*** This bug is a security vulnerability ***

Private security bug reported:

╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ source openrc demo demo
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2021-02-25T14:11:38+0000                                                                                                                                                                |
| id         | gAAAAABgN6IKDUKTn9RNudtZD605vA9l9eErCcXDrdxZwfhePYVlAHXzzCdQs6FK6XDwFvuexzfymc0uX7NY5RisEnQmUBl6eLccgBMYE6vSpVWCDTkFuKIuPfLh3xSkJGjZcpG7nfJ_ImU_wCJJFgcclf1zHTHWQ9Y15k-mAE7l3xceqUkOx2Y |
| project_id | ed4fade2e2cd4be0932ef30357f6d7a1                                                                                                                                                        |
| user_id    | e83b2f50463c4959bcc00a96b52b2f86                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-namespace-show foo
+----------------------------+----------------------------------+
| Property                   | Value                            |
+----------------------------+----------------------------------+
| created_at                 | 2021-02-25T04:54:10Z             |
| namespace                  | foo                              |
| owner                      | ed4fade2e2cd4be0932ef30357f6d7a1 |
| protected                  | False                            |
| resource_type_associations | ["bar"]                          |
| schema                     | /v2/schemas/metadefs/namespace   |
| updated_at                 | 2021-02-25T04:54:10Z             |
| visibility                 | private                          |
+----------------------------+----------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ source alicerc
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-resource-type-associate --name test foo
HTTP 403 Forbidden: Forbidding request, metadata definition namespace=foo is not visible.

This might not be a security issue since the user needs to know the namespace name, but opening this in private based on a recommendation from jokke.

** Affects: glance
     Importance: Undecided
         Status: New

** Information type changed from Public to Private

** Information type changed from Private to Private Security

https://bugs.launchpad.net/bugs/1916926

Title:
  Glance leaks namespace existence to unauthorized users

Status in Glance:
  New
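
The behaviour in the report, modelled as an added example that is not part of the original bug report and is not Glance's code: a handler that answers 403 for a namespace that exists but is not visible can be told apart from one that is missing, while a handler that gives the same answer in both cases cannot. The in-memory store, the function names, the "alice-project" id, and every status code other than the 403 shown in the report are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Glance source code.
# Assumptions: a nonexistent namespace is answered with 404 and a successful
# association with 201; only the 403 comes from the report.
from dataclasses import dataclass

@dataclass(frozen=True)
class Namespace:
    name: str
    owner: str        # project_id of the owning project
    visibility: str   # "private" or "public"

# Constructed sample data mirroring the report: "foo" is private to one project.
OWNER = "ed4fade2e2cd4be0932ef30357f6d7a1"
STORE = {"foo": Namespace("foo", OWNER, "private")}

def is_visible(ns, project_id):
    return ns.visibility == "public" or ns.owner == project_id

def associate_leaky(name, project_id):
    """Distinct 403 for hidden namespaces, as in the reported output."""
    ns = STORE.get(name)
    if ns is None:
        return 404, f"namespace={name} not found"
    if not is_visible(ns, project_id):
        return 403, f"namespace={name} is not visible"
    return 201, "associated"

def associate_uniform(name, project_id):
    """Hidden and missing namespaces get the same answer."""
    ns = STORE.get(name)
    if ns is None or not is_visible(ns, project_id):
        return 404, f"namespace={name} not found"
    return 201, "associated"

def leaks_existence(handler, project_id, hidden_name, missing_name):
    """Regression check: True if the caller can tell hidden from missing."""
    def shape(name):
        status, body = handler(name, project_id)
        # Normalise the echoed name so only the response shape is compared.
        return status, body.replace(f"namespace={name}", "namespace=<name>")
    return shape(hidden_name) != shape(missing_name)

if __name__ == "__main__":
    alice = "alice-project"  # constructed: a project that does not own "foo"
    print(leaks_existence(associate_leaky, alice, "foo", "nope"))    # True
    print(leaks_existence(associate_uniform, alice, "foo", "nope"))  # False
```

A check like `leaks_existence` can be kept as a regression test so that a later change to the error path does not reintroduce a distinguishable response.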