Glance registry should not be exposed to users

Bug #1252931 reported by Sam Morrison on 2013-11-20
Assigned to: Shaun McCance

Bug Description

Using glance-registry v1 API from stable/havana

The glance registry will expose the location of the image. If using the swift backend this will expose your swift credentials.

My initial discovery of this was when using a stable/grizzly glance-api. Doing either a glance image-create or glance image-show exposes the location_data information of the image.
It would seem that the data is being protected at the glance-api level and not the registry level. Havana glance-api protects the data; Grizzly glance-api does not.

I have confirmed this by using a standard user's token (with Member role) with curl to do a request against the registry (stable/havana):

curl -H "X-Auth-Token:TOKEN" | python -m json.tool
{
    "image": {
        "checksum": "ad53c72c06a08439f95b527f3184a726",
        "container_format": "bare",
        "created_at": "2013-11-11T02:30:35",
        "deleted": false,
        "deleted_at": null,
        "disk_format": "qcow2",
        "id": "f5bf9283-033b-46e1-972d-6884cbae48e5",
        "is_public": true,
        "location": "swift+http://service%3Aglance:<email address hidden>:5000/v2.0/images/f5bf9283-033b-46e1-972d-6884cbae48e5",
        "location_data": [
            {
                "metadata": {},
                "url": "swift+http://service%3Aglance:<email address hidden>:5000/v2.0/images/f5bf9283-033b-46e1-972d-6884cbae48e5"
            }
        ],
        "min_disk": 0,
        "min_ram": 0,
        "name": "raring",
        "owner": "XXXXXX",
        "properties": {},
        "protected": false,
        "size": 236322816,
        "status": "active",
        "updated_at": "2013-11-11T02:30:48"
    }
}
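The registry response above leaks credentials because the swift store writes the service tenant's user name and password into the userinfo part of the image location URL (Launchpad has redacted the `password@host` portion as `<email address hidden>`). The following is an added example, not code from Glance or from the reporter, that audits a registry v1 image record for exactly this: it walks both the legacy `location` string and the `location_data` list, reports any URL carrying embedded credentials, and produces a redacted form safe for logging. The sample response is constructed from the report with a placeholder password (`s3cret`) and host (`keystone.example`) standing in for the hidden values.

```python
"""Audit a glance-registry v1 image record for store credentials leaked in
image location URLs. Added example for bug 1252931; not Glance project code."""
import json
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample: the registry response from the report, with the
# Launchpad-redacted "password@host" replaced by placeholder values so it parses.
SAMPLE_RESPONSE = json.dumps({
    "image": {
        "id": "f5bf9283-033b-46e1-972d-6884cbae48e5",
        "name": "raring",
        "is_public": True,
        "location": "swift+http://service%3Aglance:s3cret@keystone.example:5000"
                    "/v2.0/images/f5bf9283-033b-46e1-972d-6884cbae48e5",
        "location_data": [
            {
                "metadata": {},
                "url": "swift+http://service%3Aglance:s3cret@keystone.example:5000"
                       "/v2.0/images/f5bf9283-033b-46e1-972d-6884cbae48e5",
            }
        ],
        "status": "active",
    }
})


def location_urls(record):
    """Yield every location URL in a v1 image record: the legacy single
    ``location`` string and each ``url`` inside the ``location_data`` list."""
    image = record.get("image", record)
    if image.get("location"):
        yield image["location"]
    for entry in image.get("location_data") or []:
        if entry.get("url"):
            yield entry["url"]


def embedded_credentials(url):
    """Return (user, password) if the URL carries a userinfo component,
    otherwise None. The swift store percent-escapes 'tenant:user' as the
    user part, so it is unquoted here; a file:// or http:// location without
    userinfo yields None."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    return (unquote(parts.username or ""), unquote(parts.password or ""))


def redact(url):
    """Return the URL with userinfo stripped, keeping scheme, host, port and
    path intact so the record stays useful for debugging without the secret."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[-1]  # keeps any IPv6 brackets as-is
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def audit(response_text):
    """Parse a registry response body and return one finding per location URL
    that embeds credentials: {"user": <tenant:user>, "redacted": <safe url>}."""
    record = json.loads(response_text)
    findings = []
    for url in location_urls(record):
        creds = embedded_credentials(url)
        if creds is not None:
            findings.append({"user": creds[0], "redacted": redact(url)})
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; in practice feed it the body that
    # an unprivileged token gets back from the registry, as in the curl above.
    for finding in audit(SAMPLE_RESPONSE):
        print(f"leaked credentials for {finding['user']!r} in {finding['redacted']}")
```

Any finding from this audit means the registry is reachable by a caller who should not see it; the fix is network placement (bind the registry to an internal interface and keep it out of the Keystone service catalog), not filtering the response, since the registry is trusted by glance-api to return the full record.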

@Mark: can you confirm? Looks a bit like bug 1098962 and bug 1135541

summary: - Glance registy exposed image location data
+ Glance registry exposed image location data
Changed in ossa:
status: New → Incomplete
Mark Washenberger (markwash) wrote :

The registry is a private internal service meant only for use by the glance api. This bug is akin to saying "mysql exposed image location data". I believe it should be marked as Invalid or possibly WontFix.

Sam Morrison (sorrison) wrote :

OK, I guess I didn't know that. Because it has keystone middleware protecting it, it gives the impression that this can be exposed like all the other openstack services.
You can also set an admin role for glance registry which gives the impression that if the user doesn't have this role then they shouldn't be able to get access to certain things.

I think this is fine to mark as invalid etc. but maybe there needs to be some docs somewhere as other people could potentially expose their registries without knowing the full impact.

Thierry Carrez (ttx) wrote :

OK, I turned it into a public doc bug, so that we make sure this is properly documented... Thanks Sam!

summary: - Glance registry exposed image location data
+ Glance registry should not be exposed to users
Changed in glance:
status: New → Won't Fix
no longer affects: ossa
information type: Private Security → Public
Anne Gentle (annegentle) wrote :

I believe this should be documented in the Ops Guide and/or Cloud Administrator Guide and/or Security Guide, so a paragraph in a common section would be great.

Changed in openstack-manuals:
status: New → Confirmed
Tom Fifield (fifieldt) on 2013-12-20
Changed in openstack-manuals:
importance: Undecided → Medium
tags: added: sec-guide

Fix proposed to branch: master

Changed in openstack-manuals:
assignee: nobody → Vaidyanath (vaidyanath-m)
status: Confirmed → In Progress
Vaidyanath (vaidyanath-m) wrote :

Sorry about that. I think this happened by mistake.
I would like to change the assignee and also would like to change the status

Changed in openstack-manuals:
assignee: Vaidyanath (vaidyanath-m) → punal patel (punal-patel)
assignee: punal patel (punal-patel) → nobody
Tom Fifield (fifieldt) on 2014-03-30
Changed in openstack-manuals:
status: In Progress → Triaged
milestone: none → icehouse
Tom Fifield (fifieldt) on 2014-04-05
Changed in openstack-manuals:
assignee: nobody → Tom Fifield (fifieldt)

Fix proposed to branch: master

Changed in openstack-manuals:
status: Triaged → In Progress
Changed in openstack-manuals:
assignee: Tom Fifield (fifieldt) → Shaun McCance (shaunm-gnome)

Submitter: Jenkins
Branch: master

commit ca9c7bbe279e15cd5b6c6e7d4ccb54cb579861e3
Author: Tom Fifield <email address hidden>
Date: Sat Apr 5 11:35:54 2014 +0800

    Add a note that the glance-registry is internal

    Users could be confused into thinking the glance registry
    is an external-facing service. It is not, and is designed
    with a security model such that it should be protected for
    internal use only.

    This patch adds a note to the introduction in the common section
    so it will be included in multiple guides.

    Change-Id: Ic540353d82c829475ac6f3455ccccdea32977a4b
    Closes-Bug: 1252931

Changed in openstack-manuals:
status: In Progress → Fix Released
Changed in glance:
assignee: nobody → Ricardo (openstack-x)
assignee: Ricardo (openstack-x) → nobody

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
