r2         | active |
| 2264c6b9-40e7-492d-a5bc-dd11a7b4ee10 | Windows2016std-20181004           | active |
| 6d865748-ae7a-4c43-9d01-bc35c9002fd9 | Windows2016std-20181004r2         | active |
| 26ba1766-aa67-4b1b-81cd-90dda8d41384 | WindowsServer2016-20180926        | active |
| 3fc3c155-c7a2-4556-a5d0-de7eff208d7d | WindowsStd2016-20181010           | active |
| b6d161ca-e03b-46c5-95a0-5fe31723c5c7 | centos7-201810100                 | active |
| 8bdc33be-1eb5-429b-b0ca-682b24df45f0 | centos7-gi-build-test1            | active |
| 34a915b8-cca6-45c3-9348-5e15dace444f | cirros                            | active |
| 84102d5c-1641-47bb-b727-a59e707e871c | keyshotslave-1604-snap2           | active |
| cedf9ae7-6adc-44d4-b7cb-d5664ea3fef0 | keyshotslave1604-snap1            | active |
| be4dbd67-d56f-41dd-8378-8aa6ca064f55 | mm-cirros-test                    | active |
| be67cf99-b545-4a91-a3d8-fe9f26a8854d | mm-cirros-test2                   | active |
| a8dfd028-5911-4178-a77d-bb3da8996372 | mm-test-image4                    | active |
| b6d9d44d-2e3c-48a9-9bf5-b6fca20979f9 | testt2-snap                       | active |
| 1c401eea-0e6e-475b-9a46-ffbfb388ca35 | ubuntu1804-180919                 | active |
+--------------------------------------+-----------------------------------+--------+
[root@vm013 ~]# openstack image show cirros
+------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field            | Value                                                                                                                                                                                                                                                                                                                               |
+------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| checksum         | 443b7623e27ecf03dc9e01ee93f67afe                                                                                                                                                                                                                                                                                                    |
| container_format | bare                                                                                                                                                                                                                                                                                                                                |
| created_at       | 2018-09-17T13:43:13Z                                                                                                                                                                                                                                                                                                                |
| disk_format      | raw                                                                                                                                                                                                                                                                                                                                 |
| file             | /v2/images/34a915b8-cca6-45c3-9348-5e15dace444f/file                                                                                                                                                                                                                                                                                |
| id               | 34a915b8-cca6-45c3-9348-5e15dace444f                                                                                                                                                                                                                                                                                                |
| min_disk         | 0                                                                                                                                                                                                                                                                                                                                   |
| min_ram          | 0                                                                                                                                                                                                                                                                                                                                   |
| name             | cirros                                                                                                                                                                                                                                                                                                                              |
| owner            | 6e6d8ff081014c679f18ad4b818ffd4c                                                                                                                                                                                                                                                                                                    |
| properties       | direct_url='file:///var/lib/glance/images/34a915b8-cca6-45c3-9348-5e15dace444f', locations='[{u'url': u'file:///var/lib/glance/images/34a915b8-cca6-45c3-9348-5e15dace444f', u'metadata': {u'mountpoint': u'/var/lib/glance/images', u'type': u'nfs', u'id': u'gpc-b32-na-01', u'share_location': u'nfs://gpc-b32-na-01/glance'}}]' |
| protected        | False                                                                                                                                                                                                                                                                                                                               |
| schema           | /v2/schemas/image                                                                                                                                                                                                                                                                                                                   |
| size             | 12716032                                                                                                                                                                                                                                                                                                                            |
| status           | active                                                                                                                                                                                                                                                                                                                              |
| tags             |                                                                                                                                                                                                                                                                                                                                     |
| updated_at       | 2018-09-17T13:49:18Z                                                                                                                                                                                                                                                                                                                |
| virtual_size     | None                                                                                                                                                                                                                                                                                                                                |
| visibility       | private                                                                                                                                                                                                                                                                                                                             |
+------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+


So you can see that my un-privileged user jonathan (role:user) just displayed the private image 'cirros' from tenant 6e6d8ff081014c679f18ad4b818ffd4c.  User 'jonathan' is not a member of that tenant.


(as admin):
[root@vm013 ~]# openstack project list |grep 6e6d8ff081014c679f18ad4b818ffd4c
| 6e6d8ff081014c679f18ad4b818ffd4c | gpcadm         |


Perhaps even stranger, as my admin user (role:admin, in admin tenant), I cannot set the visibility of an image to 'public':

[root@vm013 ~]# openstack image set --public cirros
403 Forbidden: You are not authorized to complete publicize_image action. (HTTP 403)

My /etc/glance/policy.json is identical to the reference one, here:
https://raw.githubusercontent.com/openstack/glance/master/etc/policy.json

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1799588

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1799588/+subscriptions
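As an added example (not part of the bug report or of Glance's own code), the script below encodes the Glance v2 image visibility rules as an oracle and flags every image the non-admin listing above should not have contained; the 'cirros' image and its owner come from the report, while the requester's project id and the other two images are constructed placeholders. Run by an admin against real listing output and image metadata, `find_leaks` is the check a deployer can use to confirm tenant isolation before and after changing policy or configuration.

```python
"""Audit a Glance v2 image listing for cross-tenant visibility leaks.

Added example (not from the bug report or the Glance project): it encodes the
documented Glance v2 visibility rules as an oracle, then compares what a
non-admin user actually listed against what that user should have seen.
Sample data is constructed: the 'cirros' image and its owner are quoted from
the bug; the requester's project id and the other images are placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Image:
    id: str
    name: str
    owner: str            # project (tenant) id that owns the image
    visibility: str       # public | private | shared | community
    members: set = field(default_factory=set)  # accepted member projects (shared)


@dataclass
class Context:
    project_id: str
    is_admin: bool = False


def should_be_visible(img: Image, ctx: Context) -> bool:
    """Glance v2 visibility rules: an admin sees everything; the owner sees its
    own images; public and community images are visible to every project;
    shared images are visible only to accepted members; private images are
    visible to nobody else."""
    if ctx.is_admin or img.owner == ctx.project_id:
        return True
    if img.visibility in ("public", "community"):
        return True
    if img.visibility == "shared":
        return ctx.project_id in img.members
    return False  # private


def find_leaks(observed_ids, catalog, ctx):
    """Return the images a context listed that the visibility model says it
    must not see.  `observed_ids` is what `openstack image list` returned for
    that user; `catalog` is the authoritative metadata (owner, visibility)
    an admin can retrieve for every image."""
    by_id = {img.id: img for img in catalog}
    leaks = []
    for image_id in observed_ids:
        img = by_id.get(image_id)
        if img is not None and not should_be_visible(img, ctx):
            leaks.append(img)
    return leaks


# Constructed sample: 'cirros' and its owner are from the report; the requester
# project id and the two other images are placeholders.
CATALOG = [
    Image("34a915b8-cca6-45c3-9348-5e15dace444f", "cirros",
          "6e6d8ff081014c679f18ad4b818ffd4c", "private"),
    Image("11111111-0000-0000-0000-000000000001", "ozoneaq-own-image",
          "ozoneaq-project-id-PLACEHOLDER", "private"),
    Image("22222222-0000-0000-0000-000000000002", "shared-to-ozoneaq",
          "6e6d8ff081014c679f18ad4b818ffd4c", "shared",
          {"ozoneaq-project-id-PLACEHOLDER"}),
]
JONATHAN = Context(project_id="ozoneaq-project-id-PLACEHOLDER")


def audit_report():
    """Reproduce the report's situation: the non-admin listing contained every
    image in the catalog.  Returns the names that must not have been listed."""
    observed = [img.id for img in CATALOG]
    return [img.name for img in find_leaks(observed, CATALOG, JONATHAN)]


if __name__ == "__main__":
    print("leaked:", audit_report())  # ['cirros']
```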