Comment 12 for bug 1065187

Thierry Carrez (ttx) wrote : Re: Non-admin users can cause public glance images to be deleted from the backend storage repository

Essex has:
https://github.com/openstack/glance/blob/7fdccb1ada360b0ba8b69472477c5cedfa45bcda/glance/api/v1/images.py#L710
So unless req.context.read_only is set on non-admin requests, I guess it's vulnerable; please confirm.

Diablo has:
https://github.com/openstack/glance/blob/5b26c53c8e5143de37e270146d4ea9755c5c3f32/glance/api/v1/images.py#L598
which is very similar to Essex, so if Essex is vulnerable, Diablo will be.

Looks like a workaround for Folsom (apart from setting all images to protected) would be to refuse the v1 API (enable_v1_api = False), as this seems to be v1-specific?