Can view private images belonging to another user using member-list

Bug #1114821 reported by Iccha Sethi
This bug affects 1 person

Affects | Status       | Importance | Assigned to       | Milestone
Glance  | Fix Released | Critical   | Mark Washenberger |
Grizzly | Fix Released | Critical   | Mark Washenberger |

Bug Description

Description of the use case which causes this bug:

1. ADMIN user (image admin-admin-private has member fake-member-id. You can see the image in the image list, you can see the members for the image, and for the given member-id you can see the image)

iccha@iccha-dev:~/devstack$ source openrc admin admin
iccha@iccha-dev:~/devstack$ glance image-list
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde | admin-admin-private | | | | queued |
| 6e056225-9563-4a0f-895c-c2cdfe83f679 | cirros-0.3.0-x86_64-uec | ami | ami | 25165824 | active |
| c7fd417b-c88e-465b-b185-f2d331acbe94 | cirros-0.3.0-x86_64-uec-kernel | aki | aki | 4731440 | active |
| b50d67a8-5b50-45ed-9530-743499952e77 | cirros-0.3.0-x86_64-uec-ramdisk | ari | ari | 2254249 | active |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
iccha@iccha-dev:~/devstack$ glance member-list --tenant fake-member-id

+--------------------------------------+----------------+-----------+
| Image ID | Member ID | Can Share |
+--------------------------------------+----------------+-----------+
| 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde | fake-member-id | |
+--------------------------------------+----------------+-----------+
iccha@iccha-dev:~/devstack$ glance member-list --image 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde

+--------------------------------------+----------------+-----------+
| Image ID | Member ID | Can Share |
+--------------------------------------+----------------+-----------+
| 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde | fake-member-id | |
+--------------------------------------+----------------+-----------+

2. DEMO user (cannot view image admin-admin-private because it's a private image created by admin, cannot view the members of admin-admin-private, but when it does a member-list on fake-member-id it can see image admin-admin-private 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde listed as a shared image, but this image is supposed to be private and not visible to the user!)

iccha@iccha-dev:~/devstack$ source openrc demo demo
iccha@iccha-dev:~/devstack$ glance image-list
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| 6e056225-9563-4a0f-895c-c2cdfe83f679 | cirros-0.3.0-x86_64-uec | ami | ami | 25165824 | active |
| c7fd417b-c88e-465b-b185-f2d331acbe94 | cirros-0.3.0-x86_64-uec-kernel | aki | aki | 4731440 | active |
| b50d67a8-5b50-45ed-9530-743499952e77 | cirros-0.3.0-x86_64-uec-ramdisk | ari | ari | 2254249 | active |
| 5bbd2cf8-c0e7-43a4-b6fc-525c2f007336 | test1 | | | | queued |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
iccha@iccha-dev:~/devstack$ glance --debug member-list --image 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde
curl -i -X GET -H 'X-Auth-Token: 524e0f13f4d94baf8b30bdbf9941109f' -H 'Content-Type: application/json' -H 'User-Agent: python-glanceclient' http://184.106.106.164:9292/v1/images/5c2a93c2-d1b1-4756-8c70-b3d9358f2dde/members

HTTP/1.1 404 Not Found
date: Sun, 03 Feb 2013 20:53:40 GMT
content-length: 120
content-type: text/plain; charset=UTF-8
x-openstack-request-id: req-0e5ee315-310c-403c-9b29-b9d4303f82f4

404 Not Found

The resource could not be found.

 Image with identifier 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde not found

Request returned failure status.
404 Not Found
The resource could not be found.
 Image with identifier 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde not found (HTTP 404)

iccha@iccha-dev:~/devstack$ glance --debug member-list --tenant fake-member-id
curl -i -X GET -H 'X-Auth-Token: e713a64770744794b775bf7bea266edd' -H 'Content-Type: application/json' -H 'User-Agent: python-glanceclient' http://184.106.106.164:9292/v1/shared-images/fake-member-id

HTTP/1.1 200 OK
date: Sun, 03 Feb 2013 20:53:48 GMT
content-length: 93
content-type: application/json; charset=UTF-8
x-openstack-request-id: req-2473dcbe-5586-4430-8662-15664914f2e5

{"shared_images": [{"image_id": "5c2a93c2-d1b1-4756-8c70-b3d9358f2dde", "can_share": false}]}

+--------------------------------------+----------------+-----------+
| Image ID | Member ID | Can Share |
+--------------------------------------+----------------+-----------+
| 5c2a93c2-d1b1-4756-8c70-b3d9358f2dde | fake-member-id | |
+--------------------------------------+----------------+-----------+

Changed in glance:
status: New → Triaged
Brian Waldon (bcwaldon)
Changed in glance:
milestone: none → grizzly-rc1
importance: Undecided → Critical
Changed in glance:
assignee: nobody → Mark Washenberger (markwash)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/23898

Changed in glance:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/23898
Committed: http://github.com/openstack/glance/commit/9385135871ce61da88282fbd7775ca5a170a39af
Submitter: Jenkins
Branch: master

commit 9385135871ce61da88282fbd7775ca5a170a39af
Author: Mark J. Washenberger <email address hidden>
Date: Thu Mar 7 21:03:36 2013 -0800

    Fix visibility on db image_member_find

    Before this change, image_member_find was not paying any attention to
    whether or not the requesting context was authorized to view the image
    memberships. With this change, image membership results are always
    limited to either images owned by the context tenant, or images shared
    with the context tenant.

    Fixes bug 1114821

    Change-Id: I9cabe218429e32c7e2db932ced141e056e10d1c5

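To make the leak in the bug description and the rule in the commit message concrete, here is an added example (not Glance's own code) that models image_member_find before and after the fix with an in-memory table; the Context, Image and Member classes and the sample rows are constructed assumptions.

```python
# Added example, not Glance's own code: a minimal in-memory model of the
# image_member_find visibility bug and of the rule the fix applies. The
# Context/Image/Member classes and the sample rows are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    tenant: str            # requesting tenant (e.g. "admin" or "demo")
    is_admin: bool = False

@dataclass(frozen=True)
class Image:
    image_id: str
    owner: str             # owning tenant; images here are all private

@dataclass(frozen=True)
class Member:
    image_id: str
    member: str            # tenant the image is shared with
    can_share: bool = False

# Constructed data mirroring the report: a private admin-owned image with a
# single membership for "fake-member-id".
IMAGES = {"img-private": Image("img-private", owner="admin")}
MEMBERS = [Member("img-private", "fake-member-id")]

def image_member_find_before(ctx, image_id=None, member=None):
    """Pre-fix behaviour: filters only on the query arguments and ignores
    who is asking, so any tenant can enumerate memberships of any image."""
    return [m for m in MEMBERS
            if (image_id is None or m.image_id == image_id)
            and (member is None or m.member == member)]

def image_member_find_after(ctx, image_id=None, member=None):
    """Post-fix behaviour: a non-admin context only gets memberships of images
    it owns or images shared with it (the rule in the commit message)."""
    rows = image_member_find_before(ctx, image_id, member)
    if ctx.is_admin:
        return rows
    # Images the requesting tenant is itself a member of.
    shared_with_ctx = {m.image_id for m in MEMBERS if m.member == ctx.tenant}
    return [m for m in rows
            if IMAGES[m.image_id].owner == ctx.tenant
            or m.image_id in shared_with_ctx]
```

With the pre-fix function the demo tenant's member-list on fake-member-id returns the private image's membership, as in the report; with the post-fix function it returns nothing, while admin, the owner and fake-member-id itself still see it.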
Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released