Users (without admin privileges) can change ACTIVE_IMMUTABLE properties of their own images when deactivated.
Bug #1517060 reported by Alexey Galkin
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Fix Released | High | Niall Bunting |
Kilo | Fix Released | High | Niall Bunting |
Liberty | Fix Committed | High | Niall Bunting |
Bug Description
Steps to reproduce:
1. Create a new image with 'active' status.
2. Deactivate this image as admin (the image should have a 'deactivated' status).
3. Use this curl request:
curl -X PUT http://
4. Verify that the created image has a '1234567' size.
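
An added illustration, not part of the original report and not Glance source code: a simplified Python model of a property lock keyed on image status, showing how a gate that covers only 'active' leaves 'size' writable by a non-admin once the image is deactivated. The function names, the two gate sets, the admin exemption and the 'checksum' entry are assumptions; the image data is constructed.

```python
"""Simplified model of a status-gated immutability check (not Glance source)."""

# Assumed contents: the report only confirms that 'size' is covered.
ACTIVE_IMMUTABLE = ("size", "checksum")


class Forbidden(Exception):
    """Raised when a non-admin tries to change a locked property."""


def update_image(image, changes, is_admin, locked_statuses):
    """Apply `changes` to `image`, refusing edits to locked properties."""
    if not is_admin and image["status"] in locked_statuses:
        for key in ACTIVE_IMMUTABLE:
            # Re-sending the current value is not a change and is allowed.
            if key in changes and changes[key] != image.get(key):
                raise Forbidden(f"{key} is read-only while {image['status']}")
    updated = dict(image)
    updated.update(changes)
    return updated


# Gate matching the reported behaviour: only 'active' locks the properties.
REPORTED_GATE = frozenset({"active"})
# Gate that also covers the deactivated state.
HARDENED_GATE = frozenset({"active", "deactivated"})


def writable_when(locked_statuses, statuses=("active", "deactivated")):
    """Return the statuses in which a non-admin can still change 'size'."""
    leaks = []
    for status in statuses:
        # Constructed sample image record.
        image = {"id": "img-1", "status": status, "size": 1024, "checksum": "abc"}
        try:
            result = update_image(image, {"size": 1234567}, False, locked_statuses)
        except Forbidden:
            continue
        if result["size"] == 1234567:
            leaks.append(status)
    return leaks


if __name__ == "__main__":
    print("reported gate leaks in:", writable_when(REPORTED_GATE))
    print("hardened gate leaks in:", writable_when(HARDENED_GATE))
```

Running the same status matrix as a regression test catches any later state that is added without being included in the lock.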
Changed in glance: | |
status: | New → Confirmed |
Changed in glance: | |
status: | Invalid → Confirmed |
tags: | added: liberty-backport-potential |
tags: | removed: liberty-backport-potential |
summary: |
- User (without admin privileges) can change size your own image with - 'deactivated' status. + User (without admin privileges) can change ACTIVE_IMMUTABLE properties + of image when deactivated. |
summary: |
- User (without admin privileges) can change ACTIVE_IMMUTABLE properties - of image when deactivated. + Users (without admin privileges) can change ACTIVE_IMMUTABLE properties + of their own images when deactivated. |
Changed in glance: | |
status: | Fix Committed → Fix Released |
I think it is not related to the 'deactivated' status.
Whether 'active' or 'deactivated', users can change the image's size through the v1 API.
So maybe the problem is that size can be updated via the v1 API.
We should reach an agreement on whether we should support it.
In v1, I see that an image can be created with size input (only location and copy_from), but size can be changed with every image.