[ops][glance][security] looking for metadefs users

Abhishek Kekane akekane at redhat.com
Fri Mar 12 05:28:57 UTC 2021


On Fri, Mar 12, 2021 at 2:27 AM Jeremy Stanley <fungi at yuggoth.org> wrote:

> On 2021-03-11 14:22:21 -0600 (-0600), Ghanshyam Mann wrote:
> [...]
> > In a quick search, the interop certification guidelines [1] also do
> > not use these API capabilities, so changing to admin should be fine
> > from an interop point of view, and likewise from a Tempest test
> > modification point of view.
> [...]
>
> Yep, if you check out the original bug reports leading up to the
> OSSN, we did at least confirm these were not part of any trademark
> program requirement before recommending that access be blocked. That
> was one of our deciding factors in the disclosure timeline.
> --
> Jeremy Stanley
>

Thanks to Sean and Belmiro for confirming how and where metadefs are used.
I think it makes more sense now to keep these metadef create/update/delete
APIs admin-only and grant read-only access to normal users. In the advisory
we should also specify that there is still a possibility of an information
leak in this case.

Thanks and Regards,

Abhishek Kekane
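The access model the reply settles on (metadef writes admin-only, reads open to normal users) is an oslo.policy question on the Glance side. The following policy.yaml fragment is an added illustration, not the thread's content or Glance's shipped policy file: the commented-out block is the permissive form, where an empty rule string lets any caller with a valid token create, modify and delete metadef namespaces, objects, properties, tags and resource-type associations; the active block is the restricted form. The policy target names are the Glance metadef targets; the rule names `metadef_admin` and `metadef_read` are my own naming, assumed for the example and not necessarily the names Glance uses.

```yaml
# Added example (not Glance's own policy.yaml): oslo.policy rules for the
# Glance metadef API, permissive form beside the restricted form.
# In oslo.policy an empty rule string "" imposes no restriction, so any
# authenticated caller passes the check.

# --- Permissive form: any authenticated user may write metadefs ---
# "add_metadef_namespace": ""
# "modify_metadef_namespace": ""
# "delete_metadef_namespace": ""
# "add_metadef_object": ""
# "modify_metadef_object": ""
# "delete_metadef_object": ""
# "add_metadef_property": ""
# "modify_metadef_property": ""
# "remove_metadef_property": ""
# "add_metadef_tag": ""
# "add_metadef_tags": ""
# "modify_metadef_tag": ""
# "delete_metadef_tag": ""
# "delete_metadef_tags": ""
# "add_metadef_resource_type_association": ""
# "remove_metadef_resource_type_association": ""

# --- Restricted form: writes admin-only, reads open to authenticated users ---
"context_is_admin": "role:admin"
# Rule names below are assumptions for this example, not Glance defaults.
"metadef_admin": "rule:context_is_admin"
"metadef_read": ""

# create / update / delete: admin only
"add_metadef_namespace": "rule:metadef_admin"
"modify_metadef_namespace": "rule:metadef_admin"
"delete_metadef_namespace": "rule:metadef_admin"
"add_metadef_object": "rule:metadef_admin"
"modify_metadef_object": "rule:metadef_admin"
"delete_metadef_object": "rule:metadef_admin"
"add_metadef_property": "rule:metadef_admin"
"modify_metadef_property": "rule:metadef_admin"
"remove_metadef_property": "rule:metadef_admin"
"add_metadef_tag": "rule:metadef_admin"
"add_metadef_tags": "rule:metadef_admin"
"modify_metadef_tag": "rule:metadef_admin"
"delete_metadef_tag": "rule:metadef_admin"
"delete_metadef_tags": "rule:metadef_admin"
"add_metadef_resource_type_association": "rule:metadef_admin"
"remove_metadef_resource_type_association": "rule:metadef_admin"

# read / list: any authenticated user (this is the residual information
# exposure the reply says the advisory should call out)
"get_metadef_namespace": "rule:metadef_read"
"get_metadef_namespaces": "rule:metadef_read"
"get_metadef_object": "rule:metadef_read"
"get_metadef_objects": "rule:metadef_read"
"get_metadef_property": "rule:metadef_read"
"get_metadef_properties": "rule:metadef_read"
"get_metadef_tag": "rule:metadef_read"
"get_metadef_tags": "rule:metadef_read"
"get_metadef_resource_type": "rule:metadef_read"
"list_metadef_resource_types": "rule:metadef_read"
```

With the read rules left open, whatever an admin places in a namespace (property names, descriptions, object definitions) remains visible to every authenticated user; tightening reads too would close that leak at the cost of breaking clients such as dashboards that browse metadefs. After editing the file, confirm the result against a non-admin token by attempting a namespace create (expect 403) and a namespace list (expect 200).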
