[Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

iain MacDonnell iain.macdonnell at oracle.com
Thu Oct 18 22:48:27 UTC 2018


That all looks fine.

I believe that the "default" policy applies in place of any that's not 
explicitly specified - i.e. "if there's no matching policy below, you 
need to have the admin role to be able to do it". I do have that line in 
my policy.json, and I cannot reproduce your problem (see below).

I'm not using domains (other than "default"). I wonder if that's a factor...

     ~iain


$ openstack user create --password foo user1
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | d18c0031ec56430499a2d690cb1f125c |
| name                | user1                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
$ openstack user create --password foo user2
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | be9f1061a5104abd834eabe98dff055d |
| name                | user2                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
$ openstack project create project1
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 826876d6d3724018bae6253c7f540cb3 |
| is_domain   | False                            |
| name        | project1                         |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
$ openstack project create project2
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | b446b93ac6e24d538c1943acbdd13cb2 |
| is_domain   | False                            |
| name        | project2                         |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
$ openstack role add --user user1 --project project1 _member_
$ openstack role add --user user2 --project project2 _member_
$ export OS_PASSWORD=foo
$ export OS_USERNAME=user1
$ export OS_PROJECT_NAME=project1
$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
+--------------------------------------+--------+--------+
$ openstack image create --private image1
+------------------+------------------------------------------------------------------------------+
| Field            | Value                                                                        |
+------------------+------------------------------------------------------------------------------+
| checksum         | None                                                                         |
| container_format | bare                                                                         |
| created_at       | 2018-10-18T22:17:41Z                                                         |
| disk_format      | raw                                                                          |
| file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
| id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
| min_disk         | 0                                                                            |
| min_ram          | 0                                                                            |
| name             | image1                                                                       |
| owner            | 826876d6d3724018bae6253c7f540cb3                                             |
| properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
| protected        | False                                                                        |
| schema           | /v2/schemas/image                                                            |
| size             | None                                                                         |
| status           | queued                                                                       |
| tags             |                                                                              |
| updated_at       | 2018-10-18T22:17:41Z                                                         |
| virtual_size     | None                                                                         |
| visibility       | private                                                                      |
+------------------+------------------------------------------------------------------------------+
$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
| 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
+--------------------------------------+--------+--------+
$ export OS_USERNAME=user2
$ export OS_PROJECT_NAME=project2
$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
+--------------------------------------+--------+--------+
$ export OS_USERNAME=admin
$ export OS_PROJECT_NAME=admin
$ export OS_PASSWORD=xxx
$ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
$ export OS_USERNAME=user2
$ export OS_PROJECT_NAME=project2
$ export OS_PASSWORD=foo
$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
| 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
+--------------------------------------+--------+--------+
$


On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS 
INTEGRA, INC.] wrote:
> openstack user create --domain default --password xxxxxxxx --project-domain ndc --project test mike
> 
> 
> openstack role add --user mike --user-domain default --project test user
> 
> my admin account is in the NDC domain with a different username.
> 
> 
> 
> /etc/glance/policy.json
> {
> 
> "context_is_admin":  "role:admin",
> "default": "role:admin",
> 
> <snip>
> 
> 
> I'm not terribly familiar with the policies but I feel like that default line is making everyone an admin by default?
> 
> 
> Mike Moore, M.S.S.E.
>   
> Systems Engineer, Goddard Private Cloud
> Michael.D.Moore at nasa.gov
>   
> Hydrogen fusion brightens my day.
>   
> 
> On 10/18/18, 6:25 PM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
> 
>      
>      I suspect that your non-admin user is not really non-admin. How did you
>      create it?
>      
>      What you have for "context_is_admin" in glance's policy.json ?
>      
>           ~iain
>      
>      
>      On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      INTEGRA, INC.] wrote:
>      > I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
>      >
>      >
>      >
>      > Mike Moore, M.S.S.E.
>      >
>      > Systems Engineer, Goddard Private Cloud
>      > Michael.D.Moore at nasa.gov
>      >
>      > Hydrogen fusion brightens my day.
>      >
>      >
>      > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
>      >
>      >      Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
>      >
>      >      In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
>      >
>      >      Mike Moore, M.S.S.E.
>      >
>      >      Systems Engineer, Goddard Private Cloud
>      >      Michael.D.Moore at nasa.gov
>      >
>      >      Hydrogen fusion brightens my day.
>      >
>      >
>      >      On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>      >
>      >
>      >
>      >          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      >          INTEGRA, INC.] wrote:
>      >          > I’m seeing unexpected behavior in our Queens environment related to
>      >          > Glance image visibility. Specifically users who, based on my
>      >          > understanding of the visibility and ownership fields, should NOT be able
>      >          > to see or view the image.
>      >          >
>      >          > If I create a new image with openstack image create and specify –project
>      >          > <tenant> and –private a non-admin user in a different tenant can see and
>      >          > boot that image.
>      >          >
>      >          > That seems to be the opposite of what should happen. Any ideas?
>      >
>      >          Yep, something's not right there.
>      >
>      >          Are you sure that the user that can see the image doesn't have the admin
>      >          role (for the project in its keystone token) ?
>      >
>      >          Did you verify that the image's owner is what you intended, and that the
>      >          visibility really is "private" ?
>      >
>      >               ~iain
>      >
>      >          _______________________________________________
>      >          OpenStack-operators mailing list
>      >          OpenStack-operators at lists.openstack.org
>      >          https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
>      >
>      >
>      >
>      >
>      
> 

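As an added example (not code from the thread, from Glance or from oslo.policy), a simplified Python model of the two points Iain makes above: an action missing from policy.json falls back to the "default" rule, so `"default": "role:admin"` makes unlisted actions admin-only rather than making everyone an admin, and a private image should appear in `openstack image list` only for its owner project or an admin. The policy dictionary and image records are constructed to mirror the quoted policy.json lines and Iain's session; the domain handling Iain suspects is not modelled.

```python
"""Simplified model of Glance policy.json fallback and image visibility.
Added example, not Glance or oslo.policy code.  Rule syntax modelled:
"role:<name>", "rule:<name>", "" (always allow) and "!" (always deny)."""

# Constructed policy: the two lines quoted from policy.json plus explicit rules
# for the actions this example exercises.
POLICY = {
    "context_is_admin": "role:admin",
    "default": "role:admin",
    "get_images": "",                 # anyone may list images
    "publicize_image": "role:admin",  # only admins may set --public
}

def rule_matches(expr, roles, policy):
    """Evaluate one policy expression against the roles in a token."""
    expr = expr.strip()
    if expr == "":
        return True                   # empty rule: always allowed
    if expr == "!":
        return False                  # "!" rule: always denied
    if expr.startswith("rule:"):
        return check(expr[5:], roles, policy)
    if expr.startswith("role:"):
        return expr[5:] in roles
    raise ValueError("unsupported rule: %r" % expr)

def check(action, roles, policy=POLICY):
    """Authorize `action`.  An action with no explicit rule falls back to
    "default"; with default=role:admin that means admin-only, nothing more."""
    expr = policy.get(action, policy.get("default", "!"))
    return rule_matches(expr, roles, policy)

def visible_images(images, project_id, roles, policy=POLICY):
    """Image names a token (project + roles) should get from `image list`:
    public images for everyone, private ones only for the owner project or an
    admin, shared ones for the owner and the listed member projects."""
    if not check("get_images", roles, policy):
        return []
    admin = check("context_is_admin", roles, policy)
    names = []
    for img in images:
        own = img["owner"] == project_id
        member = img["visibility"] == "shared" and project_id in img.get("members", ())
        if admin or img["visibility"] == "public" or own or member:
            names.append(img["name"])
    return names

# Constructed records mirroring the session: cirros public, image1 private to project1.
IMAGES = [
    {"name": "cirros", "owner": "admin-project", "visibility": "public"},
    {"name": "image1", "owner": "project1", "visibility": "private"},
]
```

If a real deployment shows image1 to project2 with a `_member_`-only token, the discrepancy is in the token's roles or project (what Iain asks Mike to verify), not in the "default" rule.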