Comment 11 for bug 1308413

Stuart McLaren (stuart-mclaren) wrote : Re: TENANT2 can list the image belonging to TENANT1 while using v2 api with registry

My 2 cents...

The bug/security issue as described is not reproducible.

My current understanding, based on Erno's update, is that the v2 registry doesn't 'fail securely' in the sense that if no X-Tenant-Id header is present by the time we get to the v2 registry in the pipeline then all images are returned.

We should verify this related behaviour on devstack by removing keystone auth from the registry pipeline and making a request directly to the v2 registry with no X-Tenant-Id header.

If it reproduces we should enter a new, non-security bug. (Non-security as there is no exploit when using keystone.)

I think the fix is to have the v2 registry return an empty list in the absence of an X-Tenant-Id header rather than all images.
We should look at the v1 registry to see how it behaves in the absence of an X-Tenant-Id header.

I'm not sure making the registry client send headers is what we want -- any user could potentially fake those headers with a curl command direct to the registry.
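The fail-open versus fail-closed behaviour discussed in this comment, as an added illustration that is not Glance's own registry code: a toy image listing with a constructed catalogue, one variant that returns every image when no X-Tenant-Id header reaches it (the behaviour the comment describes) and one that returns an empty list instead (the proposed fix). The function and header-parsing names are assumptions made for the example.

```python
from typing import Dict, List, Optional

# Constructed sample catalogue standing in for the registry's image table.
IMAGES: List[Dict[str, str]] = [
    {"id": "img-a", "owner": "TENANT1", "visibility": "private"},
    {"id": "img-b", "owner": "TENANT2", "visibility": "private"},
    {"id": "img-c", "owner": "TENANT1", "visibility": "public"},
]


def tenant_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Return the X-Tenant-Id value, or None if the header is absent/empty.

    HTTP header names are case-insensitive, so compare in lower case.
    """
    for name, value in headers.items():
        if name.lower() == "x-tenant-id" and value:
            return value
    return None


def _visible_to(tenant: str) -> List[Dict[str, str]]:
    # A tenant sees its own images plus anything marked public.
    return [img for img in IMAGES
            if img["owner"] == tenant or img["visibility"] == "public"]


def list_images_fail_open(headers: Dict[str, str]) -> List[Dict[str, str]]:
    """Hypothetical fail-open listing: no tenant means no filter at all."""
    tenant = tenant_from_headers(headers)
    if tenant is None:
        return list(IMAGES)          # every tenant's images leak out
    return _visible_to(tenant)


def list_images_fail_closed(headers: Dict[str, str]) -> List[Dict[str, str]]:
    """Fail-closed listing: a missing tenant identity yields nothing."""
    tenant = tenant_from_headers(headers)
    if tenant is None:
        return []                    # the fix proposed in the comment
    return _visible_to(tenant)


def leaks_without_tenant(listing) -> bool:
    """Unit-test style check for the devstack experiment described above:
    does a request with no X-Tenant-Id header return images owned by
    anyone? True means the listing fails open."""
    return any(img["visibility"] == "private" for img in listing({}))


if __name__ == "__main__":
    print("fail-open leaks private images:", leaks_without_tenant(list_images_fail_open))
    print("fail-closed leaks private images:", leaks_without_tenant(list_images_fail_closed))
```

The `leaks_without_tenant` check is the kind of assertion a unit test could carry so the registry cannot silently regress to returning everything when the auth middleware is absent from the pipeline.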