Missing x-tenant-id header to registry will return list of all images while using v2 api with registry
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Invalid | Undecided | Unassigned |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
$ ./run_tests.sh --subunit glance.
Running `tools/with_venv.sh python -m glance.
glance.
test_
Slowest 1 tests took 12.91 secs:
glance.
test_
=======
FAIL: glance.
-------
Traceback (most recent call last):
_StringException: Traceback (most recent call last):
File "/home/
self.
File "/home/
self.
File "/home/
raise mismatch_error
MismatchError: 0 != 1
Ran 2 tests in 26.407s
FAILED (failures=1)
    # TENANT2 should not see the image in their list
    path = self._url(
    headers = self._headers(
    response = requests.get(path, headers=headers)
    self.assertEqua
    images = jsonutils.
    self.assertEqual(0, len(images))
The reason only one image is seen by the wrong tenant is purely that this test has populated glance with only one image. A missing x-tenant-id header in the GET request made to the registry server when listing images will return all images.
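An added illustration, not part of the original report and not Glance code: a simplified model of a tenant-scoped listing that contrasts the behaviour described above (no x-tenant-id header means no owner filter) with a variant that rejects unscoped requests. The image records, the function names and the MissingTenant exception are assumptions made up for this example.

```python
# Simplified model of a tenant-scoped image listing; NOT Glance code.
# Constructed sample data: private images for two tenants plus one public image.
IMAGES = [
    {"id": "img-1", "owner": "TENANT1", "visibility": "private"},
    {"id": "img-2", "owner": "TENANT2", "visibility": "private"},
    {"id": "img-3", "owner": "TENANT1", "visibility": "public"},
]

TENANT_HEADER = "x-tenant-id"  # header name taken from the bug report


class MissingTenant(Exception):
    """Raised when a request carries no tenant identity (hypothetical name)."""


def tenant_from(headers):
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(TENANT_HEADER, "").strip()
    return value or None  # an empty or blank header counts as missing


def visible_to(tenant):
    # A tenant sees public images and the private images it owns.
    return [i for i in IMAGES
            if i["visibility"] == "public" or i["owner"] == tenant]


def list_images_fail_open(headers):
    """Behaviour described in the report: no tenant means no owner filter."""
    tenant = tenant_from(headers)
    if tenant is None:
        return list(IMAGES)  # unscoped request returns every image
    return visible_to(tenant)


def list_images_fail_closed(headers):
    """Hardened variant: refuse to answer a request that has no tenant scope."""
    tenant = tenant_from(headers)
    if tenant is None:
        raise MissingTenant("request has no %s header" % TENANT_HEADER)
    return visible_to(tenant)
```

A regression test for this class of bug should assert on both paths: the scoped listing excludes the other tenant's private image, and the unscoped request is rejected instead of returning a list.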
summary: |
- TENANT2 can see the image belonging to TENANT1 while using v2 api with + TENANT2 can list the image belonging to TENANT1 while using v2 api with registry |
Changed in ossa: | |
status: | New → Incomplete |
Changed in glance: | |
status: | New → Invalid |
summary: |
- TENANT2 can list the image belonging to TENANT1 while using v2 api with - registry + Missing x-tenant-id header to registry will return all images while + using v2 api with registry |
description: | updated |
summary: |
- Missing x-tenant-id header to registry will return all images while - using v2 api with registry + Missing x-tenant-id header to registry will return list of all images + while using v2 api with registry |
information type: | Private Security → Public |
Changed in ossa: | |
status: | Incomplete → Won't Fix |
This test has been run with change: https://review.openstack.org/#/c/87726/