Expose_image_locations set to True by default has security implications.

Bug #1699565 reported by Jorge Niedbalski
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Glance Charm
Fix Released
Medium
Edward Hope-Morley

Bug Description

[Environment]

Charms 17.02
Xenial 16.04

[Description]

The charm exposes the config option 'expose-image-locations', which by default
is set to true.

This was implemented as part of LP: #1531813 and allows ceph copy-on-write
cloning when the RBD backend is in use.

However, there are some security implications that needs to be reviewed, in fact,
the upstream documentation doesn't recommends to enable it by default
because of the security implications [0]

# * Revealing image locations can present a GRAVE SECURITY RISK as
# image locations can sometimes include credentials. Hence, this
# is set to ``False`` by default. Set this to ``True`` with
# EXTREME CAUTION and ONLY IF you know what you are doing!"

# * If an operator wishes to avoid showing any image location(s)
# to the user, then both this option and
# ``show_image_direct_url`` MUST be set to ``False``.

The possible solutions for this issue are:

1) Set it to False by default (which will disable COW by default as well).
2) Keep it enabled by default, but limiting the image location ops
to the admin role, by using the policy [1]

    "delete_image_location": "",
    "get_image_location": "",
    "set_image_location": "",

[0] https://docs.openstack.org/ocata/config-reference/image/glance-api.conf.html
[1] http://git.openstack.org/cgit/openstack/glance/tree/etc/policy.json

Related branches

Revision history for this message
Edward Hope-Morley (hopem) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/476627

Changed in charm-glance:
status: New → In Progress
assignee: nobody → Jorge Niedbalski (niedbalski)
milestone: none → 17.08
importance: Undecided → Medium
James Page (james-page)
Changed in charm-glance:
milestone: 17.08 → 17.11
James Page (james-page)
Changed in charm-glance:
milestone: 17.11 → 18.02
Revision history for this message
Edward Hope-Morley (hopem) wrote :

picking up this bug since jorge has handed over to me

Changed in charm-glance:
assignee: Jorge Niedbalski (niedbalski) → Edward Hope-Morley (hopem)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-glance (master)

Reviewed: https://review.openstack.org/476627
Committed: https://git.openstack.org/cgit/openstack/charm-glance/commit/?id=b95ad9c0230ca58281449465ce783374b84e2095
Submitter: Zuul
Branch: master

commit b95ad9c0230ca58281449465ce783374b84e2095
Author: Jorge Niedbalski <email address hidden>
Date: Thu Jun 22 12:52:57 2017 -0400

    Restrict get_image_location policy to role:admin

    This patch will cause /etc/glance/policy.json to
    be updated so that *_image_location rules are
    set to role:admin so that only admins can see
    that info. On first update the original values are
    stored on the local kvstore in case they need to
    be retrieved for later restoring or comparison.

    Closes-Bug: #1699565
    Change-Id: Id6198d534af95013af47c0c1292ac65c79470af4

Changed in charm-glance:
status: In Progress → Fix Committed
Ryan Beisner (1chb1n)
Changed in charm-glance:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.