Comment 93 for bug 1546507

Brian Rosmaita (brian-rosmaita) wrote :

The open issues right now:
(0) Do we handle the "incurred" case in code, by script, or both?
(1) Mike/Fei Long's patches QA
(2) Tomoki's patch QA

I don't think we're going to make Liberty-EOL with this. That leaves Liberty installations vulnerable, unless they take the following steps:
(a) run a script to detect duplicate image locations and take appropriate action
(b) use two different glance nodes with separate policy and config files, one exposed to end-users and one exposed *only* to services. At a minimum, the public glance node must disallow the "set_image_location" policy for end-users.

(I need someone to verify that (a) and (b) are sufficient to block this exploit.)

So no matter how we decide on (0), it looks like we also need:
(3) script to detect duplicate image locations

As far as (3) goes, the script will have to detect duplicate locations in an arbitrary format (because an admin may have a workflow that puts the image in the backend first and then sets the image location). It will also have to handle "aliased" ceph locations (the two formats Mike mentions above). Are there any other requirements for this script that I'm missing?

Finally, I think we need to recommend that show_image_direct_url and show_multiple_locations *never* be exposed to end-users; any installation that wants to use these should run multiple Glance nodes as described in (b) above. Right now we say that these settings should be used with care because they are a security risk, but it would be good to suggest what "using with care" should look like.
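As an added illustration of item (3), not code from this bug thread or from the Glance project: a small detection script that walks a set of images' location lists, canonicalises each location so that differently spelled references to the same backend object compare equal, and reports any backend object referenced by more than one image. The input here is constructed sample data standing in for the `locations` field an admin would pull from the v2 image API (or directly from the `image_locations` table); the default pool name is a hypothetical stand-in for the deployment's `rbd_store_pool` setting. The two ceph spellings handled (`rbd://<fsid>/<pool>/<image>/<snapshot>` and the short `rbd://<image>`) are my assumption about the aliased formats referred to above.

```python
import posixpath
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Hypothetical stand-in for the deployment's [glance_store] rbd_store_pool.
# The short rbd location form carries no pool, so the configured pool is
# what the store would resolve it against.
RBD_STORE_POOL = "images"


def canonical_location(url, rbd_pool=RBD_STORE_POOL):
    """Reduce a glance location URL to a key identifying the backend object.

    Two URLs that name the same stored bytes must map to the same key,
    even when one is an alias of the other.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()

    if scheme == "rbd":
        # Assumed formats:
        #   full : rbd://<fsid>/<pool>/<image>/<snapshot>
        #   short: rbd://<image>          (pool taken from rbd_store_pool)
        segments = [s for s in (parts.netloc + parts.path).split("/") if s]
        if len(segments) == 1:
            pool, image = rbd_pool, segments[0]
        elif len(segments) == 4:
            _fsid, pool, image, _snapshot = segments
        else:
            raise ValueError("unrecognised rbd location: %r" % url)
        # fsid and snapshot name do not change which object is referenced
        return ("rbd", pool, image)

    if scheme == "file":
        # Collapse duplicate slashes, "." and ".." so path spellings compare equal
        return ("file", posixpath.normpath(unquote(parts.path)))

    # Generic fallback (swift, http, cinder, ...): case-fold host, normalise path
    return (scheme, parts.netloc.lower(), posixpath.normpath(unquote(parts.path)) or "/")


def find_duplicate_locations(images, rbd_pool=RBD_STORE_POOL):
    """Map each backend object referenced by more than one image to the
    sorted list of image ids that reference it.

    `images` is {image_id: [location_url, ...]} as an admin would collect
    from the image API with show_multiple_locations enabled.
    """
    index = defaultdict(set)
    for image_id, locations in images.items():
        for url in locations:
            index[canonical_location(url, rbd_pool)].add(image_id)
    return {key: sorted(ids) for key, ids in index.items() if len(ids) > 1}


# Constructed sample input: ids and backend names are invented for the example.
SAMPLE_IMAGES = {
    "img-a": ["rbd://0000-fsid-0000/images/aaaa-1111/snap"],
    "img-b": ["rbd://aaaa-1111"],                        # alias of img-a's object
    "img-c": ["file:///var/lib/glance/images/cccc"],
    "img-d": ["file:///var/lib/glance/images//cccc"],    # same file, extra slash
    "img-e": ["swift+https://objstore.example/v1/AUTH_t/glance/eeee"],
}


def report(images, rbd_pool=RBD_STORE_POOL):
    """Print one line per shared backend object; returns the duplicate map."""
    dups = find_duplicate_locations(images, rbd_pool)
    for key, ids in sorted(dups.items()):
        print("shared backend object %s referenced by images: %s"
              % (key, ", ".join(ids)))
    if not dups:
        print("no duplicate image locations found")
    return dups


if __name__ == "__main__":
    report(SAMPLE_IMAGES)
```

Run against a real deployment, the images dict would be built from an admin-scoped listing; any group the script prints is a set of images whose deletion could affect the others' data and needs the "appropriate action" (a) calls for, rather than an automatic fix by the script itself.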