yahoo-eng-team team mailing list archive

[Bug 1270569] Re: can_share option grants write permissions on swift container in multi tenant mode.

 

v1 has been deprecated forever, we won't be fixing this.

** Changed in: glance
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1270569

Title:
  can_share option grants write permissions on swift container in multi
  tenant mode.

Status in Glance:
  Won't Fix

Bug description:
  In v1, in multi-tenant mode, when a user from a tenant (let's say T1)
  shares an image with the 'can_share' flag, the user with whom the
  image is shared is granted write permission on the swift container of
  tenant T1.

  As a consequence, all users from the tenant T2 can write to that
  container, thus consuming User1's swift quotas.

  Here is how to reproduce:
    http://paste.openstack.org/show/61511/

  The important lines here are when we share an image with another user with the can_share flag:
    ubuntu@devstack-nb:~/devstack$ glance member-create --can-share image-demo cd563ba051bd4341b1015566e260f09e

  The ACL of the swift container becomes:
     Read ACL:
     Write ACL: cd563ba051bd4341b1015566e260f09e:*

  Note that the users from T2 can write to the container but not read,
  which makes them unable to use the image that has been shared.

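An added example, not part of the bug report or of Glance's code: a small Python audit that parses Swift `X-Container-Read` / `X-Container-Write` values and flags write grants to tenants other than the container owner, including the write-without-read pattern shown in the ACL above. The function names and the owner tenant id are assumptions; the sample headers are constructed from the ACL quoted in the report.

```python
"""Audit Swift container ACL headers for write grants to other tenants."""


def parse_acl(value):
    """Split an ACL header value into (project, user) grants.

    Referrer elements (.r:..., .rlistings) and bare role names are returned
    with project None so callers can tell them apart from tenant grants.
    """
    grants = []
    for element in (value or "").split(","):
        element = element.strip()
        if not element:
            continue
        if element.startswith(".") or ":" not in element:
            grants.append((None, element))
        else:
            project, user = element.split(":", 1)
            grants.append((project, user))
    return grants


def audit_container(owner_project, headers):
    """Return one finding per foreign tenant present in the write ACL."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names vary in case
    read = parse_acl(hdrs.get("x-container-read"))
    read_projects = {p for p, _ in read if p}
    world_readable = (None, ".r:*") in read or "*" in read_projects
    findings = []
    for project, user in parse_acl(hdrs.get("x-container-write")):
        if project is None or project == owner_project:
            continue
        findings.append({
            "project": project,
            "all_users": user == "*",
            # Pattern from the report: the member can write but not read.
            "write_without_read": not (world_readable or project in read_projects),
        })
    return findings


# Constructed sample: the ACL quoted in the report; the owner id is a placeholder.
SAMPLE_HEADERS = {
    "X-Container-Read": "",
    "X-Container-Write": "cd563ba051bd4341b1015566e260f09e:*",
}

if __name__ == "__main__":
    for finding in audit_container("OWNER_TENANT_ID_PLACEHOLDER", SAMPLE_HEADERS):
        print(finding)
```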