Correction to #6:
There is a vulnerability in that behavior.
Summary so far:
The test fails as the tenant ID header is not passed down to the Registry server from api/noauth.
Without the tenant ID, the registry+api combination provides all images from the database.
This is a rare case, as e.g. Keystone provides the tenant ID from the token it authenticates, but a missing header, a corrupted header, someone being able to remove the header from the response, OR any auth module issue causing the header to be missing would grant access to all images on Glance.