[glance] [ops] Issue sharing an image with another project (something related to get_image_location)
I have a small Rocky installation where Glance is configured with 2 backends (old images use the 'file' backend while new ones use the rbd backend, which is the default).

show_multiple_locations is true but I have these settings in policy.json:

# grep _image_location /etc/glance/policy.json
"delete_image_location": "role:admin",
"get_image_location": "role:admin",
"set_image_location": "role:admin",

This was done because of: https://wiki.openstack.org/wiki/OSSN/OSSN-0065

If an unpriv user tries to share a private image:

$ openstack image add project 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 e81df4c0b493439abb8b85bfd4cbe071
403 Forbidden: Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6. (HTTP 403)

In the log file it looks like the problem is related to the get_image_location operation:

/var/log/glance/api.log:2019-04-29 16:06:54.523 8220 WARNING glance.api.v2.image_members [req-dd93cdc9-767d-4c51-8e5a-edf746c02264 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default default] Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6.: Forbidden: You are not authorized to complete get_image_location action.

But actually the sharing operation succeeded:

$ glance member-list --image-id 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6
+--------------------------------------+----------------------------------+---------+
| Image ID                             | Member ID                        | Status  |
+--------------------------------------+----------------------------------+---------+
| 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 | e81df4c0b493439abb8b85bfd4cbe071 | pending |
+--------------------------------------+----------------------------------+---------+

Cheers, Massimo
(Apologies for top-posting.)

Hi Massimo,

Two things:

(1) Please file a glance bug for this. I didn't think the sharing code would touch image locations, but apparently it does. In the bug report, please include your policy settings for *_location and *_member, and also the output of an image-show call for the image you're trying to share, and the log extract.

(2) With the policy settings you have for *_location, I don't think that any regular (non-admin) user will be able to download an image or boot an instance from an image, so you should verify those operations.

Given what I just said, how do you protect against OSSN-0065? The following is from the Rocky release notes [0] (which you may not have seen; this item was merged after 17.0.0, and we haven't done a point release, so they're only available online):

"The show_multiple_locations configuration option remains deprecated in this release, but it has not been removed. (It had been scheduled for removal in the Pike release.) Please keep a watch on the Glance release notes and the glance-specs repository to stay informed about developments on this issue.

"The plan is to eliminate the option and use only policies to control image locations access. This, however, requires some major refactoring. See the draft Policy Refactor spec [1] for more information.

"There is no projected timeline for this change, as no one has been able to commit time to it. The Glance team would be happy to discuss this more with anyone interested in working on it.

"The workaround is to continue to use the show_multiple_locations option in a dedicated “internal” Glance node that is not accessible to end users. We continue to recommend that image locations not be exposed to end users. See OSSN-0065 for more information."

Sorry for the long quote, but I wanted to take this opportunity to remind people that "The Glance team would be happy to discuss this more with anyone interested in working on it". It's particularly relevant to anyone who will be at the PTG this week -- please look for the Glance team and get a discussion started, because I don't think this item is currently a priority for Train [2].

[0] https://docs.openstack.org/releasenotes/glance/rocky.html#known-issues
[1] https://review.opendev.org/#/c/528021/
[2] https://wiki.openstack.org/wiki/PTG/Train/Etherpads

On 4/29/19 8:43 AM, Massimo Sgaravatto wrote:
I have a small Rocky installation where Glance is configured with 2 backends (old images use the 'file' backend while new ones use the rbd backend, which is the default)
show_multiple_locations is true but I have these settings in policy.json:
# grep _image_location /etc/glance/policy.json
"delete_image_location": "role:admin",
"get_image_location": "role:admin",
"set_image_location": "role:admin",
This was done because of: https://wiki.openstack.org/wiki/OSSN/OSSN-0065
If an unpriv user tries to share a private image:
$ openstack image add project 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 e81df4c0b493439abb8b85bfd4cbe071
403 Forbidden: Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6. (HTTP 403)
In the log file it looks like the problem is related to the get_image_location operation:
/var/log/glance/api.log:2019-04-29 16:06:54.523 8220 WARNING glance.api.v2.image_members [req-dd93cdc9-767d-4c51-8e5a-edf746c02264 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default default] Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6.: Forbidden: You are not authorized to complete get_image_location action.
But actually the sharing operation succeeded:
$ glance member-list --image-id 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6
+--------------------------------------+----------------------------------+---------+
| Image ID                             | Member ID                        | Status  |
+--------------------------------------+----------------------------------+---------+
| 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 | e81df4c0b493439abb8b85bfd4cbe071 | pending |
+--------------------------------------+----------------------------------+---------+
Cheers, Massimo
Hi Brian

Thanks for your
A couple of answers in-line:

On Wed, May 1, 2019 at 3:25 PM Brian Rosmaita <rosmaita.fossdev@gmail.com> wrote:
(Apologies for top-posting.)
Hi Massimo,
Two things:
(1) Please file a glance bug for this. I didn't think the sharing code would touch image locations, but apparently it does. In the bug report, please include your policy settings for *_location and *_member, and also the output of an image-show call for the image you're trying to share, and the log extract.
Sure: I will
(2) With the policy settings you have for *_location, I don't think that any regular (non-admin) user will be able to download an image or boot an instance from an image, so you should verify those operations.
Actually it works. E.g.:

$ openstack image show 7ebe160d-5498-477b-aa2e-94a6d962a075
+------------------+------------------------------------------------------------------------------+
| Field            | Value                                                                        |
+------------------+------------------------------------------------------------------------------+
| checksum         | b4548edf0bc476c50c083fb88717d92f                                             |
| container_format | bare                                                                         |
| created_at       | 2018-01-15T16:14:35Z                                                         |
| disk_format      | qcow2                                                                        |
| file             | /v2/images/7ebe160d-5498-477b-aa2e-94a6d962a075/file                         |
| id               | 7ebe160d-5498-477b-aa2e-94a6d962a075                                         |
| min_disk         | 3                                                                            |
| min_ram          | 512                                                                          |
| name             | CentOS7                                                                      |
| owner            | 56c3f5c047e74a78a71438c4412e6e13                                             |
| properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
| protected        | False                                                                        |
| schema           | /v2/schemas/image                                                            |
| size             | 877985792                                                                    |
| status           | active                                                                       |
| tags             |                                                                              |
| updated_at       | 2018-01-15T16:21:23Z                                                         |
| virtual_size     | None                                                                         |
| visibility       | public                                                                       |
+------------------+------------------------------------------------------------------------------+

So locations are not shown, as expected, since I am a 'regular' (non-admin) user.

But I am able to download the image:

$ openstack image save --file ~/CentOS7.qcow2 7ebe160d-5498-477b-aa2e-94a6d962a075
$ ls -l ~/CentOS7.qcow2
-rw-r--r-- 1 sgaravat utenti 877985792 May 2 08:54 /home/sgaravat/CentOS7.qcow2
$ md5sum ~/CentOS7.qcow2
b4548edf0bc476c50c083fb88717d92f /home/sgaravat/CentOS7.qcow2

I am also able to launch an instance using this image.

Thanks, Massimo
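As an added check (not part of Glance and not code from anyone in this thread), the following audits the three *_image_location rules Massimo restricted per OSSN-0065 and pulls the request id, image id and denied action out of the glance-api warning he posted, so an operator can grep api.log for further "not authorized to complete ... action" hits. The sample policy and log line are copied from the messages above; everything else is assumed.

```python
import json
import re

# The three policy rules OSSN-0065 advises restricting to admins,
# named exactly as in the policy.json excerpt from the thread.
LOCATION_RULES = ("get_image_location", "set_image_location", "delete_image_location")

# Sample input copied from the thread: the policy.json settings ...
SAMPLE_POLICY_JSON = """{
    "delete_image_location": "role:admin",
    "get_image_location": "role:admin",
    "set_image_location": "role:admin"
}"""

# ... and the glance-api warning line (joined here into one string).
SAMPLE_LOG_LINE = (
    "2019-04-29 16:06:54.523 8220 WARNING glance.api.v2.image_members "
    "[req-dd93cdc9-767d-4c51-8e5a-edf746c02264 ab573ba3ea014b778193b6922ffffe6d "
    "ee1865a76440481cbcff08544c7d580a - default default] Not allowed to create "
    "members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6.: Forbidden: "
    "You are not authorized to complete get_image_location action."
)

# Request id, image id and the policy action named in the Forbidden message.
DENIED_RE = re.compile(
    r"\[(?P<req>req-[0-9a-f-]+) [^\]]*\] .*?image (?P<image>[0-9a-f-]{36})\.: "
    r"Forbidden: You are not authorized to complete (?P<action>\w+) action\."
)


def audit_location_policy(policy_json: str) -> dict:
    """Report each *_image_location rule and whether it is admin-only.

    A rule missing from the file is reported with value None and admin_only
    False: it then falls back to whatever the default rule grants, which
    needs a manual look rather than an automatic pass.
    """
    policy = json.loads(policy_json)
    report = {}
    for rule in LOCATION_RULES:
        value = policy.get(rule)
        admin_only = value is not None and value.strip() == "role:admin"
        report[rule] = {"value": value, "admin_only": admin_only}
    return report


def parse_denied_action(log_line: str):
    """Return request id, image id and denied action from a Forbidden warning,
    or None for log lines that are not a policy denial."""
    match = DENIED_RE.search(log_line)
    return match.groupdict() if match else None
```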
On Thu, May 2, 2019 at 9:03 AM Massimo Sgaravatto < massimo.sgaravatto@gmail.com> wrote:
Hi Brian
Thanks for your A couple of answers in-line:
On Wed, May 1, 2019 at 3:25 PM Brian Rosmaita <rosmaita.fossdev@gmail.com> wrote:
(Apologies for top-posting.)
Hi Massimo,
Two things:
(1) Please file a glance bug for this. I didn't think the sharing code would touch image locations, but apparently it does. In the bug report, please include your policy settings for *_location and *_member, and also the output of an image-show call for the image you're trying to share, and the log extract.
Sure: I will
https://bugs.launchpad.net/glance/+bug/1827342

Thanks again, Massimo