Murano image properties are unprotected
Bug #1717439 reported by
Andy Botting
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Murano |
Fix Released
|
Undecided
|
Andy Botting |
Bug Description
Due to how Murano uses the murano_image_info glance property to determine what images to show to the user, it can be easily added by any user to insert their public image into the list of available images. This could potentially be used for malicious purposes in a public cloud.
We looked at using at Glance property protections, but this causes Glance to die when trying to snapshot a Murano instance, instead of just skipping the property, which is unacceptable.
In our situation, it would be really useful to be able to add custom image filters, especially to limit the list to images owned by a particular project.
To post a comment you must log in.
Fix proposed to branch: master /review. openstack. org/504833
Review: https:/