Murano image properties are unprotected
Bug #1717439 reported by
Andy Botting
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Murano |
Fix Released
|
Undecided
|
Andy Botting | ||
Bug Description
Due to how Murano uses the murano_image_info glance property to determine what images to show to the user, it can be easily added by any user to insert their public image into the list of available images. This could potentially be used for malicious purposes in a public cloud.
We looked at using at Glance property protections, but this causes Glance to die when trying to snapshot a Murano instance, instead of just skipping the property, which is unacceptable.
In our situation, it would be really useful to be able to add custom image filters, especially to limit the list to images owned by a particular project.
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to murano-dashboard (master) | #1 |
| Changed in murano: | |
| assignee: | nobody → Andy Botting (andybotting) |
| status: | New → In Progress |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to murano-dashboard (master) | #2 |
| Changed in murano: | |
| status: | In Progress → Fix Released |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/murano-dashboard 5.0.0.0b2 | #3 |
To post a comment you must log in.
Fix proposed to branch: master
Review: https:/