Comment 2 for bug 1799588

Jonathan Mills (jonmills-t) wrote : Re: non-admin users can see all tenants' images even when image is private

This issue was posted to openstack-operators, where some responders said they were unable to reproduce the problem, and that is a big concern of mine. If it is a misconfiguration of my cluster, I still want to understand what went wrong and how to fix it, because this is a pretty serious problem. To shed a little light on our installation procedure: we provision our bare metal using xCAT, after which we apply RPM packages from the CentOS Cloud repo (http://mirror.centos.org/centos/7/cloud/x86_64/openstack-queens/) and configure services strictly according to the OpenStack docs (e.g. https://docs.openstack.org/glance/queens/install/install-rdo.html). We tweak the config files to use HTTPS and to point at our endpoints, etc., but there is really nothing exotic about our setup. We were running glance under uWSGI behind Apache+mod_proxy, but as part of our troubleshooting we reverted to the openstack-glance-api systemd unit, which launches the old Python 2 eventlet server -- the behavior was unchanged either way.

This is our /etc/glance/glance-api.conf:

[DEFAULT]
# NOTE(review): per this option's help text, enabling it returns each image's
# backend location (here a file:// path under filesystem_store_datadir) in
# API responses; Glance documents that as a security risk. Confirm it is
# actually needed by a consumer (e.g. a compute node reading images directly).
show_image_direct_url = true
# NOTE(review): per its help text, exposing multiple locations also lets API
# clients add or modify an image's locations, which Glance documents as a
# grave security risk. Confirm only trusted callers can reach this API.
show_multiple_locations = true
# Location ordering policy; pairs with [store_type_location_strategy] below.
location_strategy = store_type
# Only the v2 API is served; the v1 API and v1 registry are disabled.
enable_v1_api = false
enable_v2_api = true
enable_v1_registry = false
image_cache_dir = /var/lib/glance/images/image-cache
node_staging_uri = file:///var/lib/glance/images/tmp
# NOTE(review): use_user_token looks like a deprecated option in this release;
# this auth_url is the [DEFAULT]-level one, separate from [keystone_authtoken].
use_user_token = true
auth_url = https://keystone.gpcprod:5000/v3
# The API listens on an internal address and terminates TLS itself with the
# cert/key below; the key file must be readable only by the glance user.
bind_host = 10.2.3.123
bind_port = 9292
workers = 6
http_keepalive = true
# seconds
client_socket_timeout = 900
backlog = 4096
cert_file = /etc/glance/ssl/glance.pem
key_file = /etc/glance/ssl/glance.key
# NOTE(review): debug logging is on (presumably for this troubleshooting);
# debug output is verbose and can include request details, so turn it off
# once the investigation is finished.
debug = true
log_file = /var/log/glance/api.log
log_dir = /var/log/glance
use_syslog = False
publish_errors = true
syslog_log_facility = LOG_USER
# Broker credentials are embedded here (redacted in this paste); keep this
# file readable only by root and the glance service user.
transport_url = rabbit://user@<email address hidden>:5671,user:<email address hidden>:5671,user:<email address hidden>:5671/

# Empty: CORS middleware left at its defaults (no allowed origins configured).
[cors]

[database]
# DB credentials are embedded in the URL (redacted in this paste); this is
# another reason the file must not be world-readable.
connection = mysql+pymysql://glance:<email address hidden>/glance
# seconds before a pooled connection is recycled
connection_recycle_time=200

[glance_store]
# Only the file and http backends are enabled; new uploads go to the file store.
stores = file,http
default_store = file
# http store: remote TLS is verified against the internal CA
# (https_insecure = false).
https_ca_certificates_file = /etc/openldap/cacerts/gpcprod_root_ca.pem
https_insecure = false
# NOTE(review): cinder settings are present although 'cinder' is not listed
# in stores; they presumably have no effect here. Confirm, or drop them to
# keep the effective configuration obvious.
cinder_catalog_info = volumev3:cinderv3:publicURL
cinder_os_region_name = RegionOne
cinder_ca_certificates_file = /etc/openldap/cacerts/gpcprod_root_ca.pem
cinder_api_insecure = false
filesystem_store_metadata_file = /etc/glance/metadata.json
filesystem_store_datadir = /var/lib/glance/images
# NOTE(review): 0644 makes every stored image file world-readable at the OS
# level regardless of its Glance visibility, so any local account on this
# node can read private images. Keep the datadir itself restricted, or use
# 0640 with a shared group if another service needs direct read access.
filesystem_store_file_perm = 0644
os_region_name=RegionOne

[image_format]
# Allow-lists of container and disk formats accepted on image create/update.
container_formats = ami,ari,aki,bare,ovf,ova
disk_formats = ami,ari,aki,vhd,vmdk,raw,qcow2,vdi,iso

[keystone_authtoken]
# NOTE(review): auth_uri, auth_url and identity_uri all name the same
# endpoint; auth_uri and identity_uri look like older/deprecated spellings,
# auth_url is the one the password auth plugin below uses. Confirm and prune.
auth_uri = https://keystone.gpcprod:5000/v3
auth_url = https://keystone.gpcprod:5000/v3
# Keystone TLS verification is on (insecure = false) against the internal CA.
cafile = /etc/openldap/cacerts/gpcprod_root_ca.pem
insecure = false
region_name = RegionOne
# NOTE(review): validated tokens are cached in memcached over plain TCP, and
# memcache_security_strategy = None means cache entries are neither signed
# nor encrypted, so anyone who can reach port 11211 on these hosts can read
# or tamper with cached token data. Consider MAC or ENCRYPT together with
# memcache_secret_key (per the keystonemiddleware docs). revocation_cache_time
# appears to be a legacy option with no effect on current token formats.
memcached_servers = 10.2.3.117:11211,10.2.3.118:11211,10.2.3.119:11211
# seconds
token_cache_time = 1800
revocation_cache_time = 1800
memcache_security_strategy = None
memcache_pool_dead_retry = 300
memcache_pool_socket_timeout = 3
# Service-user credentials (password redacted in this paste); this file must
# not be world-readable.
auth_type=password
username = glance
password = XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
project_domain_name = default
user_domain_name = default
project_name = service
identity_uri=https://keystone.gpcprod:5000/v3

# The following sections are present but empty, i.e. left at library defaults.
[matchmaker_redis]
[oslo_concurrency]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
# Image notifications are sent through the messaging driver (the rabbit
# transport from [DEFAULT] transport_url) to the 'notifications' topic.
driver = messagingv2
topics = notifications

[oslo_messaging_rabbit]
amqp_durable_queues = false
# TLS to the broker, verified against the internal CA, with a client
# certificate; the client key must be readable only by the glance user.
# ssl_version pins TLS 1.2, which is fine as long as the broker offers it.
ssl_version = TLSv1_2
ssl_key_file = /etc/glance/ssl/rabbitmq.key
ssl_cert_file = /etc/glance/ssl/rabbitmq.pem
ssl_ca_file = /etc/openldap/cacerts/gpcprod_root_ca.pem
ssl = true
# Password login (credentials from transport_url) over the TLS channel.
rabbit_login_method = AMQPLAIN
rabbit_ha_queues = true
# NOTE(review): 0 disables AMQP heartbeats, so a half-open broker connection
# is only noticed via TCP timeouts; heartbeat_rate is then moot.
heartbeat_timeout_threshold = 0
heartbeat_rate = 2
# NOTE(review): the keys from here through default_rpc_retry_attempts look
# like AMQP 1.0 driver options (normally under [oslo_messaging_amqp]). In
# this section oslo.config silently ignores unregistered keys, so they are
# probably inert; ${control_exchange} is oslo.config substitution of the
# [DEFAULT] control_exchange option. Confirm and prune.
notification_persistence = false
default_notification_exchange = ${control_exchange}_notification
notification_listener_prefetch_count = 100
default_notification_retry_attempts = -1
notification_retry_delay = 0.25
rpc_queue_expiration = 60
default_rpc_exchange = ${control_exchange}_rpc
rpc_reply_exchange = ${control_exchange}_rpc_reply
rpc_listener_prefetch_count = 100
rpc_reply_listener_prefetch_count = 100
rpc_reply_retry_attempts = -1
rpc_reply_retry_delay = 0.25
default_rpc_retry_attempts = -1
# NOTE(review): these two do not look like registered rabbit driver options
# either; the notification topic is already set in
# [oslo_messaging_notifications]. Confirm they are read at all.
rabbit_notification_exchange=glance
rabbit_notification_topic=notifications

# Empty sections: left at library defaults.
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
# Relative path, resolved against the config directory (/etc/glance).
policy_file = policy.json
# NOTE(review): enforce_scope only affects rules that declare scope_types;
# whether Glance's rules do so in this release should be confirmed.
enforce_scope = true
# NOTE(review): any action missing from policy.json falls back to the rule
# named "default"; if that rule is empty/permissive, unlisted actions are
# allowed to everyone. For the reported symptom (non-admins seeing other
# tenants' private images) it is also worth checking the context_is_admin
# rule in policy.json: as far as I recall, Glance's visibility filtering
# shows every image to an admin context, so a permissive context_is_admin
# would produce exactly this behaviour. Confirm against the deployed file.
policy_default_rule = default

# Empty sections: paste pipeline ('flavor') and profiler left at defaults.
[paste_deploy]
[profiler]
[store_type_location_strategy]
# Used by location_strategy = store_type in [DEFAULT]: file locations are
# preferred over http ones when an image has several.
store_type_preference = file,http

# Empty sections: task and taskflow executor settings left at defaults.
[task]
[taskflow_executor]