non-admins can delete in-use images

Bug #1917469 reported by Felix Huettner
Affects: Glance
Status: In Progress
Importance: Medium
Assigned to: Felix Huettner
Milestone: (none)

Bug Description

Hello everyone,

We have an issue in the following (simplified) setup:

* we have a user who is uploading images. This user only has default member rights and is not an admin
* the user is uploading new versions of the images regularly
* the user tries to delete previous versions of the images to clean up space. Some of the deletes fail if the image is still in use
* the user then disables such images to ensure that no new instances are spawned from it

When the user now tries to delete such a disabled image, the delete always succeeds, independent of whether the image is actually in use or not. The deletion only happens in the Glance database; the image is still present in ceph.

Note that this issue does not happen if an admin tries to delete the disabled image. In that case the image is correctly checked for whether it is still in use.

Some general information regarding the environment:

* OpenStack release Queens
* ceph as a backend of cinder and glance
* show_image_direct_url is enabled to allow direct clones

In order to reproduce the issue the following steps are necessary (please run with a non-admin user):

[root@openstackclient-5fc7564495-vstnc /]# openstack image create --file img.raw testimage
+------------------+---------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------------+---------------------------------------------------------------------------------------------------------------+
| checksum | 01e7d1515ee776be3228673441d449e6 |
| container_format | bare |
| created_at | 2021-03-02T14:09:38Z |
| disk_format | raw |
| file | /v2/images/b8a48536-4b46-4a7b-b0ed-2e818ace11a2/file |
| id | b8a48536-4b46-4a7b-b0ed-2e818ace11a2 |
| min_disk | 0 |
| min_ram | 0 |
| name | testimage |
| owner | 4e6fb48327204e94b0021d17f1544e08 |
| properties | direct_url='rbd://2a38b93e-cfd9-403c-b5fd-6fa26a58898e/glance-pool/b8a48536-4b46-4a7b-b0ed-2e818ace11a2/snap' |
| protected | False |
| schema | /v2/schemas/image |
| size | 117440512 |
| status | active |
| tags | |
| updated_at | 2021-03-02T14:09:44Z |
| virtual_size | None |
| visibility | shared |
+------------------+---------------------------------------------------------------------------------------------------------------+

[root@openstackclient-5fc7564495-vstnc /]# openstack volume create --image b8a48536-4b46-4a7b-b0ed-2e818ace11a2 --size 10 testvol

[root@openstackclient-5fc7564495-vstnc /]# openstack image delete b8a48536-4b46-4a7b-b0ed-2e818ace11a2
Failed to delete image with name or ID 'b8a48536-4b46-4a7b-b0ed-2e818ace11a2': 409 Conflict: Image b8a48536-4b46-4a7b-b0ed-2e818ace11a2 could not be deleted because it is in use: The image cannot be deleted because it is in use through the backend store outside of Glance. (HTTP 409)
Failed to delete 1 of 1 images.

[root@openstackclient-5fc7564495-vstnc /]# openstack image set --deactivate b8a48536-4b46-4a7b-b0ed-2e818ace11a2

[root@openstackclient-5fc7564495-vstnc /]# openstack image delete b8a48536-4b46-4a7b-b0ed-2e818ace11a2

[root@openstackclient-5fc7564495-vstnc /]# openstack image show b8a48536-4b46-4a7b-b0ed-2e818ace11a2
Could not find resource b8a48536-4b46-4a7b-b0ed-2e818ace11a2

The issue seems to also affect newer Glance releases.
A fix is being developed at: https://review.opendev.org/c/openstack/glance/+/772872

Abhishek Kekane (abhishek-kekane) wrote :

IMO image deactivation should strictly be an admin-only operation.
By design, once an image is deactivated, only an admin has access to its location. So the correct way to fix this issue is to raise 403 Forbidden if any user other than an admin tries to delete the data.

Felix Huettner (felix.huettner) wrote :

This would however require all users who manage openstack images to be admin in glance.

In our case we have a regular job that pulls the latest ubuntu/debian/centos images and publishes them in Glance using the workflow outlined above.
This job is run with a user that is a normal member of a normal project. Its only special permission is "publicize_image", which is applied by using a custom role.

Your suggestion would require the usage of a user who gets unrequired access to all other images and who could also modify them.

Also, by default the deactivation and reactivation of an image is not an admin task and can be done by any normal user.

Erno Kuvaja (jokke) wrote :

The historical approach, and IIRC the default, is that users can deactivate their own images, but any operation on the image data of a deactivated image (including delete) is an admin operation. The delete was a specifically thought-out case, to avoid situations where an image is deactivated for admin investigation and a malicious owner would delete and recreate the image to avoid the investigation.

You really should use hidden images for the workflow you're describing, as that was specifically designed for the use case you're describing in the bug.

Felix Huettner (felix.huettner) wrote :

Thanks very much for making me aware of the hidden images option, I did not yet know about that.
I will then abandon the Change and create a new one that disallows deletion of disabled images for normal users like Abhishek suggested.

Felix Huettner (felix.huettner) wrote :

New version of the fix is now here: https://review.opendev.org/c/openstack/glance/+/778951
(it depends on a change in tempest as it relied on the broken behaviour)
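As an added illustration (not Glance's code, and not taken from the report or the fix under review), the delete decision is modelled in Python: the buggy path the report describes next to the admin-only rule the comments propose. The Image record, the store set and the in_use flag are constructed stand-ins for the Glance database row, the ceph backend and its in-use check.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """HTTP 403: caller may not perform this operation."""

class Conflict(Exception):
    """HTTP 409: image data is still in use through the backend store."""

@dataclass
class Image:
    status: str    # "active" or "deactivated"
    in_use: bool   # constructed stand-in for the backend in-use check

def delete_image_buggy(is_admin, image_id, db, store):
    """Report's path: non-admin + deactivated skips the in-use check."""
    image = db[image_id]
    if image.status == "deactivated" and not is_admin:
        del db[image_id]           # backend copy is left behind in the store
        return
    if image.in_use:
        raise Conflict(image_id)
    del db[image_id]
    store.discard(image_id)

def delete_image_fixed(is_admin, image_id, db, store):
    """Comments' direction: data ops on a deactivated image are admin-only."""
    image = db[image_id]
    if image.status == "deactivated" and not is_admin:
        raise Forbidden(image_id)
    if image.in_use:
        raise Conflict(image_id)
    del db[image_id]
    store.discard(image_id)

def scenario(delete):
    """Replay the report's steps as a non-admin: delete (409), deactivate,
    delete again. Returns (row_in_db, data_in_store, error_on_2nd_delete)."""
    db = {"img": Image("active", in_use=True)}   # constructed image record
    store = {"img"}                              # constructed backend store
    try:
        delete(False, "img", db, store)
    except Conflict:
        pass                                     # expected 409
    db["img"].status = "deactivated"             # image set --deactivate
    err = None
    try:
        delete(False, "img", db, store)
    except (Forbidden, Conflict) as e:
        err = type(e).__name__
    return ("img" in db, "img" in store, err)
```

With the buggy rule the row disappears while the store still holds the data; with the admin-only rule the non-admin gets 403 and both stay intact.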

Changed in glance:
status: New → In Progress
assignee: nobody → Felix Huettner (felix.huettner)
importance: Undecided → Medium