It does seem like this should be treated as a vulnerability. I took a look at the security advisories we have done this year, and this seems to be at the same level as some other DoS vulnerabilities we have fixed, including:
[OSSA 2012-003] Long server names grow nova-api log files significantly
[OSSA 2012-005] No quota enforced on security group rules
[OSSA 2012-009] Scheduler denial of service through scheduler_hints
For nova, I think a cap on image size makes sense. For glance, is that sufficient to stop someone from filling up disk space? Is there also a limit on how many images you can upload?