[Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] michael.d.moore at nasa.gov
Thu Oct 25 22:43:30 UTC 2018


I have dug deep into the code for glance, shoving debug outputs in to see what I can find in our Queens environment.

Here is my debug code (I have a lot more, but this is the salient part):

        LOG.debug("in enforce(), action='%s', policyvalues='%s'", action, context.to_policy_values())
        return super(Enforcer, self).enforce(action, target,
                                             context.to_policy_values(),
                                             do_raise=True,
                                             exc=exception.Forbidden,
                                             action=action)

Below is the output when I attempt to set an image that I own, while being an admin, to public via `openstack image set --public cirros`:

2018-10-25 18:29:16.575 17561 DEBUG glance.api.policy [req-e343bb10-8ec8-40df-8c0c-47d1b217ca0d - - - - -] in enforce(), action='publicize_image', policyvalues='{'service_roles': [], 'user_id': None, 'roles': [], 'user_domain_id': None, 'service_project_id': None, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_domain_id': None, 'is_admin_project': True, 'user': None, 'project_id': None, 'tenant': None, 'project_domain_id': None}' enforce /usr/lib/python2.7/site-packages/glance/api/policy.py:64

And here is what shows up when I run `openstack image list` as our test user (`jonathan`), who is NOT an admin:

2018-10-25 18:32:24.841 17564 DEBUG glance.api.policy [req-22abdcf2-14cd-4680-8deb-e48902a7ddef - - - - -] in enforce(), action='get_images', policyvalues='{'service_roles': [], 'user_id': None, 'roles': [], 'user_domain_id': None, 'service_project_id': None, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_domain_id': None, 'is_admin_project': True, 'user': None, 'project_id': None, 'tenant': None, 'project_domain_id': None}' enforce /usr/lib/python2.7/site-packages/glance/api/policy.py:64


The takeaway I have is that in the case of get_images, is_admin_project is True, which is WRONG for that test, but since it's a read-only operation it's content to short-circuit and return all those images.

In the case of publicize_image, the is_admin_project being True isn’t enough, and when it checks user (which is None) it says NOPE.


So somehow, for some reason, the glance API's context is super duper wrong.


Mike Moore, M.S.S.E.

Systems Engineer, Goddard Private Cloud
Michael.D.Moore at nasa.gov<mailto:Michael.D.Moore at nasa.gov>

Hydrogen fusion brightens my day.

 <snip chain to let message go to group>
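The two debug lines in the message share one telling property: every identity field in the policy values (user_id, project_id, roles) is empty, for the admin and for the non-admin alike. A quick way to find out how widespread that is in a glance log is to parse the `in enforce()` lines and flag the ones whose context carries no caller identity at all. The following is an added example written for this page; it is not code from the post or from glance. It assumes the exact debug-line layout shown above (a Python dict repr after `policyvalues=`), and the third sample line, with a populated user/project/roles, is constructed as a healthy counter-example; the first two are the lines quoted in the message.

```python
"""Triage helper for glance policy debug lines (added example, not glance code).

Parses `in enforce()` debug lines of the form shown in the post, extracts the
action and the policy values dict, and flags requests whose context has no
user, no project and no roles, i.e. the anonymous-looking context the post
describes.  The line format is assumed from the post; the third sample line
below is constructed for this example.
"""
import ast
import re

# Assumed layout of the debug line (taken from the post):
#   ... [req-<id> - - - - -] in enforce(), action='<action>', policyvalues='<dict>' enforce <file>:<lineno>
LINE_RE = re.compile(
    r"\[(?P<req>req-[0-9a-f-]+)[^\]]*\] in enforce\(\), "
    r"action='(?P<action>[^']+)', policyvalues='(?P<values>\{.*\})' enforce"
)

# Sample input: first two lines copied from the post, third line constructed
# to show what an authenticated, non-admin request would look like.
SAMPLE_LINES = [
    "2018-10-25 18:29:16.575 17561 DEBUG glance.api.policy [req-e343bb10-8ec8-40df-8c0c-47d1b217ca0d - - - - -] "
    "in enforce(), action='publicize_image', policyvalues='{'service_roles': [], 'user_id': None, 'roles': [], "
    "'user_domain_id': None, 'service_project_id': None, 'service_user_id': None, 'service_user_domain_id': None, "
    "'service_project_domain_id': None, 'is_admin_project': True, 'user': None, 'project_id': None, 'tenant': None, "
    "'project_domain_id': None}' enforce /usr/lib/python2.7/site-packages/glance/api/policy.py:64",
    "2018-10-25 18:32:24.841 17564 DEBUG glance.api.policy [req-22abdcf2-14cd-4680-8deb-e48902a7ddef - - - - -] "
    "in enforce(), action='get_images', policyvalues='{'service_roles': [], 'user_id': None, 'roles': [], "
    "'user_domain_id': None, 'service_project_id': None, 'service_user_id': None, 'service_user_domain_id': None, "
    "'service_project_domain_id': None, 'is_admin_project': True, 'user': None, 'project_id': None, 'tenant': None, "
    "'project_domain_id': None}' enforce /usr/lib/python2.7/site-packages/glance/api/policy.py:64",
    # Constructed healthy line: identity present, not an admin project.
    "2018-10-25 18:40:00.000 17564 DEBUG glance.api.policy [req-00000000-0000-0000-0000-000000000000 - - - - -] "
    "in enforce(), action='get_images', policyvalues='{'service_roles': [], 'user_id': 'u1', 'roles': ['member'], "
    "'project_id': 'p1', 'is_admin_project': False}' enforce /usr/lib/python2.7/site-packages/glance/api/policy.py:64",
]


def parse_enforce_line(line):
    """Return (request_id, action, policy_values) or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # literal_eval only accepts Python literals, so a log line cannot execute code here.
    values = ast.literal_eval(m.group("values"))
    return m.group("req"), m.group("action"), values


def context_is_anonymous(values):
    """True when the policy values carry no caller identity at all.

    A Keystone-authenticated request has at least user_id, project_id and a
    non-empty roles list; all three missing is the condition the post shows
    for both the admin and the non-admin user.
    """
    return (
        values.get("user_id") is None
        and values.get("project_id") is None
        and not values.get("roles")
    )


def triage(lines):
    """Return [(request_id, action, is_admin_project)] for anonymous-context enforce() calls."""
    flagged = []
    for line in lines:
        parsed = parse_enforce_line(line)
        if parsed is None:
            continue
        req, action, values = parsed
        if context_is_anonymous(values):
            flagged.append((req, action, values.get("is_admin_project")))
    return flagged


if __name__ == "__main__":
    for req, action, admin_project in triage(SAMPLE_LINES):
        print("%s %s anonymous context (is_admin_project=%s)" % (req, action, admin_project))
```

Run it against a real glance-api.log after enabling the debug line from the message; every flagged request is one where the policy engine decided with no user, project or roles attached, which is exactly the state in which read-only rules can pass for everyone while role-gated rules fail for everyone.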