Yes, since this bug is only valid for branches which are no longer in a maintained state, there is little point in issuing an advisory.
** Changed in: ossa Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1799588 Title: default paste_deploy.flavor is none, but config file text implies it is 'keystone' (was: non-admin users can see all tenants' images even when image is private) Status in Glance: Fix Released Status in OpenStack Security Advisory: Won't Fix Bug description: [root@vm013 glance]# cat /etc/redhat-release CentOS Linux release 7.5.1804 (Core) [root@vm013 glance]# rpm -qa |grep glance |sort openstack-glance-16.0.1-1.el7.noarch openstack-glance-doc-16.0.1-1.el7.noarch python2-glanceclient-2.10.0-1.el7.noarch python2-glance-store-0.23.0-1.el7.noarch python-glance-16.0.1-1.el7.noarch python-glanceclient-doc-2.10.0-1.el7.noarch [root@vm013 glance]# md5sum /etc/glance/policy.json a4f29d0f75bbc04f1d83a1abdf0fda6f /etc/glance/policy.json I am running only Glance v2 API. In this demo, as an un-privileged user, I will list all glance images, from all tenants, and they are all marked 'private'. (as admin): [root@vm013 ~]# openstack role assignment list --effective --names |grep jonathan | user | jonathan@Default | | ozoneaq@ndc | | False | (as jonathan): [root@vm013 ~]# . 
keystonerc_jonathan [root@vm013 ~]# printenv |grep OS_ |sort OS_AUTH_URL=https://keystone.gpcprod:5000/v3 OS_CACERT=/etc/openldap/cacerts/gpcprod_root_ca.pem OS_IDENTITY_API_VERSION=3 OS_PASSWORD=XXXXXXXXXXXXXXXXXX OS_PROJECT_DOMAIN_NAME=NDC OS_PROJECT_NAME=ozoneaq OS_USER_DOMAIN_NAME=Default OS_USERNAME=jonathan OS_VOLUME_API_VERSION=3 [root@vm013 ~]# openstack image list +--------------------------------------+-----------------------------------+--------+ | ID | Name | Status | +--------------------------------------+-----------------------------------+--------+ | 0099a343-1376-49f4-85f9-795624fb2ce8 | CentOS-7-x86_64-GenericCloud-1808 | active | | 53d7c007-318b-4dad-b7cb-38b1dd31f884 | Ubuntu1604-180919 | active | | 482f52ca-e56c-4555-a0e3-93eb491db389 | Ubuntu1604-20181016 | active | | 212aaf3c-18f6-4327-8a11-c726c2e21780 | Ubuntu1804-20181016 | active | | 051d2fff-6b90-4321-9c64-c613f0ddf3da | Windows2016Std-20181003r4 | active | | ac6baa7c-fd2f-48e2-84e0-37a86f623e38 | Windows2016std-20181003r2 | active | | 2264c6b9-40e7-492d-a5bc-dd11a7b4ee10 | Windows2016std-20181004 | active | | 6d865748-ae7a-4c43-9d01-bc35c9002fd9 | Windows2016std-20181004r2 | active | | 26ba1766-aa67-4b1b-81cd-90dda8d41384 | WindowsServer2016-20180926 | active | | 3fc3c155-c7a2-4556-a5d0-de7eff208d7d | WindowsStd2016-20181010 | active | | b6d161ca-e03b-46c5-95a0-5fe31723c5c7 | centos7-201810100 | active | | 8bdc33be-1eb5-429b-b0ca-682b24df45f0 | centos7-gi-build-test1 | active | | 34a915b8-cca6-45c3-9348-5e15dace444f | cirros | active | | 84102d5c-1641-47bb-b727-a59e707e871c | keyshotslave-1604-snap2 | active | | cedf9ae7-6adc-44d4-b7cb-d5664ea3fef0 | keyshotslave1604-snap1 | active | | be4dbd67-d56f-41dd-8378-8aa6ca064f55 | mm-cirros-test | active | | be67cf99-b545-4a91-a3d8-fe9f26a8854d | mm-cirros-test2 | active | | a8dfd028-5911-4178-a77d-bb3da8996372 | mm-test-image4 | active | | b6d9d44d-2e3c-48a9-9bf5-b6fca20979f9 | testt2-snap | active | | 1c401eea-0e6e-475b-9a46-ffbfb388ca35 | 
ubuntu1804-180919 | active | +--------------------------------------+-----------------------------------+--------+ [root@vm013 ~]# openstack image show cirros +------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | checksum | 443b7623e27ecf03dc9e01ee93f67afe | | container_format | bare | | created_at | 2018-09-17T13:43:13Z | | disk_format | raw | | file | /v2/images/34a915b8-cca6-45c3-9348-5e15dace444f/file | | id | 34a915b8-cca6-45c3-9348-5e15dace444f | | min_disk | 0 | | min_ram | 0 | | name | cirros | | owner | 6e6d8ff081014c679f18ad4b818ffd4c | | properties | direct_url='file:///var/lib/glance/images/34a915b8-cca6-45c3-9348-5e15dace444f', locations='[{u'url': u'file:///var/lib/glance/images/34a915b8-cca6-45c3-9348-5e15dace444f', u'metadata': {u'mountpoint': u'/var/lib/glance/images', u'type': u'nfs', u'id': u'gpc-b32-na-01', u'share_location': u'nfs://gpc-b32-na-01/glance'}}]' | | protected | False | | schema | /v2/schemas/image | | size | 12716032 | | status | active | | tags | | | updated_at | 2018-09-17T13:49:18Z | | virtual_size | None | | visibility | private | 
+------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ So you can see that my un-privileged user jonathan (role:user) just displayed the private image 'cirros' from tenant 6e6d8ff081014c679f18ad4b818ffd4c. User 'jonathan' is not a member of that tenant. (as admin): [root@vm013 ~]# openstack project list |grep 6e6d8ff081014c679f18ad4b818ffd4c | 6e6d8ff081014c679f18ad4b818ffd4c | gpcadm | Perhaps even stranger, as my admin user (role:admin, in admin tenant), I cannot set the visibility of an image to 'public': [root@vm013 ~]# openstack image set --public cirros 403 Forbidden: You are not authorized to complete publicize_image action. (HTTP 403) My /etc/glance/policy.json is identical to the reference one, here: https://raw.githubusercontent.com/openstack/glance/master/etc/policy.json To manage notifications about this bug go to: https://bugs.launchpad.net/glance/+bug/1799588/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
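
A configuration check for the condition named in the bug title, added here as an example and not part of the bug report or of Glance itself: it reads glance-api.conf text and reports whether `[paste_deploy] flavor` is actually set, or only appears as a commented-out sample line. The function name, the sample configs, and the rule that a flavor beginning with "keystone" means an authenticated pipeline are assumptions of this example.

```python
import configparser
import re

# Constructed sample configs (not taken from the bug report).
COMMENTED_ONLY = """\
[DEFAULT]
bind_port = 9292

[paste_deploy]
# Deployment flavor to use in the server application pipeline.
#flavor = keystone
"""

EXPLICIT = """\
[paste_deploy]
flavor = keystone
"""

# A commented-out sample line such as "#flavor = keystone" sets nothing.
# The search covers the whole file, not only the [paste_deploy] section.
COMMENTED_FLAVOR = re.compile(r"^\s*[#;]\s*flavor\s*=\s*(\S+)", re.MULTILINE)


def audit_flavor(conf_text):
    """Return (verdict, effective_value, commented_sample_value)."""
    # default_section is renamed so [DEFAULT] options do not leak into
    # [paste_deploy]; strict=False tolerates duplicated options.
    cp = configparser.RawConfigParser(strict=False, default_section="__unused__")
    cp.read_string(conf_text)
    value = cp.get("paste_deploy", "flavor", fallback=None)
    value = value.strip() if value else None

    hint = COMMENTED_FLAVOR.search(conf_text)
    hint_value = hint.group(1) if hint else None

    if value is None:
        # Nothing set: the service falls back to its default (none per the bug).
        return ("unset", None, hint_value)
    if value.startswith("keystone"):  # assumption: keystone* flavors authenticate
        return ("ok", value, hint_value)
    return ("no-keystone", value, hint_value)


if __name__ == "__main__":
    for name, text in (("commented-only", COMMENTED_ONLY), ("explicit", EXPLICIT)):
        print(name, audit_flavor(text))
```

An "unset" verdict with a non-empty third field is the misleading case the title describes: the file shows `keystone`, but only inside a comment.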