Comment 40 for bug 1990157

Erno Kuvaja (jokke) wrote : Re: Malicious image data modification can happen when using COW

+OSSN-0065 suggested that this attack vector could be addressed by using
+policies, but that turned out not to be the case. The only way currently
+to close this vector is to deploy an internal-only-facing glance-api
+used by Nova and Cinder, with show_multiple_locations enabled, and an
+end-user-facing glance-api with show_multiple_locations disabled.
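Review bot: "internal-only-facing glance-api" in the third added line leaves the operator to work out what enforces that boundary, even though that endpoint is the one running with show_multiple_locations enabled. Suggest adding a sentence stating that the internal endpoint must not be reachable by end users and that the option is set separately in each deployment's configuration. Style: "The only way currently to close this vector" reads better as "Currently, the only way to close this vector".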

"The only way currently mitigate this vector is to deploy"

The dual deployment does not close the attack vector, just limits it from external users. Without patching the gapi service code, the only way to close this vector is to not enable "show_image_direct_url" nor "show_multiple_locations" and that way disable the locations API.
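Added example, not part of the original comment or of Glance's code: a small audit that reads glance-api configuration text and reports, per endpoint, whether the two options named above leave the locations API enabled. The endpoint names and sample configs are constructed, and the sketch assumes both options sit in `[DEFAULT]` and default to off when absent.

```python
import configparser

# Options named in this thread; assumed to live in [DEFAULT] of
# glance-api.conf and to default to False when absent.
LOCATION_OPTS = ("show_multiple_locations", "show_image_direct_url")
TRUE_VALUES = {"true", "1", "on", "yes"}  # boolean spellings oslo.config accepts


def enabled_location_opts(conf_text):
    """Return the location-exposing options that are switched on."""
    # strict=False tolerates repeated keys; the last value wins.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    defaults = parser.defaults()
    return [opt for opt in LOCATION_OPTS
            if defaults.get(opt, "false").strip().lower() in TRUE_VALUES]


def audit(endpoints):
    """Map each endpoint name to a finding string.

    endpoints: {name: (is_end_user_facing, conf_text)}
    """
    findings = {}
    for name, (end_user_facing, conf_text) in endpoints.items():
        enabled = enabled_location_opts(conf_text)
        if not enabled:
            findings[name] = "closed: locations API disabled"
        elif end_user_facing:
            findings[name] = "EXPOSED to end users: " + ", ".join(enabled)
        else:
            findings[name] = "limited, not closed: " + ", ".join(enabled)
    return findings


# Constructed sample configs for the dual deployment discussed above.
SAMPLE = {
    "glance-public": (True, "[DEFAULT]\nshow_multiple_locations = False\n"),
    "glance-internal": (False, "[DEFAULT]\nshow_multiple_locations = True\n"
                               "show_image_direct_url = true\n"),
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name}: {finding}")
```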