By default show_image_direct_url MUST be set to False
Bug #1822540 reported by Pranali Deore
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Fix Released | High | Pranali Deore | |
Bug Description
Revealing image locations can present a GRAVE SECURITY RISK as image locations can sometimes include credentials.
Hence, this is set to 'False' by default in glance-api.conf from the beginning. Set this to True with EXTREME CAUTION and ONLY IF you know what you are doing.
Ref: https:/
In tripleo, this is set to "True" by default in patch[1]
[1]: https:/
But this should be requirement-specific rather than set to 'true' by default, to prevent a security risk.
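An audit an operator could run against a deployed glance-api.conf and a sample of image records, given here as an added example (it is not from the bug report or from TripleO or Glance code). The helper names, the set of accepted truthy spellings, and the sample config text and image records are assumptions constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Assumption of this example: spellings treated as boolean "true" in the config file.
TRUE_VALUES = {"true", "1", "on", "yes"}

def direct_url_exposed(conf_text):
    """Return True if [DEFAULT] show_image_direct_url is effectively enabled."""
    # strict=False: a repeated option does not raise, the last occurrence wins.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    # Option absent means the Glance default (False) applies.
    value = cp.defaults().get("show_image_direct_url", "false")
    return value.strip().lower() in TRUE_VALUES

def url_carries_credentials(url):
    """Return True if the location URL has a user or password in its authority part."""
    parts = urlsplit(url)
    return bool(parts.username or parts.password)

def audit(conf_text, images):
    """Return a list of findings; secrets themselves are never echoed."""
    findings = []
    if direct_url_exposed(conf_text):
        findings.append("show_image_direct_url is enabled")
        for img in images:
            if url_carries_credentials(img.get("direct_url", "")):
                findings.append(f"image {img['id']}: direct_url embeds credentials")
    return findings

# Constructed sample inputs (not taken from any real deployment).
HARDENED = "[DEFAULT]\n# show_image_direct_url not set: default applies\n"
EXPOSED = "[DEFAULT]\nshow_image_direct_url = False\nshow_image_direct_url = True\n"
IMAGES = [
    {"id": "img-1",
     "direct_url": "swift+https://tenant%3Auser:EXAMPLE-KEY@keystone.example.test/v3/glance/img-1"},
    {"id": "img-2", "direct_url": "file:///var/lib/glance/images/img-2"},
]

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("exposed", EXPOSED)):
        print(name, audit(conf, IMAGES))
```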
Changed in tripleo: | |
assignee: | nobody → Pranali Deore (pranali-deore) |
Changed in tripleo: | |
milestone: | none → stein-rc1 |
importance: | Undecided → High |
status: | New → Triaged |
tags: | added: security-hardening |
Changed in tripleo: | |
milestone: | stein-rc1 → train-1 |
Changed in tripleo: | |
milestone: | train-1 → train-2 |
Changed in tripleo: | |
milestone: | train-2 → train-3 |
Changed in tripleo: | |
milestone: | train-3 → ussuri-1 |
Changed in tripleo: | |
milestone: | ussuri-1 → ussuri-2 |
Changed in tripleo: | |
milestone: | ussuri-2 → ussuri-3 |
Changed in tripleo: | |
milestone: | ussuri-3 → ussuri-rc3 |
Changed in tripleo: | |
status: | Triaged → Incomplete |
Changed in tripleo: | |
milestone: | ussuri-rc3 → victoria-1 |
Changed in tripleo: | |
milestone: | victoria-1 → victoria-3 |
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/863142