Comment 5 for bug 1555590

Stuart McLaren (stuart-mclaren) wrote :

The multi-tenant swift store traditionally works by reusing the original user token.

In multi-tenant mode the image data is stored as a Swift object in the user's own Swift account. You need a valid user token to access the data.

The flow is:

A request containing an 'X-Auth-Token: token123' hits the Glance server. The server performs token validation using the keystone middleware. If some metadata is needed to perform the operation, the token is passed on to a request to the Glance registry. Again, the registry will use the keystone middleware to validate the token.

The above is common for both ways of accessing the swift store (single tenant and multi tenant).

In the case of the multi-tenant store the 'location' for the image is now read from the glance database.

This might look like:

 swift+http://192.168.1.103:8080/v1/AUTH_1a93b08616534cfa88af4ecaf5dbb35d/glance_a785957a-1340-498c-9427-3a549fc06842/a785957a-1340-498c-9427-3a549fc06842

The location tells Glance the URL where the data lives. When the location has been set by Glance's code (rather than specified by the user), the URL will point to the user's Swift in the local region. A token is required to access the user's Swift account, so the initial token is reused once more. Otherwise Swift would return a 401 when the request to access the data arrived.

This works fine when the location is safely generated by Glance. But when a user can manually specify any string for the location they can potentially do bad things.

Note: If swift is running with https the operator can configure Glance to do a full cert check with the swift server. That would prevent a bogus https location being used. I don't think that saves us here though. You can set swift+http rather than swift+https, so the cert options are probably just ignored.
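
Added example, not part of the original comment and not Glance's own code: one way to gate the token reuse described above, forwarding the user's token only when a `swift+http(s)` location points at an operator-trusted Swift endpoint. The names `TRUSTED_SWIFT_ENDPOINTS`, `parse_swift_location`, `may_forward_token` and the host `swift.example.internal` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed value: the (transport, host, port) of the operator's own Swift.
TRUSTED_SWIFT_ENDPOINTS = {("https", "swift.example.internal", 443)}


def parse_swift_location(location):
    """Parse swift+http(s)://host[:port]/v1/<account>/<container>/<object>.

    Returns (transport, host, port, account); raises ValueError otherwise.
    """
    parts = urlsplit(location)
    prefix, _, transport = parts.scheme.partition("+")
    if prefix != "swift" or transport not in DEFAULT_PORTS:
        raise ValueError("not a swift+http(s) location")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("unexpected credentials, query or fragment")
    if not parts.hostname:
        raise ValueError("missing host")
    segments = parts.path.split("/")  # ['', 'v1', account, container, object]
    if len(segments) != 5 or segments[1] != "v1" or not all(segments[2:]):
        raise ValueError("path is not /v1/<account>/<container>/<object>")
    if any(s in (".", "..") for s in segments):
        raise ValueError("dot segments are not allowed")
    # .port raises ValueError on a malformed or out-of-range port
    port = parts.port if parts.port is not None else DEFAULT_PORTS[transport]
    return transport, parts.hostname, port, segments[2]


def may_forward_token(location, expected_account=None,
                      trusted=TRUSTED_SWIFT_ENDPOINTS):
    """True only if the user's token may accompany a request to `location`."""
    try:
        transport, host, port, account = parse_swift_location(location)
    except ValueError:
        return False
    if (transport, host, port) not in trusted:
        return False  # foreign host, or swift+http where only https is trusted
    # Hypothetical extra check: account must be the requesting tenant's own.
    return expected_account is None or account == expected_account
```

Because the transport is part of the trusted tuple, a `swift+http` location for a host that is only trusted over https is rejected, which covers the downgrade mentioned in the note above.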