@lujiefsi: have you tried to do this directly to the Image API without involving horizon?
Glance has a system-wide 'image_property_quota' setting (default: 128) that limits the number of properties that can be added to a particular image. Additionally, there is a per-user 'image_count_total' that controls how many images can be held by a project. So there are some levers in place to control how much garbage someone can stuff into the DB. Since an unauthorized user can't create/update and image, and a user must be in some project, I don't know how much of a DOS you can do with this vector (though the default image property quota may be a bit high).
Looking at horizon, I think it passes the 'description' to glance as an additional image property:
https:/ /opendev. org/openstack/ horizon/ src/commit/ c528bfe84f25eef 17d808d635ff17c f95e7a8136/ openstack_ dashboard/ api/glance. py#L410- L426
@lujiefsi: have you tried to do this directly to the Image API without involving horizon?
Glance has a system-wide 'image_ property_ quota' setting (default: 128) that limits the number of properties that can be added to a particular image. Additionally, there is a per-user 'image_count_total' that controls how many images can be held by a project. So there are some levers in place to control how much garbage someone can stuff into the DB. Since an unauthorized user can't create/update and image, and a user must be in some project, I don't know how much of a DOS you can do with this vector (though the default image property quota may be a bit high).