Comment 7 for bug 1308413

Erno Kuvaja (jokke) wrote : Re: TENANT2 can list the image belonging to TENANT1 while using v2 api with registry

Correction to #6:
There is a vulnerability in that behavior.

Summary so far:
The test fails because the tenant ID header is not passed down to the Registry server from api/noauth.
Without the tenant ID, the registry+api combination provides all images from the database.

This is a rare case, as for example Keystone provides the tenant ID from the token it authenticates, but a missing header, corruption of it, someone being able to remove the header from the response, OR any auth module issue causing the header to be missing would grant access to all images on Glance.