Glance

Bug #1916926
Comment #0

Comment 0 for bug 1916926

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2021-02-25: Glance leaks namespace existence to unauthorized users

This might not be a security issue since the user needs to know the namespace name, but opening this in private based on a recommendation from jokke.

╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤  $ source openrc demo demo                                                                                                                                                                                                                                                                                                                                                                          
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤  $ openstack token issue 
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2021-02-25T14:11:38+0000                                                                                                                                                                |
| id         | gAAAAABgN6IKDUKTn9RNudtZD605vA9l9eErCcXDrdxZwfhePYVlAHXzzCdQs6FK6XDwFvuexzfymc0uX7NY5RisEnQmUBl6eLccgBMYE6vSpVWCDTkFuKIuPfLh3xSkJGjZcpG7nfJ_ImU_wCJJFgcclf1zHTHWQ9Y15k-mAE7l3xceqUkOx2Y |
| project_id | ed4fade2e2cd4be0932ef30357f6d7a1                                                                                                                                                        |
| user_id    | e83b2f50463c4959bcc00a96b52b2f86                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤  $ glance md-namespace-show foo
+----------------------------+----------------------------------+
| Property                   | Value                            |
+----------------------------+----------------------------------+
| created_at                 | 2021-02-25T04:54:10Z             |
| namespace                  | foo                              |
| owner                      | ed4fade2e2cd4be0932ef30357f6d7a1 |
| protected                  | False                            |
| resource_type_associations | ["bar"]                          |
| schema                     | /v2/schemas/metadefs/namespace   |
| updated_at                 | 2021-02-25T04:54:10Z             |
| visibility                 | private                          |
+----------------------------+----------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤  $ source alicerc 
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤  $ glance md-resource-type-associate --name test foo
HTTP 403 Forbidden: Forbidding request, metadata definition namespace=foo is not visible.

This might not be a security issue since the user needs to know the namespace name, but opening this in private based on a recommendation from jokke.