can_share option grants write permissions on swift container in multi tenant mode.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Incomplete | Undecided | Unassigned |
Bug Description
In v1, in multi-tenant mode, when a user from a tenant (let's say T1) shares an image with the 'can_share' flag, the user with whom the image is shared is granted write permission on the Swift container of tenant T1.
As a consequence, all users from tenant T2 can write to that container, thus consuming User1's Swift quotas.
Here is how to reproduce:
http://
The important lines here are those where we share an image with another user with the can_share flag:
ubuntu@
The ACL of the Swift container becomes:
Read ACL:
Write ACL: cd563ba051bd434
Note that the users from T2 can write to the container but not read, which makes them unable to use the image that has been shared.
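A defender-side check for the ACL state described in this report, as an added example (not Glance or Swift project code): it takes a container's `X-Container-Read` and `X-Container-Write` header values and flags write grants to any tenant other than the owner, including the write-but-no-read case. The function names and tenant IDs are hypothetical, and each ACL element is assumed to name its tenant before the first colon.

```python
# Added example: flag Swift container ACLs that grant write access to tenants
# other than the container's owner. Tenant IDs below are constructed samples.

def acl_principals(value):
    """Return the set of principals (text before ':') named in one ACL header value."""
    principals = set()
    for element in (value or "").split(","):
        element = element.strip()
        # Referrer elements (.r:..., .rlistings) are not tenant grants; skip them.
        if not element or element.startswith("."):
            continue
        principals.add(element.partition(":")[0])
    return principals


def audit_container(owner_tenant, headers):
    """Return sorted (principal, finding) pairs for non-owner write grants."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    readers = acl_principals(hdrs.get("x-container-read"))
    writers = acl_principals(hdrs.get("x-container-write"))
    findings = []
    for principal in sorted(writers - {owner_tenant}):
        # Write without read matches the state described in the report:
        # the grantee can fill the container but cannot fetch the image.
        kind = "foreign-write" if principal in readers else "write-without-read"
        findings.append((principal, kind))
    return findings


if __name__ == "__main__":
    OWNER = "t1-constructed-tenant-id"
    sample = {  # constructed header values, not taken from the report
        "X-Container-Read": "",
        "X-Container-Write": "t2-constructed-tenant-id:*",
    }
    for principal, kind in audit_container(OWNER, sample):
        print(f"{kind}: {principal} can write to a container owned by {OWNER}")
```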
information type: | Private Security → Public |
Changed in glance: | |
assignee: | nobody → Nassim Babaci (nassim-babaci) |
Changed in glance: | |
status: | New → In Progress |
Changed in glance: | |
status: | In Progress → Incomplete |
assignee: | Nassim Babaci (nassim-babaci) → nobody |
tags: | added: propose-close |
Is this still valid?