I think by now this is safe to close as opinion. I don't see us doing the rate limiting on the Glance side, but assume it is being done at the load balancer or encryption termination level instead.
** Changed in: glance
   Status: Confirmed => Opinion

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1545092

Title:
  Images v2 api image-create vulnerability

Status in Glance:
  Opinion
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  This report applies to all versions of Glance.

  The POST v2/images call creates an image (record) in 'queued' status.
  There is no limit enforced in Glance on the number of images a single
  tenant may create, just on the total amount of storage a single user may
  consume [0]. Thus a user could either maliciously or by mistake clog up
  multiple database tables (images, image_properties, image_tags,
  image_members) with useless image records, thereby causing a denial of
  service.

  This is a concern because the approved 2016.01 DefCore specification
  requires the 'images-v2-index' capability [1, 2]. The tempest test for
  this capability functions by creating several image records and then
  checking the GET v2/images response to make sure all these records are
  returned [3]. Thus any cloud that wishes to qualify under 2016.01 must
  expose POST v2/images to all end users, thereby exposing such clouds to
  this vulnerability, which could otherwise be mitigated by restricting
  POST v2/images to trusted users.
  [0] https://github.com/openstack/glance/blob/132906146dd74a2eeae67706e19e4fa44559bb8b/etc/glance-api.conf#L89
  [1] https://github.com/openstack/defcore/blob/master/2016.01.json#L48
  [2] https://github.com/openstack/defcore/blob/master/2016.01.json#L1391-L1412
  [3] https://github.com/openstack/tempest/blob/df88737b9cdaabb5633b4fefb723676e71cd1af0/tempest/api/image/v2/test_images.py#L184-L191

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
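Since the thread leaves the limit to the load balancer rather than to Glance, an operator still has no in-tree signal when one tenant starts filling the images table with records that never leave 'queued'. The script below is an added example for this thread, not Glance code and not something from the bug report: it walks the paginated shape that GET /v2/images returns ({"images": [...], "next": "<path of the next page>"}), counts queued records per owner, separately counts those older than a cutoff, and names the owners over a threshold. The two sample pages, the owner names and the fixed "now" are constructed for the example; a real run replaces fetch_page() with an authenticated GET against the Glance endpoint using an admin token, since a non-admin listing only shows that tenant's own images.

```python
"""Audit Glance v2 image listings for tenants piling up 'queued' records.

Added example; not Glance code. Pages and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample pages keyed by request path, shaped like GET /v2/images
# responses (real ids are UUIDs; short ids keep the sample readable).
SAMPLE_PAGES = {
    "/v2/images?limit=3": {
        "images": [
            {"id": "img-1", "owner": "tenant-a", "status": "queued",
             "created_at": "2016-02-12T10:00:00Z"},
            {"id": "img-2", "owner": "tenant-a", "status": "queued",
             "created_at": "2016-02-12T11:00:00Z"},
            {"id": "img-3", "owner": "tenant-b", "status": "active",
             "created_at": "2016-02-12T12:00:00Z"},
        ],
        "next": "/v2/images?limit=3&marker=img-3",
    },
    "/v2/images?limit=3&marker=img-3": {
        "images": [
            {"id": "img-4", "owner": "tenant-a", "status": "queued",
             "created_at": "2016-02-13T23:30:00Z"},
            {"id": "img-5", "owner": "tenant-b", "status": "queued",
             "created_at": "2016-02-13T23:45:00Z"},
        ],
        # last page: no "next" key
    },
}

# Fixed clock so the sample is reproducible; a real run uses
# datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2016, 2, 14, 0, 0, tzinfo=timezone.utc)


def fetch_page(path):
    """Stand-in for an authenticated GET of <glance-endpoint><path>."""
    return SAMPLE_PAGES[path]


def iter_images(first_path, fetch=fetch_page):
    """Yield every image across all pages, following 'next' until absent."""
    path = first_path
    seen = set()
    while path and path not in seen:  # guard against a looping 'next'
        seen.add(path)
        page = fetch(path)
        for image in page.get("images", []):
            yield image
        path = page.get("next")


def parse_created_at(value):
    """Glance renders created_at as ISO 8601 UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def queued_per_owner(images, now, stale_after=timedelta(hours=24)):
    """Return {owner: {"queued": n, "stale": m}} over queued records only.

    'stale' counts queued records older than stale_after: a record that has
    sat in 'queued' for a day is almost certainly never going to get data.
    """
    counts = defaultdict(lambda: {"queued": 0, "stale": 0})
    for image in images:
        if image.get("status") != "queued":
            continue
        owner = image.get("owner") or "<no owner>"
        counts[owner]["queued"] += 1
        if now - parse_created_at(image["created_at"]) >= stale_after:
            counts[owner]["stale"] += 1
    return dict(counts)


def flag_owners(counts, max_queued, max_stale):
    """Owners whose queued or stale-queued record count exceeds a limit."""
    return sorted(owner for owner, c in counts.items()
                  if c["queued"] > max_queued or c["stale"] > max_stale)


def audit(first_path="/v2/images?limit=3", now=SAMPLE_NOW,
          max_queued=2, max_stale=1, fetch=fetch_page):
    """Walk the listing and return (per-owner counts, flagged owners)."""
    counts = queued_per_owner(iter_images(first_path, fetch), now)
    return counts, flag_owners(counts, max_queued, max_stale)


if __name__ == "__main__":
    counts, flagged = audit()
    for owner, c in sorted(counts.items()):
        print(f"{owner}: queued={c['queued']} stale={c['stale']}")
    print("over limit:", flagged)
```

With the constructed pages and the low test thresholds, tenant-a is flagged (three queued records, two of them older than a day) and tenant-b is not. Against a real deployment, pass `status=queued` as a server-side filter on the first request to avoid paging through active images, and pick `max_queued` from what the per-user storage quota in [0] would allow for legitimate uploads in flight, since that quota is the only limit Glance itself enforces.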