Comment 0 for bug 1354512

Feodor Tersin (ftersin) wrote :

When Glance uses Swift as backend, and Swift uses delay_auth_decision feature (for temporary urls, for example), anyone can download public images anonymously from Swift by direct url.

Steps to reproduce:
1 Set
    delay_auth_decision = 1
in Swift's proxy-server.conf.
Set
    default_store = swift
    swift_store_multi_tenant = True
    swift_store_create_container_on_put = True
in Glance's glance-api.conf.

2 Create a public image.
    glance image-create --name fake_image --file <some_text_file_name>
You may use a text file to reproduce the error for descriptive reasons.
Use the got image id at the next step.

3 Download created image by curl.
    curl <swift_endpoint>/glance_<image_id>/<image_id>
See your file in the output.
If swift_store_container in your glance-api.conf is not 'glance', use appropriate prefix in the command above.

Glance set read ACL to '.r:*,.rlistings' for all public images. Thus since anyone has access into Swift (by delay_auth_decision parameter), anyone can download a public image.