OpenStack Image Registry and Delivery Service (Glance)

image_download policy not enforced for cached images

Reported by Stuart McLaren on 2013-10-04
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance
Critical
Stuart McLaren
OpenStack Security Advisory
Undecided
Unassigned

Bug Description

I need to confirm on devstack, but it looks like the image_download policy is ignored when an image is fetched from cache.

summary: - image_download policy not enforced for cached images
+ image_download policy not enforced for cached images in v1

Confirmed in devstack.

To reproduce:

create a policy.json file with:

{
    "context_is_admin": "role:admin",
    "download_image": "role:admin",
    "default": "",
    "manage_image_cache": "role:admin"
}

Verify that a non-admin user cannot download
$ glance image-show 42c834df-3b35-4982-aed6-ffa4a44d3778;glance image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | 398759a311bf25c6f1d67e753bb24dae |
| container_format | bare |
| created_at | 2013-10-04T13:10:35 |
| deleted | False |
| disk_format | raw |
| id | 42c834df-3b35-4982-aed6-ffa4a44d3778 |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | x1 |
| owner | f6e065403d57444aa973fc10c655dedd |
| protected | False |
| size | 106 |
| status | active |
| updated_at | 2013-10-04T13:10:36 |
+------------------+--------------------------------------+

Request returned failure status.
403 Forbidden

download the image as an admin user

$ glance image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
LABEL=cloudimg-rootfs / ext4 defaults 0 0
/dev/vdb /mnt auto defaults,nobootwait,comment=cloudconfig 0 2

the non-admin user can now also download the image

$ glance image-show 42c834df-3b35-4982-aed6-ffa4a44d3778;glance image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | 398759a311bf25c6f1d67e753bb24dae |
| container_format | bare |
| created_at | 2013-10-04T13:10:35 |
| deleted | False |
| disk_format | raw |
| id | 42c834df-3b35-4982-aed6-ffa4a44d3778 |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | x1 |
| owner | f6e065403d57444aa973fc10c655dedd |
| protected | False |
| size | 106 |
| status | active |
| updated_at | 2013-10-04T13:10:36 |
+------------------+--------------------------------------+
LABEL=cloudimg-rootfs / ext4 defaults 0 0
/dev/vdb /mnt auto defaults,nobootwait,comment=cloudconfig 0 2

tags: added: havana-rc-potential
Stuart McLaren (stuart-mclaren) wrote :
Stuart McLaren (stuart-mclaren) wrote :
Stuart McLaren (stuart-mclaren) wrote :

I can push this up to gerrit as a standard code change -- just let me know, thanks!

Stuart McLaren (stuart-mclaren) wrote :

Seems to be in v2 aswell

ubuntu@devstack27:/etc/glance$ glance --os-image-api-version 1 image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
Request returned failure status.
403 Forbidden
Access was denied to this resource.
    (HTTP 403)
ubuntu@devstack27:/etc/glance$ glance --os-image-api-version 2 image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
LABEL=cloudimg-rootfs / ext4 defaults 0 0
/dev/vdb /mnt auto defaults,nobootwait,comment=cloudconfig 0 2

summary: - image_download policy not enforced for cached images in v1
+ image_download policy not enforced for cached images
Jeremy Stanley (fungi) wrote :

This likely needs an advisory, assuming it affects grizzly or earlier. Stuart, can you confirm?

Changed in ossa:
status: New → Incomplete
Stuart McLaren (stuart-mclaren) wrote :

Yes I think it affects grizzly.

Stuart McLaren (stuart-mclaren) wrote :

My patch may have been superceeded somewhat by this change:

https://review.openstack.org/#/c/50016/

Thierry Carrez (ttx) wrote :

@Stuart: looks like we should mark this bug a duplicate from bug 1235378 and solve this publicly, now that the cat is out of the bag ? Does the patch proposed there fully address your concerns ?

Hi Thierry,

Yes, Zhi Yan Liu's patch looks very good.

(Prety much the same as what my patch was doing -- but with new functional tests and also the v2 traceback fix.)

Thierry Carrez (ttx) wrote :

OK, unless someone complains i'll open and mark this one as dupe, move the ossa task to the other bug and comment on the security relevance there.

@Stuart: we'll need a grizzly backport (and a folsom one if folsom is also affected). If you are interested, please propose fix directly to stable/grizzly (and stable/folsom if applicable) referencing the other bug.

I can certainly do a grizzly patch.
I'll see if Zhi Yan Liu would like to do a folsom one.

Changed in glance:
status: New → Triaged
importance: Undecided → Critical
milestone: none → icehouse-1
assignee: nobody → Stuart McLaren (stuart-mclaren)
Thierry Carrez (ttx) on 2013-10-09
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers