glance-manage db purge breaks image immutability promise
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Fix Released | Critical | Unassigned |
OpenStack Security Advisory | Opinion | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | High | Travis McPeak |
Bug Description
Using the glance-manage db purge command opens the possibility of recycling image IDs.
When the row is deleted from the database the ID is no longer known to Glance and thus it is not unique during the deployment lifecycle. This opens the possibility of the following scenario:
1) End user boots VM from private/
2) Image owner deletes the image.
3) glance-manage db purge gets run, which deletes the record that the image ever existed.
4) Either malicious user or someone unintentionally creates new image with same ID (being same user so having access to the image by owning it or it becoming public/
5) The same end user boots either a snapshot from the original image, or Nova needs to migrate the VM to another host. Now the user's VM will be rebuilt on top of the new image. In the worst case scenario the user had no idea that the image data changed in between.
This behavior breaks the Glance image immutability promise, which has been stated as: the data related to an image ID that has gone active will never change.
We have two solutions for this. Either we introduce a table to track the deleted image IDs and get Glance to cross-check it during image create, or we leave it as is but issue a notice/
This was partially discussed in the virtual glance midcycle meetup so it might not be justified to leave this as private but I wanted to leave that decision to VMT.
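The first of the two options above (a table of purged IDs that image create cross-checks), as an added example that is not part of this bug report or of Glance's code: a constructed sqlite3 model with a soft-delete flag, a purge that hard-deletes rows, and a tombstone table; the table name `purged_image_ids`, the helper names and the sample image ID are all assumptions.

```python
import sqlite3
import uuid

def open_db():
    """Simplified image store: constructed model, not Glance's real schema."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE images (id TEXT PRIMARY KEY, owner TEXT, deleted INTEGER NOT NULL DEFAULT 0);"
        "CREATE TABLE purged_image_ids (id TEXT PRIMARY KEY);"
    )
    return db

def create_image(db, owner, image_id=None):
    """Register an image; refuse an ID that was ever purged (the proposed cross-check)."""
    image_id = image_id or str(uuid.uuid4())
    if db.execute("SELECT 1 FROM purged_image_ids WHERE id = ?", (image_id,)).fetchone():
        raise ValueError(f"image id {image_id} was purged earlier; refusing to recycle it")
    # The PRIMARY KEY still rejects an ID that is live or only soft-deleted.
    db.execute("INSERT INTO images (id, owner) VALUES (?, ?)", (image_id, owner))
    db.commit()
    return image_id

def delete_image(db, image_id):
    """Glance-style soft delete: the row stays, so the ID stays reserved."""
    db.execute("UPDATE images SET deleted = 1 WHERE id = ?", (image_id,))
    db.commit()

def purge(db, track_purged_ids=True):
    """Hard-delete soft-deleted rows, as `glance-manage db purge` does.
    With track_purged_ids=False the IDs vanish with the rows and can be
    recycled (the reported bug); with True they are recorded first, in the
    same transaction, so create_image() can cross-check them."""
    with db:  # commits on success, rolls back if either statement fails
        if track_purged_ids:
            db.execute("INSERT OR IGNORE INTO purged_image_ids (id) "
                       "SELECT id FROM images WHERE deleted = 1")
        db.execute("DELETE FROM images WHERE deleted = 1")

def id_recyclable_after_purge(track_purged_ids):
    """Replay the reported scenario; True means the purged ID could be reused."""
    db = open_db()
    image_id = create_image(db, "alice", "11111111-1111-1111-1111-111111111111")  # constructed ID
    delete_image(db, image_id)
    purge(db, track_purged_ids=track_purged_ids)
    try:
        create_image(db, "mallory", image_id)  # a different user re-creates the ID
    except ValueError:
        return False
    return True
```

Running `id_recyclable_after_purge(False)` reproduces the recycling the report describes, while `id_recyclable_after_purge(True)` shows the tombstone check closing it.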
Changed in ossa:
status: Incomplete → Opinion
Changed in ossn:
assignee: nobody → Travis McPeak (travis-mcpeak)
Changed in ossn:
status: New → Confirmed
importance: Undecided → High
description: updated
I added Brian as we discussed this yesterday and he is part of glance-coresec but did not have access to the bug.