The fix for this was released back in 2018 it seems. Closing the bug.
** Changed in: glance
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1799588
Title:
default paste_deploy.flavor is none, but config file text implies it is 'keystone' (was: non-admin users can see all tenants' images even when image is private)
Status in Glance:
Fix Released
Status in OpenStack Security Advisory:
Incomplete
Bug description:
[root@vm013 glance]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@vm013 glance]# rpm -qa |grep glance |sort
openstack-glance-16.0.1-1.el7.noarch
openstack-glance-doc-16.0.1-1.el7.noarch
python2-glanceclient-2.10.0-1.el7.noarch
python2-glance-store-0.23.0-1.el7.noarch
python-glance-16.0.1-1.el7.noarch
python-glanceclient-doc-2.10.0-1.el7.noarch
[root@vm013 glance]# md5sum /etc/glance/policy.json
a4f29d0f75bbc04f1d83a1abdf0fda6f /etc/glance/policy.json
I am running only Glance v2 API.
In this demo, as an un-privileged user, I will list all glance images,
from all tenants, and they are all marked 'private'.
(as admin):
[root@vm013 ~]# openstack role assignment list --effective --names |grep jonathan
| user | jonathan@Default |       | ozoneaq@ndc |        | False     |
(as jonathan):
[root@vm013 ~]# . keystonerc_jonathan
[root@vm013 ~]# printenv |grep OS_ |sort
OS_AUTH_URL=https://keystone.gpcprod:5000/v3
OS_CACERT=/etc/openldap/cacerts/gpcprod_root_ca.pem
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=XXXXXXXXXXXXXXXXXX
OS_PROJECT_DOMAIN_NAME=NDC
OS_PROJECT_NAME=ozoneaq
OS_USER_DOMAIN_NAME=Default
OS_USERNAME=jonathan
OS_VOLUME_API_VERSION=3
[root@vm013 ~]# openstack image list
+--------------------------------------+-----------------------------------+--------+
| ID                                   | Name                              | Status |
+--------------------------------------+-----------------------------------+--------+
| 0099a343-1376-49f4-85f9-795624fb2ce8 | CentOS-7-x86_64-GenericCloud-1808 | active |
| 53d7c007-318b-4dad-b7cb-38b1dd31f884 | Ubuntu1604-180919                 | active |
| 482f52ca-e56c-4555-a0e3-93eb491db389 | Ubuntu1604-20181016               | active |
| 212aaf3c-18f6-4327-8a11-c726c2e21780 | Ubuntu1804-20181016               | active |
| 051d2fff-6b90-4321-9c64-c613f0ddf3da | Windows2016Std-20181003r4         | active |
| ac6baa7c-fd2f-48e2-84e0-37a86f623e38 | Windows2016std-20181003r2         | active |
| 2264c6b9-40e7-492d-a5bc-dd11a7b4ee10 | Windows2016std-20181004           | active |
| 6d865748-ae7a-4c43-9d01-bc35c9002fd9 | Windows2016std-20181004r2         | active |
| 26ba1766-aa67-4b1b-81cd-90dda8d41384 | WindowsServer2016-20180926        | active |
| 3fc3c155-c7a2-4556-a5d0-de7eff208d7d | WindowsStd2016-20181010           | active |
| b6d161ca-e03b-46c5-95a0-5fe31723c5c7 | centos7-201810100                 | active |
| 8bdc33be-1eb5-429b-b0ca-682b24df45f0 | centos7-gi-build-test1            | active |
| 34a915b8-cca6-45c3-9348-5e15dace444f | cirros                            | active |
| 84102d5c-1641-47bb-b727-a59e707e871c | keyshotslave-1604-snap2           | active |
| cedf9ae7-6adc-44d4-b7cb-d5664ea3fef0 | keyshotslave1604-snap1            | active |
| be4dbd67-d56f-41dd-8378-8aa6ca064f55 | mm-cirros-test                    | active |
| be67cf99-b545-4a91-a3d8-fe9f26a8854d | mm-cirros-test2                   | active |
| a8dfd028-5911-4178-a77d-bb3da8996372 | mm-test-image4                    | active |
| b6d9d44d-2e3c-48a9-9bf5-b6fca20979f9 | testt2-snap                       | active |
| 1c401eea-0e6e-475b-9a46-ffbfb388ca35 | ubuntu1804-180919                 | active |
+--------------------------------------+-----------------------------------+--------+
[root@vm013 ~]# openstack image show cirros
+------------------+------------------------------------------------------------------+
| Field            | Value                                                            |
+------------------+------------------------------------------------------------------+
| checksum         | 443b7623e27ecf03dc9e01ee93f67afe                                 |
| container_format | bare                                                             |
| created_at       | 2018-09-17T13:43:13Z                                             |
| disk_format      | raw                                                              |
| file             | /v2/images/34a915b8-cca6-45c3-9348-5e15dace444f/file             |
| id               | 34a915b8-cca6-45c3-9348-5e15dace444f                             |
| min_disk         | 0                                                                |
| min_ram          | 0                                                                |
| name             | cirros                                                           |
| owner            | 6e6d8ff081014c679f18ad4b818ffd4c                                 |
| properties       | direct_url='file:///var/lib/glance/images/34a915b8-cca6-45c3-9348-5e15dace444f', locations='[{u'url': u'file:///var/lib/glance/images/34a915b8-cca6-45c3-9348-5e15dace444f', u'metadata': {u'mountpoint': u'/var/lib/glance/images', u'type': u'nfs', u'id': u'gpc-b32-na-01', u'share_location': u'nfs://gpc-b32-na-01/glance'}}]' |
| protected        | False                                                            |
| schema           | /v2/schemas/image                                                |
| size             | 12716032                                                         |
| status           | active                                                           |
| tags             |                                                                  |
| updated_at       | 2018-09-17T13:49:18Z                                             |
| virtual_size     | None                                                             |
| visibility       | private                                                          |
+------------------+------------------------------------------------------------------+
So you can see that my un-privileged user jonathan (role:user) just displayed
the private image 'cirros' from tenant 6e6d8ff081014c679f18ad4b818ffd4c. User
'jonathan' is not a member of that tenant.
(as admin):
[root@vm013 ~]# openstack project list |grep 6e6d8ff081014c679f18ad4b818ffd4c
| 6e6d8ff081014c679f18ad4b818ffd4c | gpcadm |
Perhaps even stranger, as my admin user (role:admin, in admin tenant), I
cannot set the visibility of an image to 'public':
[root@vm013 ~]# openstack image set --public cirros
403 Forbidden: You are not authorized to complete publicize_image action. (HTTP 403)
My /etc/glance/policy.json is identical to the reference one, here:
https://raw.githubusercontent.com/openstack/glance/master/etc/policy.json
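Added example, not part of the bug report and not Glance project code: a small Python audit of the two things this report turns on, the paste_deploy flavor actually in effect in glance-api.conf and an image listing that contains another project's private images. It assumes the stock glance-api-paste.ini naming: no flavor selects the plain 'glance-api' pipeline, whose unauthenticated-context middleware gives every request an admin context with an empty role list (which also fits the admin's publicize_image 403, since the default rule is role:admin), while flavor = keystone selects 'glance-api-keystone'. It also flags show_image_direct_url / show_multiple_locations, the options behind the direct_url and locations fields visible in the 'image show' output above, because they hand backend storage paths to any caller who can show the image. The two config samples and the image listing are constructed; only the cirros id and its owner come from the report.

```python
"""Audit glance-api.conf for the paste_deploy.flavor pitfall and check an
image listing for the symptom it produces.

Added example (not Glance code, not the reporter's). Assumes the stock
glance-api-paste.ini names: flavor unset -> pipeline 'glance-api'
(unauthenticated-context), flavor = keystone -> 'glance-api-keystone'.
"""
import configparser
import io

# Constructed sample: the stanza as shipped, option still commented out,
# so the default (none) is in effect. The two DEFAULT options mirror the
# direct_url/locations fields visible in the reporter's 'image show'.
UNSAFE_CONF = """
[DEFAULT]
bind_host = 0.0.0.0
show_image_direct_url = True
show_multiple_locations = True

[paste_deploy]
# Deployment flavor to use in the server application pipeline.
# Possible values: keystone
#flavor = keystone
"""

# Constructed sample: the corrected stanza.
SAFE_CONF = """
[DEFAULT]
bind_host = 0.0.0.0

[paste_deploy]
flavor = keystone

[keystone_authtoken]
www_authenticate_uri = https://keystone.example:5000
"""


def _parse(conf_text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(conf_text))
    return cp


def effective_flavor(conf_text):
    """Flavor glance-api would actually use: None when unset or empty."""
    flavor = _parse(conf_text).get("paste_deploy", "flavor", fallback=None)
    if flavor is None or not flavor.strip():
        return None
    return flavor.strip()


def selected_pipeline(conf_text, app_name="glance-api"):
    """Paste pipeline name: app_name, plus '-<flavor>' when a flavor is set."""
    flavor = effective_flavor(conf_text)
    return app_name if flavor is None else f"{app_name}-{flavor}"


def audit_conf(conf_text):
    """Findings a reviewer of this config would raise, most severe first."""
    findings = []
    flavor = effective_flavor(conf_text)
    if flavor is None:
        findings.append("paste_deploy.flavor unset: 'glance-api' pipeline runs "
                        "unauthenticated-context, every caller is treated as admin")
    elif "keystone" not in flavor:
        findings.append(f"paste_deploy.flavor={flavor!r} has no keystone auth")
    cp = _parse(conf_text)
    for opt in ("show_image_direct_url", "show_multiple_locations"):
        if cp.getboolean("DEFAULT", opt, fallback=False):
            findings.append(f"{opt}=True exposes backend storage paths to "
                            "anyone who can show the image")
    return findings


def leaked_private_images(images, caller_project_id):
    """IDs of images a non-admin caller must not see: private, other owner."""
    return [img["id"] for img in images
            if img.get("visibility") == "private"
            and img.get("owner") != caller_project_id]


# Constructed sample listing: 'cirros' and its owner are from the report,
# the other two entries and the caller's project id are made up.
CALLER_PROJECT = "11111111111111111111111111111111"   # constructed project id
SAMPLE_IMAGES = [
    {"id": "34a915b8-cca6-45c3-9348-5e15dace444f", "name": "cirros",
     "owner": "6e6d8ff081014c679f18ad4b818ffd4c", "visibility": "private"},
    {"id": "aaaaaaaa-0000-4000-8000-000000000001", "name": "own-image",
     "owner": CALLER_PROJECT, "visibility": "private"},
    {"id": "aaaaaaaa-0000-4000-8000-000000000002", "name": "shared-base",
     "owner": "22222222222222222222222222222222", "visibility": "public"},
]

if __name__ == "__main__":
    for label, conf in (("unsafe", UNSAFE_CONF), ("safe", SAFE_CONF)):
        print(f"{label}: pipeline={selected_pipeline(conf)} "
              f"findings={audit_conf(conf)}")
    print("leaked:", leaked_private_images(SAMPLE_IMAGES, CALLER_PROJECT))
```

To run it against a live deployment, pass the contents of /etc/glance/glance-api.conf to audit_conf and the JSON from 'openstack image list --long -f json' (taken with a non-admin token) to leaked_private_images; a non-empty result from either is the condition this bug describes.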
--
Mailing list: https://launchpad.net/~yahoo-eng-team