I have dug deep into the code for glance, shoving debug outputs to see what I 
can find in our queens environment.

Here is my debug code (I have a lot more but this is the salient part)

        # Dump the action and the policy-values dict that glance hands to
        # oslo.policy, immediately before the real enforce() call
        LOG.debug("in enforce(), action='%s', policyvalues='%s'",
                  action, context.to_policy_values())
        return super(Enforcer, self).enforce(action, target,
                                             context.to_policy_values(),
                                             do_raise=True,
                                             exc=exception.Forbidden,
                                             action=action)

Below is the output attempting to set an image that I own, while being an admin, 
to public via `openstack image set --public cirros`

2018-10-25 18:29:16.575 17561 DEBUG glance.api.policy 
[req-e343bb10-8ec8-40df-8c0c-47d1b217ca0d - - - - -] in enforce(), 
action='publicize_image', policyvalues='{'service_roles': [], 'user_id': None, 
'roles': [], 'user_domain_id': None, 'service_project_id': None, 
'service_user_id': None, 'service_user_domain_id': None, 
'service_project_domain_id': None, 'is_admin_project': True, 'user': None, 
'project_id': None, 'tenant': None, 'project_domain_id': None}' enforce 
/usr/lib/python2.7/site-packages/glance/api/policy.py:64

And here is what shows up when I `openstack image list`  as our test user 
(`jonathan`) that is NOT an admin

2018-10-25 18:32:24.841 17564 DEBUG glance.api.policy 
[req-22abdcf2-14cd-4680-8deb-e48902a7ddef - - - - -] in enforce(), 
action='get_images', policyvalues='{'service_roles': [], 'user_id': None, 
'roles': [], 'user_domain_id': None, 'service_project_id': None, 
'service_user_id': None, 'service_user_domain_id': None, 
'service_project_domain_id': None, 'is_admin_project': True, 'user': None, 
'project_id': None, 'tenant': None, 'project_domain_id': None}' enforce 
/usr/lib/python2.7/site-packages/glance/api/policy.py:64


The takeaway that I have is that in the case of get_images, is_admin_project is 
True, which is WRONG for that test, but since it's a read-only operation it's 
content to short-circuit and return all those images.

In the case of publicize_image, is_admin_project being True isn't enough, 
and when it checks user (which is None) it says NOPE.


So somehow, for some reason, the glance API's context is super duper wrong.


Mike Moore, M.S.S.E.

Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov

Hydrogen fusion brightens my day.

 <snip chain to let message go to group>
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
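The two debug records above both show a policy context with no user_id, no project_id and an empty roles list, yet is_admin_project=True. The following script is an added example (not part of the post and not glance or oslo.policy code): it parses those two records, re-joined onto one line each as constructed sample input, flags an identity-less context that still carries admin-project status, and runs a deliberately small model of oslo.policy check strings over it. The rule strings for the two actions ("" for get_images, "role:admin" for publicize_image) and the evaluator's semantics are assumptions for illustration, not the library's own implementation.

```python
import ast
import re

# Constructed sample input: the two glance.api.policy debug records quoted in
# the post, each re-joined onto a single line (the wrapped lines in the mail
# are one log record apiece). Request ids and values are as shown in the post.
SAMPLE_LOG = (
    "2018-10-25 18:29:16.575 17561 DEBUG glance.api.policy "
    "[req-e343bb10-8ec8-40df-8c0c-47d1b217ca0d - - - - -] in enforce(), "
    "action='publicize_image', policyvalues='{'service_roles': [], 'user_id': None, "
    "'roles': [], 'user_domain_id': None, 'service_project_id': None, "
    "'service_user_id': None, 'service_user_domain_id': None, "
    "'service_project_domain_id': None, 'is_admin_project': True, 'user': None, "
    "'project_id': None, 'tenant': None, 'project_domain_id': None}' enforce "
    "/usr/lib/python2.7/site-packages/glance/api/policy.py:64\n"
    "2018-10-25 18:32:24.841 17564 DEBUG glance.api.policy "
    "[req-22abdcf2-14cd-4680-8deb-e48902a7ddef - - - - -] in enforce(), "
    "action='get_images', policyvalues='{'service_roles': [], 'user_id': None, "
    "'roles': [], 'user_domain_id': None, 'service_project_id': None, "
    "'service_user_id': None, 'service_user_domain_id': None, "
    "'service_project_domain_id': None, 'is_admin_project': True, 'user': None, "
    "'project_id': None, 'tenant': None, 'project_domain_id': None}' enforce "
    "/usr/lib/python2.7/site-packages/glance/api/policy.py:64\n"
)

ENFORCE_RE = re.compile(
    r"\[(?P<req>req-[0-9a-f-]+)[^\]]*\] in enforce\(\), "
    r"action='(?P<action>[^']+)', policyvalues='(?P<values>\{.*?\})' enforce"
)


def parse_enforce_line(line):
    """Return (request_id, action, policy-values dict) for one record, else None."""
    m = ENFORCE_RE.search(line)
    if m is None:
        return None
    # The values are a Python repr of a dict (None/True/lists); literal_eval
    # parses that without executing anything.
    return m.group("req"), m.group("action"), ast.literal_eval(m.group("values"))


def context_findings(values):
    """Flag a policy context that carries no caller identity yet still has
    admin-project status, which is exactly what both records above show."""
    findings = []
    if values.get("user_id") is None and values.get("project_id") is None:
        findings.append("no user_id or project_id: no authenticated identity in context")
    if not values.get("roles"):
        findings.append("empty roles: every role:<name> rule must fail")
    if values.get("is_admin_project") and values.get("user_id") is None:
        findings.append("is_admin_project=True on an identity-less context")
    return findings


def evaluate(check_str, values):
    """Small model of oslo.policy check strings (an assumption for illustration,
    not the library): '' allows everything, 'a or b' is a disjunction,
    'role:<name>' needs that role, any other 'key:value' compares str(values[key])."""
    check_str = check_str.strip()
    if check_str == "":
        return True
    if " or " in check_str:
        return any(evaluate(part, values) for part in check_str.split(" or "))
    key, _, arg = check_str.partition(":")
    if key == "role":
        return arg in (values.get("roles") or [])
    return str(values.get(key)) == arg


# Assumed rules: get_images open to everyone, publicize_image admin-only.
ASSUMED_RULES = {"default": "", "get_images": "", "publicize_image": "role:admin"}


def scan(log_text, rules=ASSUMED_RULES):
    """Parse each enforce() record and report the context findings together with
    the decision the simplified evaluator reaches under the assumed rules."""
    report = []
    for line in log_text.splitlines():
        parsed = parse_enforce_line(line)
        if parsed is None:
            continue
        req, action, values = parsed
        rule = rules.get(action, rules["default"])
        report.append({"request_id": req, "action": action,
                       "allowed": evaluate(rule, values),
                       "findings": context_findings(values)})
    return report


if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG):
        print(entry["request_id"], entry["action"], "allowed=%s" % entry["allowed"])
        for finding in entry["findings"]:
            print("    ", finding)
```

Run against the two records, the script reports publicize_image as denied and get_images as allowed under the assumed rules, with the same three findings on both: the empty rule never looks at the context, so a broken context passes a read-only action unnoticed, while role:admin fails as soon as roles is empty. The findings are the signal worth alerting on in an operator's log pipeline, since an empty-identity context reaching enforce() should not happen for an authenticated API.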