Open Stack

(Apologies for top-posting.)

Hi Massimo,

Two things:

(1) Please file a glance bug for this.  I didn't think the sharing code
would touch image locations, but apparently it does.  In the bug report,
please include your policy settings for *_location and *_member, and
also the output of an image-show call for the image you're trying to
share, and the log extract.

(2) With the policy settings you have for *_location, I don't think that
any regular (non-admin) user will be able to download an image or boot
an instance from an image, so you should verify those operations.  Given
what I just said, how do you protect against OSSN-0065?  The following
is from the Rocky release notes [0] (which you may not have seen; this
item was merged after 17.0.0, and we haven't done a point release, so
they're only available online):

"The show_multiple_locations configuration option remains deprecated in
this release, but it has not been removed. (It had been scheduled for
removal in the Pike release.) Please keep a watch on the Glance release
notes and the glance-specs repository to stay informed about
developments on this issue.

"The plan is to eliminate the option and use only policies to control
image locations access. This, however, requires some major refactoring.
See the draft Policy Refactor spec [1] for more information.

"There is no projected timeline for this change, as no one has been able
to commit time to it. The Glance team would be happy to discuss this
more with anyone interested in working on it.

"The workaround is to continue to use the show_multiple_locations option
in a dedicated “internal” Glance node that is not accessible to end
users. We continue to recommend that image locations not be exposed to
end users. See OSSN-0065 for more information."

Sorry for the long quote, but I wanted to take this opportunity to
remind people that "The Glance team would be happy to discuss this more
with anyone interested in working on it".  It's particularly relevant to
anyone who will be at the PTG this week -- please look for the Glance
team and get a discussion started, because I don't think this item is
currently a priority for Train [2].


[0] https://docs.openstack.org/releasenotes/glance/rocky.html#known-issues
[1] https://review.opendev.org/#/c/528021/
[2] https://wiki.openstack.org/wiki/PTG/Train/Etherpads

On 4/29/19 8:43 AM, Massimo Sgaravatto wrote:
> I have a small Rocky installation where Glance is configured with 2
> backends (old images use the 'file' backend while new ones use the rbd
> backend, which is the default)
> 
> 
> show_multiple_locations  is true but I have these settings in policy.json:
> 
> # grep _image_location /etc/glance/policy.json
>     "delete_image_location": "role:admin",
>     "get_image_location": "role:admin",
>     "set_image_location": "role:admin",
> 
> This was done because of:
> https://wiki.openstack.org/wiki/OSSN/OSSN-0065
> 
> 
> If an unpriv user tries to share a private image:
> 
> $ openstack image add project 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6
> e81df4c0b493439abb8b85bfd4cbe071
> 403 Forbidden: Not allowed to create members for image
> 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6. (HTTP 403)
> 
> In the log file it looks like that the problem is related to the
> get_image_location operation:
> 
> /var/log/glance/api.log:2019-04-29 16:06:54.523 8220 WARNING
> glance.api.v2.image_members [req-dd93cdc9-767d-4c51-8e5a-edf746c02264
> ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a -
> default default] Not allowed to create members for image
> 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6.: Forbidden: You are not authorized
> to complete get_image_location action.
> 
> 
> But actually the sharing operation succeeded:
> 
> $ glance member-list --image-id 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6
> +--------------------------------------+----------------------------------+---------+
> | Image ID                             | Member ID                     
>   | Status  |
> +--------------------------------------+----------------------------------+---------+
> | 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 |
> e81df4c0b493439abb8b85bfd4cbe071 | pending |
> +--------------------------------------+----------------------------------+---------+
> 
> 
> Cheers, Massimo