+OSSN-0065 suggested that this attack vector could be addressed by using
+policies, but that turned out not to be the case. The only way currently
+to close this vector is to deploy an internal-only-facing glance-api
+used by Nova and Cinder, with show_multiple_locations enabled, and an
+end-user-facing glance-api with show_multiple_locations disabled.
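Review bot: "close this vector" in the second sentence overstates what the dual deployment achieves, since the internal-only glance-api still runs with show_multiple_locations enabled and the vector stays open to anything that can reach that endpoint. Suggest wording it as limiting exposure to the internal endpoint, and stating explicitly that the internal glance-api must not be reachable by end users. The first sentence would also be clearer if it named which policies OSSN-0065 proposed, so operators who applied them know that configuration is not sufficient.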
"The only way currently mitigate this vector is to deploy" The dual deployment does not close the attack vector, just limits it from external users. Without patching the gapi service code the only way to close this vector is to not enable "show_image_direct_url" nor "show_multiple_locations" and that way disable the locations API.