Comment 10 for bug 1354512

This is a real problem in my opinion.

One possible cause of confusion is that 'public' means something slightly different in Glance than in Swift.

In Swift a public object is accessible to truly anybody (as long as you can connect to the network the swift endpoint is on). You do not need to supply any credentials whatsoever to access the object.
A simple 'curl http://swift/path' is enough.

In Glance a public image is accessible to other users only (after a successful authentication with valid credentials); it is not accessible by anonymous downloaders.

This bug allows for the following scenario (in multi-tenant mode only):

1) public image (123) is made available by the cloud admin

2) a user creates her own snapshot (456)

3) by looking at the path to her own image (456), and the owner id of (123), the swift URL for the public image can be inferred

4) the image URL for 123 can be made known

5) anybody can access the image anonymously, without any credentials.

So, the admin's intention is for the image to be available to a potentially small set of users with valid accounts, with accesses potentially billed or rate limited in some way, but it is actually not restricted to that set of users.

This is not possible, for example, using the single tenant swift backend or the filesystem backend.

I'm not sure a simple fix is possible, however; this is just how the multi-tenant behaviour works.

In future, this update to the keystone middleware can be used to only allow accesses to these images via the glance api rather than directly to swift.
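
An audit-side illustration of the distinction drawn in the comment above, as an added example that is not part of the original comment and is not Glance or Swift code: it classifies a Swift container read ACL as anonymous, authenticated-only or private, and lists the containers readable without credentials. It assumes Swift's standard ACL syntax (`.r:` referrer elements, `project:user` elements); the function names, record layout and ACL values are constructed for the example.

```python
# Added example: classify Swift X-Container-Read values (all sample data is constructed).

def classify_read_acl(acl):
    """Return 'anonymous', 'authenticated' or 'private' for a container read ACL."""
    elements = [e.strip().lower() for e in (acl or "").split(",") if e.strip()]
    anonymous = False
    authenticated = False
    for element in elements:
        if element == ".rlistings":
            continue  # only allows container listings; grants no object read by itself
        if element.startswith(".r:"):
            host = element[len(".r:"):]
            # A leading '-' is a deny rule. Any allow rule is matched against the
            # Referer header, which the client controls, so no credentials are needed.
            if host and not host.startswith("-"):
                anonymous = True
            continue
        # Remaining elements name accounts (project:user), so a valid token is required.
        authenticated = True
    if anonymous:
        return "anonymous"
    return "authenticated" if authenticated else "private"


def find_anonymous_exposures(images):
    """Return ids of images whose backing container is readable without credentials."""
    return [img["image"] for img in images
            if classify_read_acl(img["read_acl"]) == "anonymous"]


# Constructed records: image id, Glance visibility, read ACL on the Swift container.
SAMPLE_IMAGES = [
    {"image": "123", "glance_public": True, "read_acl": ".r:*,.rlistings"},
    {"image": "456", "glance_public": False, "read_acl": ""},
    {"image": "789", "glance_public": True, "read_acl": "*:*"},
    {"image": "abc", "glance_public": False, "read_acl": "tenant-b:*"},
]

if __name__ == "__main__":
    for img in SAMPLE_IMAGES:
        print(img["image"], img["glance_public"], classify_read_acl(img["read_acl"]))
    print("anonymous:", find_anonymous_exposures(SAMPLE_IMAGES))
```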