Glance registry should not be exposed to users
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Won't Fix | Undecided | Unassigned |
openstack-manuals | Fix Released | Medium | Shaun McCance |
Bug Description
Using glance-registry v1 API from stable/havana
The glance registry will expose the location of the image. If using the swift backend this will expose your swift credentials.
My initial discovery of this was when using a stable/grizzly glance-api. Doing either a glance image-create or glance image-show exposes the location_data information of the image.
It would seem that the data is being protected at the glance-api level and not the registry level. Havana glance-api protects the data; Grizzly glance-api does not.
I have confirmed this by using a standard user's token (with Member role) with curl to do a request against the registry (stable/havana):
curl -H "X-Auth-
% Total % Received % Xferd Average Speed Time Time Time Current
100 761 100 761 0 0 4542 0 --:--:-- --:--:-- --:--:-- 4584
{
"image": {
"checksum": "ad53c72c06a084
"deleted": false,
"id": "f5bf9283-
"location": "swift+http://
{
}
],
"min_disk": 0,
"min_ram": 0,
"name": "raring",
"owner": "XXXXXX",
"size": 236322816,
"status": "active",
}
}
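The following Python example, added here and not taken from the report or from Glance's code, flags and redacts credential-bearing store URIs in a registry-style image response so that such output can be audited or sanitized before it reaches a user. The sample response, its host, account and key, and the {"url", "metadata"} layout of location_data entries are assumptions constructed for the example.

```python
import json

# Constructed sample shaped like the registry response in the report; the
# host, account, key and image names are invented. The {"url", "metadata"}
# layout of location_data entries is an assumption.
SAMPLE = json.dumps({"image": {
    "name": "raring", "status": "active",
    "location": "swift+http://acct%3Auser:s3cret@auth.example.test:5000/v2.0/images/img-1",
    "location_data": [
        {"url": "swift+http://acct%3Auser:s3cret@auth.example.test:5000/v2.0/images/img-1",
         "metadata": {}},
        {"url": "file:///var/lib/glance/images/img-1", "metadata": {}},
    ],
}})


def redact_uri(uri):
    """Return (uri with any userinfo replaced, whether userinfo was present)."""
    scheme, sep, rest = uri.partition("://")
    authority, slash, path = rest.partition("/")
    if not sep or "@" not in authority:
        return uri, False
    host = authority.rsplit("@", 1)[1]
    return f"{scheme}://REDACTED@{host}{slash}{path}", True


def scrub_image(body):
    """Redact credentials in location fields; return (clean doc, findings)."""
    image = dict(json.loads(body)["image"])
    findings = []
    if isinstance(image.get("location"), str):
        image["location"], hit = redact_uri(image["location"])
        if hit:
            findings.append("location")
    if "location_data" in image:
        entries = []
        for i, entry in enumerate(image["location_data"] or []):
            entry = dict(entry)
            entry["url"], hit = redact_uri(entry.get("url", ""))
            if hit:
                findings.append(f"location_data[{i}].url")
            entries.append(entry)
        image["location_data"] = entries
    return {"image": image}, findings


if __name__ == "__main__":
    clean, found = scrub_image(SAMPLE)
    print("credential-bearing fields:", found)
    print(json.dumps(clean, indent=2))
```

A non-empty findings list for a response fetched with an ordinary Member token indicates the endpoint is returning backend credentials to users.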
Changed in openstack-manuals:
importance: Undecided → Medium
tags: added: sec-guide
Changed in openstack-manuals:
assignee: Vaidyanath (vaidyanath-m) → punal patel (punal-patel)
assignee: punal patel (punal-patel) → nobody
Changed in openstack-manuals:
status: In Progress → Triaged
milestone: none → icehouse
Changed in openstack-manuals:
assignee: nobody → Tom Fifield (fifieldt)
Changed in openstack-manuals:
assignee: Tom Fifield (fifieldt) → Shaun McCance (shaunm-gnome)
Changed in glance:
assignee: nobody → Ricardo (openstack-x)
assignee: Ricardo (openstack-x) → nobody
@Mark: can you confirm? Looks a bit like bug 1098962 and bug 1135541