Comment 0 for bug 1916926

Lance Bragstad (lbragstad) wrote : Glance leaks namespace existence to unauthorized users

╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ source openrc demo demo
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2021-02-25T14:11:38+0000 |
| id | gAAAAABgN6IKDUKTn9RNudtZD605vA9l9eErCcXDrdxZwfhePYVlAHXzzCdQs6FK6XDwFvuexzfymc0uX7NY5RisEnQmUBl6eLccgBMYE6vSpVWCDTkFuKIuPfLh3xSkJGjZcpG7nfJ_ImU_wCJJFgcclf1zHTHWQ9Y15k-mAE7l3xceqUkOx2Y |
| project_id | ed4fade2e2cd4be0932ef30357f6d7a1 |
| user_id | e83b2f50463c4959bcc00a96b52b2f86 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-namespace-show foo
+----------------------------+----------------------------------+
| Property | Value |
+----------------------------+----------------------------------+
| created_at | 2021-02-25T04:54:10Z |
| namespace | foo |
| owner | ed4fade2e2cd4be0932ef30357f6d7a1 |
| protected | False |
| resource_type_associations | ["bar"] |
| schema | /v2/schemas/metadefs/namespace |
| updated_at | 2021-02-25T04:54:10Z |
| visibility | private |
+----------------------------+----------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ source alicerc
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-resource-type-associate --name test foo
HTTP 403 Forbidden: Forbidding request, metadata definition namespace=foo is not visible.

This might not be a security issue since the user needs to know the namespace name, but opening this in private based on a recommendation from jokke.