Comment 0 for bug 1498615

Alexey Galkin (agalkin) wrote : Enabled 'show_image_direct_url' by default in glance-api.conf

This commit https://review.openstack.org/#/c/99150 changes the 'show_image_direct_url' parameter to 'True', but the parameter includes the backend image storage location in the image properties, and revealing the storage location can be a security risk, so use this setting with caution.

This is a potential vulnerability; for example, consider the following scenario:
We are using Swift storage. Create an image with the new glance client (1.1.0), and receive the message:

+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | 10d838409df43a1e19922dbed2631400 |
| container_format | bare |
| created_at | 2015-08-11T10:18:29Z |
| direct_url | swift+http://services%3Aglance:EF3tluYM@192.168.0.2:5000/v2.0/glance/049cd701-77 |
| | f2-444b-ab04-4951a93df543 |
| disk_format | qcow2 |
| id | 049cd701-77f2-444b-ab04-4951a93df543 |
| min_disk | 0 |
| min_ram | 0 |
| name | ubuntu14(dont use it) |
| owner | 8ba1c622b05e48d086879976e255c5d8 |
| protected | False |
| size | 1725956096 |
| status | active |
| tags | [] |
| updated_at | 2015-08-14T20:38:28Z |
| visibility | public |
+------------------+----------------------------------------------------------------------------------+

At this step we have the glance user's credentials. After this we can escalate any user to admin privileges using the glance credentials via the keystone client.
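The exposure described in this report can be checked for from the operator's side. The following is an added example, not code from the bug report or from Glance itself: it flags direct_url/locations values whose authority part carries userinfo (the account, user and key the Swift URL above embeds), produces a redacted copy safe for logs, and checks a glance-api.conf fragment for the two options that expose store locations. It assumes image records shaped like the v2 API JSON (a dict with 'id', 'direct_url' and 'locations'); the sample URL is constructed with a placeholder key.

```python
"""Audit Glance image metadata and glance-api.conf for exposed backend credentials.

Added example, not code from the bug report or from Glance. It assumes image
records shaped like the v2 API JSON (dict with 'id', 'direct_url', 'locations').
"""
import configparser
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample: same shape as the direct_url in the report, with a placeholder key.
SAMPLE_DIRECT_URL = ("swift+http://services%3Aglance:EXAMPLE_KEY@192.168.0.2:5000"
                     "/v2.0/glance/049cd701-77f2-444b-ab04-4951a93df543")


def find_embedded_credentials(url):
    """Return (user, password) if the URL authority carries userinfo, else None."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    return unquote(parts.username or ""), parts.password or ""


def redact_url(url):
    """Replace userinfo with a marker so the URL can be logged or shown safely."""
    parts = urlsplit(url)
    if find_embedded_credentials(url) is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, f"***:***@{host}", parts.path, parts.query, parts.fragment))


def audit_image(image):
    """List findings for one image record; findings never contain the secret itself."""
    urls = [("direct_url", image.get("direct_url"))]
    urls += [("locations", loc.get("url")) for loc in image.get("locations") or []]
    return [f"image {image.get('id')}: {field} embeds backend credentials ({redact_url(u)})"
            for field, u in urls if u and find_embedded_credentials(u)]


def audit_glance_api_conf(text):
    """Return the [DEFAULT] options that are enabled and expose store locations."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return [opt for opt in ("show_image_direct_url", "show_multiple_locations")
            if cp.getboolean("DEFAULT", opt, fallback=False)]


if __name__ == "__main__":
    print(audit_image({"id": "049cd701-77f2-444b-ab04-4951a93df543",
                       "direct_url": SAMPLE_DIRECT_URL}))
    print(audit_glance_api_conf("[DEFAULT]\nshow_image_direct_url = True\n"))
```

A swift+config:// reference (credentials kept in the separate Swift store config file rather than in the URL) produces no finding, which is the form an operator wants to see if location fields must stay visible.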