Comment 53 for bug 1546507
Revision history for this message
| Nikhil Komawar (nikhil-komawar) wrote Re: Regular user can delete any image file | #53 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
9199653
demo site
(Get the code!)
Related content to image-location bugs in his emails is as follows:
#######
---
Adoption of glance v2 in Nova requires to allow users to set custom locations for their images to be able to make snapshots on deployments with Ceph. https:/
Glance v2 implementation of custom locations has security threat and it's not recommended to use by anyone except administrators, because it allows users to replace location of their active images. (Bug https:/
mfedosin@wdev:~$ glance image-create --name good --disk-format qcow2 --container-format bare --visibility public
+------
| Property | Value |
+------
| checksum | None |
| container_format | bare |
| created_at | 2015-11-
| disk_format | qcow2 |
| id | 2a745d21-
| locations | [] |
| min_disk | 0 |
| min_ram | 0 |
| name | good |
| owner | f3b42d4b90d840b
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2015-11-
| virtual_size | None |
| visibility | public |
+------
mfedosin@wdev:~$ glance location-add 2a745d21-
+------
| Property | Value |
+------
| checksum | None |
| container_format | bare |
| created_at | 2015-11-
| disk_format | qcow2 |
| file | /v2/images/
| id | 2a745d21-
| locations | [{"url": "https:/
| | {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good |
| owner | f3b42d4b90d840b
| protected | False |
| schema | /v2/schemas/image |
| size | 43 |
| status | active |
| tags | [] |
| updated_at | 2015-11-
| virtual_size | None |
| visibility | public |
+------
mfedosin@wdev:~$ glance image-download 2a745d21-
mfedosin@wdev:~$ cat ooo
I'm really good image.
mfedosin@wdev:~$ glance location-add 2a745d21-
+------
| Property | Value |
+------
| checksum | None |
| container_format | bare |
| created_at | 2015-11-
| disk_format | qcow2 |
| file | /v2/images/
| id | 2a745d21-
| locations | [{"url": "https:/
| | {}}, {"url": "https:/
| | {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good |
| owner | f3b42d4b90d840b
| protected | False |
| schema | /v2/schemas/image |
| size | 43 |
| status | active |
| tags | [] |
| updated_at | 2015-11-
| virtual_size | None |
| visibility | public |
+------
mfedosin@wdev:~$ glance location-delete 2a745d21-
mfedosin@wdev:~$ glance image-download 2a745d21-
mfedosin@wdev:~$ cat ooo
All your base are belong to us! Muahahaha!
This behavior breaks the promise that images are immutable, because user can easily modify them. The solution is to limit number of possible locations to 1, but it may break some deployments that use this feature with multiple locations.
Another issue he finds is:
Glance v2 is able to show image location to end user. Like in case 2 this feature has to be activated to allow user make snapshots on ceph deployments. If user knows private location url, then he can create own image and set this location there. Then, if user deletes his image, the original data will be deleted as well. Example:
User gets list of images:
mfedosin@winter ~ $ glance image-list
+------
| ID | Name |
+------
| 0741cbc7-
| 2e4b6dca-
| 39599dd3-
| 153397f8-
+------
User requests info about public image he wants to delete:
mfedosin@winter ~ $ glance image-show 2e4b6dca-
+------
| Property | Value |
+------
| checksum | ee1eca47dc88f48
| container_format | bare |
| created_at | 2016-02-
| direct_url | rbd://647f7ae8-
| | 4463cd7038de/snap |
| disk_format | qcow2 |
| id | 2e4b6dca-
| min_disk | 0 |
| min_ram | 64 |
| name | TestVM |
| owner | 1c6cea59a605437
| protected | False |
| size | 13287936 |
| status | active |
| tags | [] |
| updated_at | 2016-02-
| virtual_size | None |
| visibility | public |
+------
Optional: User may try to download image file with "glance image-download 2e4b6dca-
User copies direct image url: from 'direct_url' or 'locations' field
rbd://647f7ae8-
User creates new image instance in db and sets custom location with "glance --os-image-
mfedosin@winter ~ $ glance --os-image-
+------
| Property | Value |
+------
| checksum | None |
| container_format | bare |
| created_at | 2016-02-
| deleted | False |
| deleted_at | None |
| disk_format | qcow2 |
| id | b12c6965-
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | rerere |
| owner | fa343a042d2b47c
| protected | False |
| size | 13287936 |
| status | active |
| updated_at | 2016-02-
| virtual_size | None |
+------
Optional: User may try to verify that image has desired location
mfedosin@winter ~ $ glance image-show b12c6965-
+------
| Property | Value |
+------
| checksum | None |
| container_format | bare |
| created_at | 2016-02-
| direct_url | rbd://647f7ae8-
| | 4463cd7038de/snap |
| disk_format | qcow2 |
| id | b12c6965-
| min_disk | 0 |
| min_ram | 0 |
| name | rerere |
| owner | fa343a042d2b47c
| protected | False |
| size | 13287936 |
| status | active |
| tags | [] |
| updated_at | 2016-02-
| virtual_size | None |
| visibility | private |
+------
User deletes his image. Image data will be deleted too.
glance image-delete b12c6965-
mfedosin@winter ~ $ glance image-delete b12c6965-
mfedosin@winter ~ $ glance image-show b12c6965-
404 Not Found: No image found with ID b12c6965-
Trying to access public data will failed after that.
There is a fix for that (https:/
---