glance v2 api: standard user can create public metadefs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | New | Undecided | Unassigned | |
| OpenStack Security Advisory | Opinion | Undecided | Unassigned | |
Bug Description
User 1 can create a new namespace with visibility 'public':
$ cat /tmp/ns.json
{"namespace": "NS1001", "visibility": "public"}
$ curl -X POST http://
The new namespace shows up in other users' namespace listing:
$ glance md-namespace-list
+-----
| namespace |
+-----
| NS1001 |
| OS::Compute:
| OS::Compute::VMware |
| OS::Compute:
| OS::Compute:
| OS::Compute:
| OS::Compute:
| OS::Compute:
This allows a regular user to spam all other users' namespace listing.
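Two defender-side checks for the behaviour described above, added here as an illustration (this is not code from the bug report or from Glance): an audit that flags public namespaces in a v2 `GET /v2/metadefs/namespaces` listing whose owner is not a trusted project, and the server-side authorization a hardened create handler would apply so only an admin can make a namespace public. It assumes the listing's `namespace`, `visibility` and `owner` fields and a hypothetical set of trusted owner project ids; the sample listing is constructed.

```python
import json

# Constructed sample, shaped like a Glance v2 metadef namespace listing
# (assumption: items carry 'namespace', 'visibility' and 'owner').
SAMPLE_LISTING = json.dumps({"namespaces": [
    {"namespace": "NS1001", "visibility": "public", "owner": "tenant-user1"},
    {"namespace": "OS::Compute::VMware", "visibility": "public", "owner": "admin-project"},
    {"namespace": "NS1002", "visibility": "private", "owner": "tenant-user1"},
]})

VALID_VISIBILITY = ("public", "private")


def public_namespaces_from_untrusted_owners(listing_json, trusted_owners):
    """Audit: names of public namespaces not owned by a trusted project.

    trusted_owners is a hypothetical set of project ids (e.g. the admin
    project that loads the shipped OS::* namespaces). Anything public and
    owned by someone else is what a regular user could have injected.
    """
    listing = json.loads(listing_json)
    return sorted(
        ns["namespace"]
        for ns in listing.get("namespaces", [])
        if ns.get("visibility") == "public"
        and ns.get("owner") not in trusted_owners
    )


def authorize_namespace_create(body, caller_is_admin):
    """Server-side check a hardened create handler would run.

    Returns (allowed, reason). Visibility defaults to private; a request
    for 'public' is refused unless the caller is an admin, so a standard
    user cannot push a namespace into every other user's listing.
    """
    visibility = body.get("visibility", "private")
    if visibility not in VALID_VISIBILITY:
        return False, "invalid visibility %r" % (visibility,)
    if visibility == "public" and not caller_is_admin:
        return False, "only an admin may create a public namespace"
    return True, "ok"
```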
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.