yahoo-eng-team team mailing list archive
Message #95576
[Bug 1270569] Re: can_share option grants write permissions on swift container in multi tenant mode.
v1 has been deprecated forever, we won't be fixing this.
** Changed in: glance
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1270569
Title:
can_share option grants write permissions on swift container in multi
tenant mode.
Status in Glance:
Won't Fix
Bug description:
In v1, in multi tenant mode, when a user from a tenant (let's say T1)
shares an image with the 'can_share' flag, then the user with whom the
image is shared is granted write permission on the swift container of
tenant T1.
As a consequence all users from the tenant T2 can write to that
container and thus consume User1's swift quotas.
Here is how to reproduce:
http://paste.openstack.org/show/61511/
The important lines here are when we share an image with another user with the can_share flag:
ubuntu@devstack-nb:~/devstack$ glance member-create --can-share image-demo cd563ba051bd4341b1015566e260f09e
The ACL of the swift container becomes:
Read ACL:
Write ACL: cd563ba051bd4341b1015566e260f09e:*
Note that the users from T2 can write to the container but not read,
which makes them unable to use the image that has been shared.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1270569/+subscriptions
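Added example, not part of the original bug report or of Glance: a small audit of a Swift container's Read/Write ACL strings that flags the state shown above (another tenant holds a write grant, with or without a matching read grant). The owner ID is a constructed placeholder, the function names are hypothetical, and bare elements without a colon are skipped as a simplification.

```python
# Added example: audit Swift container ACLs for the pattern in this report.
# ACL strings are the comma-separated values of the container's
# X-Container-Read / X-Container-Write metadata.

def parse_acl(value):
    """Split an ACL value into its non-empty, trimmed elements."""
    return [e.strip() for e in (value or "").split(",") if e.strip()]

def grantee_project(element):
    """Return the project part of a 'project:user' element, else None.

    Referrer elements (.r:..., .rlistings) and bare names carry no
    project and are skipped here (simplifying assumption).
    """
    if element.startswith("."):
        return None
    project, sep, _user = element.partition(":")
    return project if sep else None

def audit_container(owner_project, read_acl, write_acl):
    """Return (code, detail) findings for grants to projects other than the owner."""
    read_elements = parse_acl(read_acl)
    readers = {grantee_project(e) for e in read_elements}
    world_readable = ".r:*" in read_elements or "*" in readers
    findings = []
    for element in parse_acl(write_acl):
        project = grantee_project(element)
        if project is None or project == owner_project:
            continue
        user = element.partition(":")[2]
        scope = "every user" if user == "*" else "user " + user
        findings.append(("cross-tenant-write",
                         "%s of project %s can write" % (scope, project)))
        if project not in readers and not world_readable:
            findings.append(("write-without-read",
                             "project %s can write but not read" % project))
    return findings

# Constructed input: the owner ID is a placeholder; the Write ACL is the
# value quoted in the bug description, with its empty Read ACL.
OWNER_T1 = "T1_PROJECT_ID_PLACEHOLDER"
REPORTED = audit_container(OWNER_T1, "", "cd563ba051bd4341b1015566e260f09e:*")

if __name__ == "__main__":
    for code, detail in REPORTED:
        print(code + ": " + detail)
```
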