image_download policy not enforced for cached images
Bug #1235226 reported by Stuart McLaren
This bug report is a duplicate of:
Bug #1235378: [OSSA 2013-027] 'image_download' role in v2 causes traceback.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Triaged | Critical | Stuart McLaren |
OpenStack Security Advisory | Incomplete | Undecided | Unassigned |
Bug Description
I need to confirm on devstack, but it looks like the image_download policy is ignored when an image is fetched from cache.
summary: image_download policy not enforced for cached images → image_download policy not enforced for cached images in v1
tags: added: havana-rc-potential
Changed in glance:
status: New → Triaged
importance: Undecided → Critical
milestone: none → icehouse-1
assignee: nobody → Stuart McLaren (stuart-mclaren)
information type: Private Security → Public Security
Confirmed in devstack.
To reproduce:
Create a policy.json file with:

{
    "context_is_admin": "role:admin",
    "default": "",
    "download_image": "role:admin",
    "manage_image_cache": "role:admin"
}

Verify that a non-admin user cannot download the image:

$ glance image-show 42c834df-3b35-4982-aed6-ffa4a44d3778;glance image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | 398759a311bf25c6f1d67e753bb24dae     |
| container_format | bare                                 |
| created_at       | 2013-10-04T13:10:35                  |
| deleted          | False                                |
| disk_format      | raw                                  |
| id               | 42c834df-3b35-4982-aed6-ffa4a44d3778 |
| is_public        | False                                |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | x1                                   |
| owner            | f6e065403d57444aa973fc10c655dedd     |
| protected        | False                                |
| size             | 106                                  |
| status           | active                               |
| updated_at       | 2013-10-04T13:10:36                  |
+------------------+--------------------------------------+
Request returned failure status.
403 Forbidden

Download the image as an admin user:

$ glance image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
LABEL=cloudimg-rootfs / ext4 defaults 0 0
/dev/vdb /mnt auto defaults,nobootwait,comment=cloudconfig 0 2

The non-admin user can now also download the image:

$ glance image-show 42c834df-3b35-4982-aed6-ffa4a44d3778;glance image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | 398759a311bf25c6f1d67e753bb24dae     |
| container_format | bare                                 |
| created_at       | 2013-10-04T13:10:35                  |
| deleted          | False                                |
| disk_format      | raw                                  |
| id               | 42c834df-3b35-4982-aed6-ffa4a44d3778 |
| is_public        | False                                |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | x1                                   |
| owner            | f6e065403d57444aa973fc10c655dedd     |
| protected        | False                                |
| size             | 106                                  |
| status           | active                               |
| updated_at       | 2013-10-04T13:10:36                  |
+------------------+--------------------------------------+
LABEL=cloudimg-rootfs / ext4 defaults 0 0
/dev/vdb /mnt auto defaults,nobootwait,comment=cloudconfig 0 2
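The reproduction above comes down to an ordering defect: a cache hit is served before the download_image policy is evaluated, so the first (authorized) download populates the cache and every later caller gets the bytes without a policy check. The following model, added here as an illustration and not taken from Glance's code, replays that sequence against a defective and a corrected download path. PolicyEnforcer, download_cache_first, download_policy_first and run_scenario are hypothetical names; the policy rules mirror the policy.json from the report, and the image content is a constructed sample.

```python
"""Model of the cache/policy ordering defect described in this bug.

Added illustration, not Glance code. PolicyEnforcer is a minimal stand-in
for an oslo.policy-style enforcer that understands only "role:<name>"
rules and the empty rule "" (which always passes).
"""


class Forbidden(Exception):
    """Raised when a policy rule denies the requested action."""


class PolicyEnforcer:
    def __init__(self, rules):
        self.rules = rules

    def enforce(self, action, roles):
        # Unknown actions fall back to the "default" rule, as in policy.json.
        rule = self.rules.get(action, self.rules.get("default", ""))
        if rule == "":
            return
        kind, _, value = rule.partition(":")
        if kind == "role" and value in roles:
            return
        raise Forbidden(action)


# Constructed policy matching the policy.json used in the reproduction.
POLICY = {
    "context_is_admin": "role:admin",
    "default": "",
    "download_image": "role:admin",
    "manage_image_cache": "role:admin",
}

IMAGE_ID = "42c834df-3b35-4982-aed6-ffa4a44d3778"


def download_cache_first(enforcer, cache, backend, image_id, roles):
    """Defective ordering: a cache hit returns before the policy check runs."""
    if image_id in cache:
        return cache[image_id]
    enforcer.enforce("download_image", roles)
    data = backend[image_id]
    cache[image_id] = data
    return data


def download_policy_first(enforcer, cache, backend, image_id, roles):
    """Corrected ordering: the policy is enforced on every download,
    whether or not the image is already cached."""
    enforcer.enforce("download_image", roles)
    if image_id in cache:
        return cache[image_id]
    data = backend[image_id]
    cache[image_id] = data
    return data


def run_scenario(download):
    """Replay the report: non-admin download, admin download (which fills the
    cache), then the non-admin download again. Returns a tuple of
    "ok" / "denied" outcomes, one per attempt."""
    enforcer = PolicyEnforcer(POLICY)
    cache = {}
    # Constructed image content standing in for the 106-byte fstab in the report.
    backend = {IMAGE_ID: b"LABEL=cloudimg-rootfs / ext4 defaults 0 0\n"}
    outcomes = []
    for roles in (["member"], ["admin"], ["member"]):
        try:
            download(enforcer, cache, backend, IMAGE_ID, roles)
            outcomes.append("ok")
        except Forbidden:
            outcomes.append("denied")
    return tuple(outcomes)


if __name__ == "__main__":
    print("cache-first :", run_scenario(download_cache_first))
    print("policy-first:", run_scenario(download_policy_first))
```

With the cache-first path the third attempt succeeds, which is exactly the behaviour the report shows; with the policy-first path the third attempt is denied. The general point is that any short-circuit in front of an authorization check (cache, ETag match, range re-request) must sit behind that check, not in front of it.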