[Glance] Enabled 'show_image_direct_url' by default in glance-api.conf
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Fix Released | High | Ivan Berezovskiy | |
| 5.0.x | Won't Fix | High | MOS Maintenance | |
| 5.1.x | Won't Fix | High | Vitaly Sedelnik | |
| 6.0.x | Won't Fix | High | Vitaly Sedelnik | |
| 6.1.x | Fix Released | High | Sergii Rizvan | |
| 7.0.x | Fix Released | High | Ivan Berezovskiy | |
| 8.0.x | Fix Released | High | Ivan Berezovskiy | |
Bug Description
This commit https:/
This is a potential vulnerability; for example, consider the scenario:
We are using Swift storage. Create an image with the new glance client (1.1.0) and receive the message:
+------
| Property | Value |
+------
| checksum | 10d838409df43a1
| container_format | bare |
| created_at | 2015-08-
| direct_url | swift+http://
| | f2-444b-
| disk_format | qcow2 |
| id | 049cd701-
| min_disk | 0 |
| min_ram | 0 |
| name | ubuntu14(dont use it) |
| owner | 8ba1c622b05e48d
| protected | False |
| size | 1725956096 |
| status | active |
| tags | [] |
| updated_at | 2015-08-
| visibility | public |
+------
At this step we have the glance user's credentials. After this we can escalate any user to admin privileges using the glance credentials via the keystone client.
UPDATE:
If we use Ceph, we can get access to all images without authentication.
+------
| Property | Value |
+------
| checksum | ee1eca47dc88f48
| container_format | bare |
| created_at | 2015-09-
| direct_url | rbd://c7655bce- |
| | 92e2-4f40-
| disk_format | qcow2 |
| id | e825e2e5-
| min_disk | 0 |
| min_ram | 64 |
| name | TestVM |
| owner | dd48ec3a126441c
| protected | False |
| size | 13287936 |
| status | active |
| tags | [] |
| updated_at | 2015-09-
| virtual_size | None |
| visibility | public |
+------
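The following is an added example, not code from this bug report, from Glance or from Mirantis OpenStack. It shows the two halves of the problem above in a form that can be run against a glance-api.conf and a set of image records: which [DEFAULT] options hand backend locations to image readers (show_image_direct_url and show_multiple_locations, both False upstream), a rewrite that forces them off, and a classifier that says what a visible direct_url gives away: Swift store URLs embed the glance user's credentials in their authority, while rbd:// URLs reveal the Ceph object the UPDATE refers to. The config snippets, image IDs, hostnames and the "secret-key" value are constructed placeholders.

```python
"""Audit helpers for the show_image_direct_url exposure described in this bug.

Added example: not code from the bug report, Glance or Mirantis OpenStack.
The config snippets, image records, hostnames and the 'secret-key' value
below are constructed placeholders.
"""
import configparser
import io
from urllib.parse import urlsplit

# glance-api.conf [DEFAULT] options that make the API return backend
# locations to every user who can read the image. Upstream ships both False.
LOCATION_OPTIONS = ("show_image_direct_url", "show_multiple_locations")

# Constructed sample configs: the shipped setting the report complains about,
# and the corrected one.
WEAK_CONF = """
[DEFAULT]
show_image_direct_url = True
"""

HARDENED_CONF = """
[DEFAULT]
show_image_direct_url = False
show_multiple_locations = False
"""


def location_exposure(conf_text):
    """Map each location-exposing option to its effective boolean value.

    An option that is absent counts as False, the upstream default.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {opt: cp.getboolean("DEFAULT", opt, fallback=False)
            for opt in LOCATION_OPTIONS}


def harden(conf_text):
    """Return conf_text with both location-exposing options forced to False.

    configparser drops comments on rewrite, so run this on a copy and diff it
    against the original before deploying.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for opt in LOCATION_OPTIONS:
        cp["DEFAULT"][opt] = "False"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def classify_direct_url(direct_url):
    """Say what a visible direct_url hands to whoever can read the image.

    'credentials'      - user:key in the URL authority, the shape of the Swift
                         store's swift+http(s)://user:key@host/... locations;
                         per the report these are the glance user's credentials.
    'backend-location' - no secret in the URL, but it still names the backend
                         object (rbd://fsid/pool/image/snap, file:///...),
                         which is what the Ceph case in the UPDATE relies on.
    'hidden'           - no direct_url at all, i.e. the option is off.
    """
    if not direct_url:
        return "hidden"
    parts = urlsplit(direct_url)
    if parts.username or parts.password:
        return "credentials"
    return "backend-location"


def audit_images(images):
    """Return (image_id, visibility, classification) for every image whose
    direct_url is visible. images: dicts shaped like glance v2 image-show."""
    findings = []
    for img in images:
        kind = classify_direct_url(img.get("direct_url"))
        if kind != "hidden":
            findings.append((img["id"], img.get("visibility", "private"), kind))
    return findings


# Constructed image records mirroring the two cases in the report.
SAMPLE_IMAGES = [
    {"id": "11111111-2222-4333-8444-555555555555", "visibility": "public",
     "direct_url": "swift+http://glance:secret-key@swift.example.test:8080"
                   "/v1/AUTH_glance/glance/11111111-2222-4333-8444-555555555555"},
    {"id": "66666666-7777-4888-8999-aaaaaaaaaaaa", "visibility": "public",
     "direct_url": "rbd://bbbbbbbb-cccc-4ddd-8eee-ffffffffffff/images/"
                   "66666666-7777-4888-8999-aaaaaaaaaaaa/snap"},
    {"id": "01234567-89ab-4cde-8f01-23456789abcd", "visibility": "private"},
]


if __name__ == "__main__":
    print("weak config:", location_exposure(WEAK_CONF))
    print("hardened config:", location_exposure(harden(WEAK_CONF)))
    for image_id, visibility, kind in audit_images(SAMPLE_IMAGES):
        print(f"{image_id} ({visibility}): direct_url exposes {kind}")
```

Run it as a script to see the weak and hardened readings side by side; to check a real deployment, feed location_exposure() the contents of /etc/glance/glance-api.conf and audit_images() the JSON from `glance --os-image-api-version 2 image-list` plus image-show, remembering that a public image with a 'credentials' finding is readable by every authenticated tenant.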
Changed in mos: | |
status: | New → Confirmed |
description: | updated |
description: | updated |
no longer affects: | mos/6.0.1-updates |
summary: |
- Enabled 'show_image_direct_url' by default in glance-api.conf + [Glance] Enabled 'show_image_direct_url' by default in glance-api.conf |
information type: | Private Security → Public Security |
tags: | added: on-automation |
tags: | added: on-verification |
tags: | added: covered-automated-test |
Thanks Alexey!
In upstream this parameter was always set to False (https://review.openstack.org/#/c/11040/) and I don't know why it was required to hardcode it to True.
It affects all Mirantis versions since the 5.1 release. Prior to python-glanceclient 1.0.0 the user had to use the v2 API (with the option --os-image-api-version 2) to see the direct URL, but in all the latest versions v2 has become the default.