Reviewed:  https://review.openstack.org/85538
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=ca9c7bbe279e15cd5b6c6e7d4ccb54cb579861e3
Submitter: Jenkins
Branch:    master

commit ca9c7bbe279e15cd5b6c6e7d4ccb54cb579861e3
Author: Tom Fifield <[email protected]>
Date:   Sat Apr 5 11:35:54 2014 +0800

    Add a note that the glance-registry is internal

    Users could be confused into thinking the glance registry is
    an external-facing service. It is not, and is designed with
    a security model such that it should be protected for internal
    use only.

    This patch adds a note to the introduction in the common
    section so it will be included in multiple guides.

    Change-Id: Ic540353d82c829475ac6f3455ccccdea32977a4b
    Closes-Bug: 1252931

** Changed in: openstack-manuals
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1252931

Title:
  Glance registry should not be exposed to users

Status in OpenStack Image Registry and Delivery Service (Glance):
  Won't Fix
Status in OpenStack Manuals:
  Fix Released

Bug description:
  Using glance-registry v1 API from stable/havana

  The glance registry will expose the location of the image. If using
  the swift backend this will expose your swift credentials.

  My initial discovery of this was when using a stable/grizzly
  glance-api. Doing either a glance image-create or glance image-show
  exposes the location_data information of the image.

  It would seem that the data is being protected at the glance-api
  level and not the registry level.

  Havana glance-api protects the data
  Grizzly glance-api does not.

  I have confirmed this by using a standard user's token (with Member
  role) with curl to do a request against the registry (stable/havana)

  curl -H "X-Auth-Token:TOKEN" http://glance-registry.dev:9191/images/f5bf9283-033b-46e1-972d-6884cbae48e5 | python -m json.tool
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   761  100   761    0     0   4542      0 --:--:-- --:--:-- --:--:--  4584
  {
      "image": {
          "checksum": "ad53c72c06a08439f95b527f3184a726",
          "container_format": "bare",
          "created_at": "2013-11-11T02:30:35",
          "deleted": false,
          "deleted_at": null,
          "disk_format": "qcow2",
          "id": "f5bf9283-033b-46e1-972d-6884cbae48e5",
          "is_public": true,
          "location": "swift+http://service%3Aglance:[email protected]:5000/v2.0/images/f5bf9283-033b-46e1-972d-6884cbae48e5",
          "location_data": [
              {
                  "metadata": {},
                  "url": "swift+http://service%3Aglance:[email protected]:5000/v2.0/images/f5bf9283-033b-46e1-972d-6884cbae48e5"
              }
          ],
          "min_disk": 0,
          "min_ram": 0,
          "name": "raring",
          "owner": "XXXXXX",
          "properties": {},
          "protected": false,
          "size": 236322816,
          "status": "active",
          "updated_at": "2013-11-11T02:30:48"
      }
  }
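
Added example, not part of the original bug report and not Glance's own code: a check an operator could run over an image record to see whether its "location" or "location_data" URLs embed credentials in the way the report describes, and to produce a copy with them stripped. The sample record, its host name, password and image id are constructed placeholders, and the function names are hypothetical.

```python
import copy
from urllib.parse import urlsplit, urlunsplit

# Constructed sample shaped like the registry response in the report.
# Host, password and image id are placeholders, not values from the page.
URL = ("swift+http://service%3Aglance:EXAMPLE-PASSWORD@keystone.example.test"
       ":5000/v2.0/images/00000000-0000-0000-0000-000000000000")
SAMPLE = {"image": {
    "id": "00000000-0000-0000-0000-000000000000",
    "name": "raring",
    "location": URL,
    "location_data": [{"metadata": {}, "url": URL}],
}}

def has_credentials(url):
    """True when the URL authority carries userinfo (user[:password]@host)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None

def strip_userinfo(url):
    """Return the URL with any user[:password]@ prefix removed from the host."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))

def find_exposed_locations(image):
    """List the fields of an image record whose URL embeds credentials."""
    hits = []
    if has_credentials(image.get("location") or ""):
        hits.append("location")
    for i, loc in enumerate(image.get("location_data") or []):
        if has_credentials(loc.get("url") or ""):
            hits.append(f"location_data[{i}].url")
    return hits

def sanitize_image(image):
    """Deep copy of the record with userinfo stripped from every location URL."""
    clean = copy.deepcopy(image)
    if clean.get("location"):
        clean["location"] = strip_userinfo(clean["location"])
    for loc in clean.get("location_data") or []:
        if loc.get("url"):
            loc["url"] = strip_userinfo(loc["url"])
    return clean
```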

