Until there is a clear consensus about whether this bug caused an actual
security vulnerability, the OSSA task is now Won't Fix.

** Changed in: ossa
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1522524

Title:
  User can delete deactivated images

Status in Glance:
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:

  Overview:

  In Glance, once an admin has marked an image as deactivated, a user can no
  longer download or delete that image. This is so an image can be inspected by
  the admins without the user interfering.
  However, these restrictions can be avoided, specifically allowing a user to
  delete a deactivated image. Meaning an admin would not be able to guarantee the
  status of a deactivated image.

  What should happen: 403
  What does happen: 200

  How to reproduce:
  1. Create an image.
  echo test | glance image-create --name 3 --container-format bare --disk-format raw

  2. Deactivate the image.
  glance image-deactivate 0630d5e4-6009-4723-94e6-1ad056ab649a

  3. Check image is deactivated.
  glance image-show 0630d5e4-6009-4723-94e6-1ad056ab649a

  4. Using the v1 API delete the image.
  curl -X DELETE http://localhost:9292/v1/images/0630d5e4-6009-4723-94e6-1ad056ab649a -H 'X-Auth-token: 108322e43f6346ebadb3c2fb72831913'

  5. Image is now gone.
  glance image-show 0630d5e4-6009-4723-94e6-1ad056ab649a

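The 403-versus-200 difference in the report comes down to whether the delete path looks at the image's state as well as its owner. The following is an added example, not part of the original notification and not Glance's code: a simplified in-memory model in which every name (Image, delete_owner_only, delete_state_aware, replay_report) is hypothetical, and in which admins are assumed to remain able to delete a deactivated image.

```python
# Added example: simplified in-memory model, NOT Glance's implementation.
# All names here are hypothetical; the sample image is constructed.
from dataclasses import dataclass


@dataclass
class Image:
    image_id: str
    owner: str
    status: str = "active"


def delete_owner_only(images, image_id, user, is_admin=False):
    """Models the reported behaviour: only ownership is checked."""
    image = images.get(image_id)
    if image is None:
        return 404
    if not is_admin and image.owner != user:
        return 403
    del images[image_id]
    return 200


def delete_state_aware(images, image_id, user, is_admin=False):
    """Same handler with the image state included in the decision."""
    image = images.get(image_id)
    if image is None:
        return 404
    if not is_admin and image.owner != user:
        return 403
    # Assumption: an admin may still remove an image they deactivated.
    if image.status == "deactivated" and not is_admin:
        return 403
    del images[image_id]
    return 200


def replay_report(delete_handler):
    """Walk the report's steps 1-5; return (DELETE status, image still present)."""
    images = {"img-1": Image("img-1", owner="alice")}     # step 1: create
    images["img-1"].status = "deactivated"                # step 2: admin deactivates
    assert images["img-1"].status == "deactivated"        # step 3: check the state
    code = delete_handler(images, "img-1", user="alice")  # step 4: owner sends DELETE
    return code, "img-1" in images                        # step 5: is it still there?


if __name__ == "__main__":
    print("owner-only check :", replay_report(delete_owner_only))
    print("state-aware check:", replay_report(delete_state_aware))
```

The same replay can serve as a regression check for each API version that exposes a delete operation, so that one path cannot skip a state check another path enforces.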