openstack-manuals

Glance registry should not be exposed to users

Bug #1252931 reported by Sam Morrison on 2013-11-20

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Glance	Won't Fix	Undecided	Unassigned
	openstack-manuals	Fix Released	Medium	Shaun McCance	openstack-manuals icehouse

Bug Description

Using glance-registry v1 API from stable/havana

The glance registry will expose the location of the image. If using the swift backend this will expose your swift credentials.

My initial discovery of this was when using a stable/grizzly glance-api. Doing either a glance image-create or glance image-show exposes the location_data information of the image.
It would seem that the data is being protected at the glance-api level and not the registry level. Havana glance-api protects the data Grizzly glance-api does not.

I have confirmed this by using a standard users token (with Member role) with curl to do a request against the registry (stable/havana)

curl -H "X-Auth-Token:TOKEN" http://glance-registry.dev:9191/images/f5bf9283-033b-46e1-972d-6884cbae48e5 | python -m json.tool
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 761 100 761 0 0 4542 0 --:--:-- --:--:-- --:--:-- 4584
{
    "image": {
        "checksum": "ad53c72c06a08439f95b527f3184a726",
        "container_format": "bare",
        "created_at": "2013-11-11T02:30:35",
        "deleted": false,
        "deleted_at": null,
        "disk_format": "qcow2",
        "id": "f5bf9283-033b-46e1-972d-6884cbae48e5",
        "is_public": true,
        "location": "swift+http://service%3Aglance:<email address hidden>:5000/v2.0/images/f5bf9283-033b-46e1-972d-6884cbae48e5",
        "location_data": [
            {
                "metadata": {},
                "url": "swift+http://service%3Aglance:<email address hidden>:5000/v2.0/images/f5bf9283-033b-46e1-972d-6884cbae48e5"
            }
        ],
        "min_disk": 0,
        "min_ram": 0,
        "name": "raring",
        "owner": "XXXXXX",
        "properties": {},
        "protected": false,
        "size": 236322816,
        "status": "active",
        "updated_at": "2013-11-11T02:30:48"
    }
}

Tags:

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-11-20: Re: Glance registry exposed image location data

@Mark: can you confirm ? Looks a bit like bug 1098962 and bug 1135541

summary:	- Glance registy exposed image location data + Glance registry exposed image location data
Changed in ossa:
status:	New → Incomplete

Revision history for this message

Mark Washenberger (markwash) wrote on 2013-12-06:

The registry is a private internal service meant only for use by the glance api. This bug is akin to saying "mysql exposed image location data". I believe it should be marked as Invalid or possibly WontFix.

Revision history for this message

Sam Morrison (sorrison) wrote on 2013-12-07:

OK I guess I didn't know that, because it has keystone middleware protecting it it gives the impression that this can be exposed like all the other openstack services.
You can also set an admin role for glance registry which gives the impression that if the user doesn't have this role then they shouldn't be able to get access to certain things.

I think this is fine to mark as invalid etc. but maybe there needs to be some docs somewhere as other people could potentially expose their registries without knowing the full impact.

Revision history for this message

Thierry Carrez (ttx) wrote on 2013-12-09:

OK, I turned it into a public doc bug, so that we make sure this is properly documented... Thanks Sam!

summary:	- Glance registry exposed image location data + Glance registry should not be exposed to users
Changed in glance:
status:	New → Won't Fix
no longer affects:	ossa
information type:	Private Security → Public

Revision history for this message

Anne Gentle (annegentle) wrote on 2013-12-10:

I believe this should be documented in the Ops Guide and/or Cloud Administrator Guide and/or Security Guide, so a paragraph in a common section would be great.

Changed in openstack-manuals:
status:	New → Confirmed

Tom Fifield (fifieldt) on 2013-12-20

Changed in openstack-manuals:
importance:	Undecided → Medium
tags:	added: sec-guide

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-03-14: Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/80521

Changed in openstack-manuals:
assignee:	nobody → Vaidyanath (vaidyanath-m)
status:	Confirmed → In Progress

Revision history for this message

Vaidyanath (vaidyanath-m) wrote on 2014-03-14:

Sorry about that. i think this happened by mistake.
I would like to change the assignee and also would like to change the status

punal patel (punal-patel) on 2014-03-23

Changed in openstack-manuals:
assignee:	Vaidyanath (vaidyanath-m) → punal patel (punal-patel)
assignee:	punal patel (punal-patel) → nobody

Tom Fifield (fifieldt) on 2014-03-30

Changed in openstack-manuals:
status:	In Progress → Triaged
milestone:	none → icehouse

Tom Fifield (fifieldt) on 2014-04-05

Changed in openstack-manuals:
assignee:	nobody → Tom Fifield (fifieldt)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-04-05:

Fix proposed to branch: master
Review: https://review.openstack.org/85538

Changed in openstack-manuals:
status:	Triaged → In Progress

Revision history for this message

Tom Fifield (fifieldt) wrote on 2014-04-05:

https://review.openstack.org/85538

OpenStack Infra (hudson-openstack) on 2014-04-10

Changed in openstack-manuals:
assignee:	Tom Fifield (fifieldt) → Shaun McCance (shaunm-gnome)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-04-10: Fix merged to openstack-manuals (master)

#10

Reviewed: https://review.openstack.org/85538
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=ca9c7bbe279e15cd5b6c6e7d4ccb54cb579861e3
Submitter: Jenkins
Branch: master

commit ca9c7bbe279e15cd5b6c6e7d4ccb54cb579861e3
Author: Tom Fifield <email address hidden>
Date: Sat Apr 5 11:35:54 2014 +0800

Add a note that the glance-registry is internal

    Users could be confused into thinking the glance registry
    is an external-facing service. It is not, and is designed
    with a security model such that it should be protected for
    internal use only.

This patch adds a note to the introduction in the common section
so it will be included in multiple guides.

Change-Id: Ic540353d82c829475ac6f3455ccccdea32977a4b
Closes-Bug: 1252931

Changed in openstack-manuals:
status:	In Progress → Fix Released

Ricardo Toma (openstack-x) on 2014-09-18

Changed in glance:
assignee:	nobody → Ricardo (openstack-x)
assignee:	Ricardo (openstack-x) → nobody

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-24: Fix included in openstack/openstack-manuals 15.0.0

#11

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.