Fix committed to glance-store, aiming bug to that as well.

** Project changed: glance => glance-store

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1354512

Title:
  Anonymous user can download public image through Swift

Status in OpenStack Glance backend store-drivers library (glance_store):
  Fix Committed
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  When Glance uses Swift as backend, and Swift uses the delay_auth_decision
  feature (for temporary URLs, for example), anyone can download public
  images anonymously from Swift by direct URL.

  Steps to reproduce:

  1. Set delay_auth_decision = 1 in Swift's proxy-server.conf.
     Set
       default_store = swift
       swift_store_multi_tenant = True
       swift_store_create_container_on_put = True
     in Glance's glance-api.conf.

  2. Create a public image.
       glance image-create --name fake_image --file <some_text_file_name> --is-public True
     You may use a text file to reproduce the error for descriptive reasons.
     Use the image id you got in the next step.

  3. Download the created image with curl.
       curl <swift_endpoint>/glance_<image_id>/<image_id>
     See your file in the output. If swift_store_container in your
     glance-api.conf is not 'glance', use the appropriate prefix in the
     command above.

  Glance sets the read ACL to '.r:*,.rlistings' for all public images.
  Thus, since anyone has access into Swift (by the delay_auth_decision
  parameter), anyone can download a public image.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance-store/+bug/1354512/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
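The exposure the report describes is a combination of three settings: Swift's proxy passing unauthenticated requests through (delay_auth_decision), Glance storing images in Swift in multi-tenant mode, and a container read ACL of '.r:*,.rlistings'. The following audit helper is an added example, not code from the bug report, from Glance or from Swift. It parses the ACL string in the form Glance writes it and reads the two config files named above, so an operator can flag the world-readable combination before (or after) applying the glance-store fix. Assumptions: the ACL grammar is a simplified re-implementation of Swift's (only the '.r:', '.ref:', '.referer:', '.referrer:', '.rlistings' and 'account:user' forms are handled), delay_auth_decision is looked up in every section of proxy-server.conf, and the Glance options are read from [DEFAULT] or [glance_store]; the sample config texts are constructed for this example.

```python
"""Audit helper for the Glance-on-Swift anonymous-read condition.

Added example; not part of the bug report, Glance or Swift. The ACL parsing
is a simplified re-implementation of Swift's container ACL grammar.
"""
import configparser

# Prefixes Swift accepts for referrer rules in X-Container-Read.
_REFERRER_PREFIXES = (".r:", ".ref:", ".referer:", ".referrer:")


def parse_read_acl(acl):
    """Split a Swift read ACL into (referrer_rules, listings_allowed, groups).

    Referrer rules keep their leading '-' so callers can tell allow from deny;
    '*' means any (including no) Referer header, i.e. anonymous access.
    """
    referrers, groups, listings = [], [], False
    for raw in (acl or "").split(","):
        item = raw.strip()
        if not item:
            continue
        if item == ".rlistings":
            listings = True
            continue
        prefix = next((p for p in _REFERRER_PREFIXES if item.startswith(p)), None)
        if prefix:
            referrers.append(item[len(prefix):])
        else:
            groups.append(item)  # 'account:user' or 'account' style grants
    return referrers, listings, groups


def audit_read_acl(acl):
    """Report whether an ACL lets unauthenticated clients read objects."""
    referrers, listings, groups = parse_read_acl(acl)
    anonymous = "*" in referrers
    return {
        "anonymous_read": anonymous,
        "anonymous_listing": anonymous and listings,
        "allowed_referrers": [r for r in referrers if not r.startswith("-")],
        "denied_referrers": [r[1:] for r in referrers if r.startswith("-")],
        "groups": groups,
    }


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def delayed_auth_enabled(proxy_conf_text):
    """True if any section of proxy-server.conf enables delay_auth_decision."""
    cp = _load(proxy_conf_text)
    for section in cp.sections():
        value = cp.get(section, "delay_auth_decision", fallback="")
        if value.strip().lower() in ("1", "true", "yes", "on"):
            return True
    return False


def glance_swift_multi_tenant(glance_conf_text):
    """True if glance-api.conf uses the Swift store in multi-tenant mode.

    Assumption: options live in [DEFAULT] (older releases) or [glance_store].
    """
    cp = _load(glance_conf_text)
    for section in ("DEFAULT", "glance_store"):
        store = cp.get(section, "default_store", fallback="").strip()
        multi = cp.get(section, "swift_store_multi_tenant", fallback="").strip()
        if store == "swift" and multi.lower() in ("1", "true", "yes", "on"):
            return True
    return False


def exposure_report(proxy_conf_text, glance_conf_text, container_read_acl):
    """Combine the three conditions; anonymous_download is the finding."""
    acl = audit_read_acl(container_read_acl)
    delayed = delayed_auth_enabled(proxy_conf_text)
    multi_tenant = glance_swift_multi_tenant(glance_conf_text)
    return {
        "delay_auth_decision": delayed,
        "swift_multi_tenant": multi_tenant,
        "acl": acl,
        "anonymous_download": delayed and multi_tenant and acl["anonymous_read"],
    }


# Constructed sample configs mirroring the settings in the report.
PROXY_CONF = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
delay_auth_decision = 1
"""

GLANCE_CONF = """
[DEFAULT]
default_store = swift
swift_store_multi_tenant = True
swift_store_create_container_on_put = True
"""

if __name__ == "__main__":
    report = exposure_report(PROXY_CONF, GLANCE_CONF, ".r:*,.rlistings")
    print("anonymous download possible:", report["anonymous_download"])
```

Run it against the real proxy-server.conf and glance-api.conf and the X-Container-Read header of an image container (swift stat <container>); a True finding means unauthenticated GETs reach the container ACL and the ACL grants them. After the glance-store fix, or if delay_auth_decision is disabled, the report should come back False.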

