Glance

Bug #1916922
Comment #0

Comment 0 for bug 1916922

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2021-02-25: Glance leaks resource types across namespaces

As a user of a project, I can see resource types associated to private namespaces I don't have access to:

Now as a separate user

As a user of a project, I can see resource types associated to private namespaces I don't have access to:

╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤  $ source alicerc                       
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤  $ openstack token issue                
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2021-02-25T16:54:12+0000                                                                                                                                                                |
| id         | gAAAAABgN8gkFiVP108Fi8-OaWdPklyi0_UN3UrEE_q4d5HGqYXFZy5rZ5Mf_MUnAJx-VFJmBMXsM_pxQDyP07O8R8rBHNC6hhayqRXnwCDg6LGAwdYP9kJP5Fcx2_2WHmeqdXwLwc7I88XP7v1SJqjkb0D0JEFYoPq4qne4Jk9Raq5JaJ-DKUo |
| project_id | 67f1495e5dc145abbfa7059c63c6eda2                                                                                                                                                        |
| user_id    | 91cdb182eaf841f4869e66d6b0f0f32a                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤  $ glance md-namespace-list             
+------------------------------------------+ 
| namespace                                |
+------------------------------------------+                                                                                                                                                          
| OS::Software::DBMS                       |                                               
| CIM::ResourceAllocationSettingData       | 
| OS::Compute::CPUPinning                  |                                                                                                                                                                                                                                                                                                                                                                
| OS::Compute::Watchdog                    |                                                                                                                                                                                                                                                                                                                                                                
| OS::Compute::GuestMemoryBacking          |                                                                                                                                                                                                                                                                                                                                                                
| OS::Compute::AggregateDiskFilter         |                                                                                                                                                                                                                                                                                                                                                                
| OS::Compute::RandomNumberGenerator       |
| OS::Compute::Hypervisor                  |              
| OS::Compute::AggregateIoOpsFilter        | 
| OS::Compute::VirtCPUTopology             |                                                                                                                                                                                                                                                                                                                                                                
| OS::Compute::HostCapabilities            |                                                                                                                                                          
| CIM::ProcessorAllocationSettingData      |                                               
| OS::Compute::GuestShutdownBehavior       | 
| OS::Cinder::Volumetype                   |                                                                                                                                                                                                                                                                                                                                                                
| OS::Software::WebServers                 |
| OS::Compute::Libvirt                     |
| OS::Compute::XenAPI                      |
| OS::Compute::Quota                       |
| OS::Compute::VMwareFlavor                |
| OS::Compute::VMwareQuotaFlavor           |
| OS::Compute::InstanceData                |
| OS::Compute::LibvirtImage                | 
| OS::Compute::AggregateNumInstancesFilter |                                       
| OS::Glance::Signatures                   |
| CIM::VirtualSystemSettingData            |
| CIM::StorageAllocationSettingData        |
| OS::Software::Runtimes                   |
| OS::Compute::VMware                      |
+------------------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤  $ glance md-namespace-create alice-namespace 
+------------+----------------------------------+
| Property   | Value                            |
+------------+----------------------------------+
| created_at | 2021-02-25T15:55:55Z             |
| namespace  | alice-namespace                  |
| owner      | 67f1495e5dc145abbfa7059c63c6eda2 |
| protected  | False                            |
| schema     | /v2/schemas/metadefs/namespace   |
| updated_at | 2021-02-25T15:55:55Z             |
| visibility | private                          |
+------------+----------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤  $ glance md-resource-type-associate --name alice-resource-type alice-namespace
+------------+----------------------+
| Property   | Value                |
+------------+----------------------+
| created_at | 2021-02-25T15:57:29Z |
| name       | alice-resource-type  |
| updated_at | 2021-02-25T15:57:29Z |
+------------+----------------------+

Now as a separate user