Glance

  1. Bug #1916926
  2. Comment #20

Comment 20 for bug 1916926

Revision history for this message
Jeremy Stanley (fungi) wrote : Re: Glance leaks namespace existence to unauthorized users

Based on the facts that:

1. the risk is only present when users keep sensitive data in metadefs and namespace names

2. it's not a core component of Glance's functionality (at least checking https://refstack.openstack.org/#/guidelines I don't see anything having to do with metadefs in either the required or advisory images-.* entries)

3. the guidance to operators is to disallow access in order to protect users from otherwise relying on it

I'm fine going ahead with direct publication and not providing advance private notification to downstream stakeholders (public service providers and distributors). This is a reasonable compromise, in order to avoid ending up in a situation where we've got a known problem feature exposed by default in the upcoming Wallaby release.

While the announcement may take some operators of existing deployments by surprise, and cause a bit of a scramble to turn off access to a feature some of their users could be relying on, it's still better that we move forward with changing the default in Glance as soon as possible so we can reduce future pain.