can_share option grants write permissions on swift container in multi tenant mode.
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Glance |
Incomplete
|
Undecided
|
Unassigned | ||
Bug Description
In v1, in multi tenant mode, when a user from a tenant (let say T1) share an image with the 'can_share' flag, then the user with who the image is shared is granted write permission on the swift container of tenant T1.
As a consequence all user from the tenant T2 can write to that container and thus consuming User1 swift quotas.
here how to reproduce:
http://
Important lines here are, when we share an image with other user with can_share flag
ubuntu@
The ACL of the swift container become:
Read ACL:
Write ACL: cd563ba051bd434
Note that the users from T2 can write to the container but not read, which make him unable to use the image that have been shared.
| information type: | Private Security → Public |
| Changed in glance: | |
| assignee: | nobody → Nassim Babaci (nassim-babaci) |
| Changed in glance: | |
| status: | New → In Progress |
| Nikhil Komawar (nikhil-komawar) wrote | #1 |
| Changed in glance: | |
| status: | In Progress → Incomplete |
| assignee: | Nassim Babaci (nassim-babaci) → nobody |
| tags: | added: propose-close |
| OpenStack Infra (hudson-openstack) wrote Change abandoned on glance (master) | #2 |
Is this still valid?