Comment 2 for bug 1545702

Revision history for this message
Dan Smith (danms) wrote : Re: Images v2 api metadef vulnerability

I can confirm this locally in 2021 with a script to just create resources in a tight loop:

$ glance md-namespace-list | wc -l
$ glance md-namespace-resource-type-list bar1 | wc -l

(and still going)

I don't see any knobs to limit this, nor anywhere in the code that we attempt to cap the number of these objects we allow to be created. AFAICT, the policy for these are all open to regular users by default, which is not good.

I don't have permissions to set the importance of this bug, but despite the fact that this is five years old at this point, I'd rate this as non-trivial in terms of priority.