Comment 0 for bug 1498163

About a year ago it was a vulnerability called 'Glance user storage quota bypass': https://security.openstack.org/ossa/OSSA-2015-003.html, where any user could overcome the quota and clog up the storage.
The fix was proposed in master and all other stable branches, but it turned out, that it doesn't completely remove the issue and any user still can exceed the quota.

It happens in case if user token is expired during file upload and when glance tries to update image status from 'saving' to 'active'. Then glance gets Unauthenticated exception from registry server and fails with 500 error. On the other side garbage file is left in storage.

Steps to reproduce mostly coincide with the related from the previous bug, but in general it is:
1. Set some value (like 1Gb) to user_storage_quota in glance-api.conf and restart the server.
2. Make sure that your token will expire soon, when you'll be able to create an image instance in DB and begin the upload, but the token will expire during it.
3. Create an image, begin the upload and quickly remove the image with 'glance image-delete'.
4. After the upload check that image is not in the list, i.e. it's deleted, and file is still located in the store.
5. Perform steps 2-4 several times to make sure that user quota is exceeded.

Related script (test_images.py from here https://bugs.launchpad.net/glance/+bug/1398830) works fine, too, but it's better to reduce token life time in keystone config to 1 or 2 minutes, just for not to wait for one hour.

Glance api v2 is affected as well, but only if registry db_api is enabled.