default paste_deploy.flavor is none, but config file text implies it is 'keystone' (was: non-admin users can see all tenants' images even when image is private)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Fix Released | Medium | Michael Moore |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
[root@vm013 glance]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@vm013 glance]# rpm -qa |grep glance |sort
openstack-
openstack-
python2-
python2-
python-
python-
[root@vm013 glance]# md5sum /etc/glance/
a4f29d0f75bbc04
I am running only Glance v2 API.
In this demo, as an un-privileged user, I will list all glance images, from all tenants, and they are all marked 'private'.
(as admin):
[root@vm013 ~]# openstack role assignment list --effective --names |grep jonathan
| user | jonathan@Default | | ozoneaq@ndc | | False |
(as jonathan):
[root@vm013 ~]# . keystonerc_jonathan
[root@vm013 ~]# printenv |grep OS_ |sort
OS_AUTH_URL=https:/
OS_CACERT=
OS_IDENTITY_
OS_PASSWORD=
OS_PROJECT_
OS_PROJECT_
OS_USER_
OS_USERNAME=
OS_VOLUME_
[root@vm013 ~]# openstack image list
+------
| ID | Name | Status |
+------
| 0099a343-
| 53d7c007-
| 482f52ca-
| 212aaf3c-
| 051d2fff-
| ac6baa7c-
| 2264c6b9-
| 6d865748-
| 26ba1766-
| 3fc3c155-
| b6d161ca-
| 8bdc33be-
| 34a915b8-
| 84102d5c-
| cedf9ae7-
| be4dbd67-
| be67cf99-
| a8dfd028-
| b6d9d44d-
| 1c401eea-
+------
[root@vm013 ~]# openstack image show cirros
+------
| Field | Value |
+------
| checksum | 443b7623e27ecf0
| container_format | bare |
| created_at | 2018-09-
| disk_format | raw |
| file | /v2/images/
| id | 34a915b8-
| min_disk | 0 |
| min_ram | 0 |
| name | cirros |
| owner | 6e6d8ff081014c6
| properties | direct_
| protected | False |
| schema | /v2/schemas/image |
| size | 12716032 |
| status | active |
| tags | |
| updated_at | 2018-09-
| virtual_size | None |
| visibility | private |
+------
So you can see that my un-privileged user jonathan (role:user) just displayed the private image 'cirros' from tenant 6e6d8ff081014c6
(as admin):
[root@vm013 ~]# openstack project list |grep 6e6d8ff081014c6
| 6e6d8ff081014c6
Perhaps even stranger, as my admin user (role:admin, in admin tenant), I cannot set the visibility of an image to 'public':
[root@vm013 ~]# openstack image set --public cirros
403 Forbidden: You are not authorized to complete publicize_image action. (HTTP 403)
My /etc/glance/
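The title of this bug is a configuration trap: the shipped glance-api.conf carries the line `#flavor = keystone` as a comment, so an operator can believe keystone is the default while the option is actually unset and the unauthenticated paste pipeline is loaded. The following audit check is an added example, not code from the report or from Glance; the sample config text is constructed, and the pipeline naming it describes (glance-api-<flavor>, with keystone, keystone+caching and keystone+cachemanagement as the authenticated flavors) is taken from the default glance-api-paste.ini.

```python
import configparser
import re

# A commented-out "#flavor = keystone" is documentation, not a setting; this
# pattern lets the audit say so explicitly instead of just "unset".
COMMENTED_FLAVOR = re.compile(r"^\s*#\s*flavor\s*=\s*(\S+)", re.MULTILINE)


def audit_paste_flavor(conf_text):
    """Return (status, detail) for the [paste_deploy] flavor setting.

    Glance loads the paste pipeline named glance-api-<flavor>; only flavors
    with a 'keystone' component (keystone, keystone+caching, ...) include the
    auth middleware. An unset flavor selects the unauthenticated pipeline.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    flavor = cp.get("paste_deploy", "flavor", fallback=None)
    if flavor is None or not flavor.strip():
        match = COMMENTED_FLAVOR.search(conf_text)
        if match:
            return ("FAIL", "flavor unset; '#flavor = %s' is only a comment"
                    % match.group(1))
        return ("FAIL", "flavor unset; unauthenticated pipeline in effect")
    flavor = flavor.strip()
    if "keystone" not in flavor.split("+"):
        return ("FAIL", "flavor %r has no keystone component" % flavor)
    return ("OK", "flavor %r routes requests through keystone" % flavor)


# Constructed sample: the example value left commented out, as in a shipped
# config file; the reporter's real file is not reproduced here.
WEAK_CONF = """\
[DEFAULT]

[paste_deploy]
# Partial name of a pipeline in your paste configuration file with the
# service name removed.
#flavor = keystone

[keystone_authtoken]
auth_url = https://keystone.example.test:5000
"""

# Corrected form: the same file with the setting actually enabled.
FIXED_CONF = WEAK_CONF.replace("#flavor = keystone", "flavor = keystone")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, *audit_paste_flavor(text))
```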
Changed in glance: milestone: stein-2 → stein-rc1
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.