[Bug 1521560] Re: User can delete any image
Viktor Křivák
viktor.krivak at gmail.com
Mon Dec 7 12:36:10 UTC 2015
Sorry, I found my own mistake.
In glance-registry-paste.ini I forgot to delete this line:
[pipeline:glance-registry-keystone]
pipeline = osprofiler unauthenticated-context registryapp
** Changed in: nova (Ubuntu)
Status: New => Invalid
** Information type changed from Public Security to Public
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1521560
Title:
User can delete any image
Status in nova package in Ubuntu:
Invalid
Bug description:
Not sure if I have some typo in my config, but it looks like that,
from Kilo, a user can delete any image via the nova API. Only the UUID is
needed. Also, a user can list every image in the system, even non-public
ones which don't belong to him.
# Image info:
$ glance image-show 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | ee1eca47dc88f4879d8a229cc70a07c6 |
| container_format | bare |
| created_at | 2015-11-30T18:08:05Z |
| disk_format | qcow2 |
| hw_vif_model | e1000 |
| id | 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba |
| min_disk | 0 |
| min_ram | 0 |
| name | Cirros 0.3.4 |
| owner | d697f13bce95426d82179c216a8e3f1c |
| protected | False |
| size | 13287936 |
| status | active |
| tags | [] |
| updated_at | 2015-11-30T18:08:06Z |
| virtual_size | None |
| visibility | public |
+------------------+--------------------------------------+
# Notice it is just a public image with an owner (other than myself)
# My session
$ openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-12-01T11:03:03.988742Z |
| id | ################################ |
| project_id | 873a42b1eb3a42768f6b702c55b5c932 |
| user_id | 37d0d3638ab243f786e68649fad84354 |
+------------+----------------------------------+
# And then this somehow works
$ nova image-delete 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba
$ nova image-list
+--------------------------------------+---------------------+--------+--------+
| ID | Name | Status | Server |
+--------------------------------------+---------------------+--------+--------+
| 90678a27-c1e7-499b-9c06-bc6c01e100b3 | Debian 7 - Refstack | ACTIVE | |
| f851e1d7-9e17-4c6f-beda-de3b3ea40db1 | Debian 8 | ACTIVE | |
+--------------------------------------+---------------------+--------+--------+
$ nova image-show 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba
ERROR (CommandError): No image with a name or ID of '3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba' exists.
$ glance image-show 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba
404 Not Found: No image found with ID 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba (HTTP 404)
Glance always correctly returns 404, but nova deletes it even if I'm just a member.
If I don't have any mistake in my config, this is a serious security bug, because anyone can delete any image.
My opinion is that nova calls glance internally as admin and it doesn't do any additional permission checks.
A quick fix could be to just add a filter to nova/image/api.py.
My nova version: 2015.1.2-2 (Kilo)
Tested on Debian GNU/Linux 8.2 (jessie), but I think this bug is general.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1521560/+subscriptions
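Added example (not part of the bug report, and not Glance's own code): a small Python audit of a glance-registry-paste.ini that flags the misconfiguration the reporter found, a keystone pipeline still carrying the unauthenticated-context filter. The INI text is constructed: the broken pipeline line is the one quoted in the reply, the corrected pipeline (osprofiler authtoken context registryapp) is what I take to be the stock Kilo keystone pipeline, and the filter/app factory paths are illustrative and only need to exist as section names. The function names and finding messages are mine.

```python
import configparser

# Constructed filter/app definitions, modelled on a stock glance-registry-paste.ini.
# Only the section names matter to the audit; the factory paths are illustrative.
PASTE_COMPONENTS = """\
[app:registryapp]
paste.app_factory = glance.registry.api:API.factory

[filter:osprofiler]
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory

[filter:unauthenticated-context]
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:context]
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
"""

# The keystone pipeline as the reporter had it (constructed from the quoted line).
BROKEN_INI = """\
[pipeline:glance-registry-keystone]
pipeline = osprofiler unauthenticated-context registryapp

""" + PASTE_COMPONENTS

# The keystone pipeline as it should look (assumed Kilo default: validate the
# token first, then build the request context from it, then hand off to the app).
FIXED_INI = """\
[pipeline:glance-registry-keystone]
pipeline = osprofiler authtoken context registryapp

""" + PASTE_COMPONENTS


def load_paste(ini_text):
    """Parse paste-deploy INI text; values contain ':' so only '=' may delimit."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    return cp


def pipeline_chain(cp, name):
    """Return the ordered component names of [pipeline:<name>], or None if absent."""
    section = "pipeline:" + name
    if not cp.has_section(section) or not cp.has_option(section, "pipeline"):
        return None
    return cp.get(section, "pipeline").split()


def audit_keystone_pipeline(ini_text, name="glance-registry-keystone"):
    """Return a list of findings for the keystone pipeline (empty when it looks sane)."""
    cp = load_paste(ini_text)
    chain = pipeline_chain(cp, name)
    if chain is None:
        return ["[pipeline:%s] is missing or has no 'pipeline =' option" % name]
    findings = []

    # Paste semantics: every element but the last must be a [filter:*] and the
    # last must be an [app:*]; an undefined name would fail at service start.
    for comp in chain[:-1]:
        if not cp.has_section("filter:" + comp):
            findings.append("'%s' has no [filter:%s] section" % (comp, comp))
    if not cp.has_section("app:" + chain[-1]):
        findings.append("'%s' (last element) has no [app:%s] section" % (chain[-1], chain[-1]))

    # The mistake from the report: the keystone flavour still running the
    # no-auth context filter, so token validation and ownership are skipped.
    if "unauthenticated-context" in chain:
        findings.append("keystone pipeline runs 'unauthenticated-context'; "
                        "every request is handled without authentication")
    if "authtoken" not in chain:
        findings.append("keystone pipeline never validates tokens ('authtoken' missing)")
    if "context" not in chain:
        findings.append("keystone pipeline never builds a request context ('context' missing)")
    elif "authtoken" in chain and chain.index("authtoken") > chain.index("context"):
        findings.append("'context' runs before 'authtoken', so the context is built "
                        "from unvalidated headers")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        print(label, audit_keystone_pipeline(text) or ["OK"])
```

Run it against the real file with `audit_keystone_pipeline(open("/etc/glance/glance-registry-paste.ini").read())`; the same check applies to glance-api-paste.ini with `name="glance-api-keystone"`, since both services select their pipeline by the `flavor` set under `[paste_deploy]`.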