Re: [SOLVED] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: [SOLVED] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]

TL;DR: glance config doesn’t honor documented default setting for paste_deploy.flavor. Solution is to add setting to glance-api.conf. Patch to be submitted.

 

After the deep debugging yesterday Jonathan did a deep compare of our Mitaka configuration compared to Queens.

 

He noted that this section was missing in our Queens glance-api.conf (our config files are sparse and only specify values if the defaults are not correct for us)

 

 

[paste_deploy]

flavor = keystone

 

Adding that allowed Jonathan to set an image to public (publicize_image). It also made openstack image list (get_images) behave as expected

 

[root@vm013 common]# . /root/keystonerc_jonathan

[root@vm013 common]# openstack image list

+--------------------------------------+--------+--------+

| ID                                   | Name   | Status |

+--------------------------------------+--------+--------+

| 34a915b8-cca6-45c3-9348-5e15dace444f | cirros | active |

+--------------------------------------+--------+--------+

 

 

The Glance Queens configuration guide for glance_api states that the default paste_deploy.flavor setting is ‘keystone’

 

Refer to https://docs.openstack.org/glance/queens/configuration/glance_api.html

 

It’s readily apparent that without the setting in glance-api.conf that it does not behave properly which suggests it does not actually set keystone as the default

 

Glance common/config.py does not specify a default value for this setting, but it does specify a sample_default.

 

https://github.com/openstack/glance/blob/master/glance/common/config.py

 

lines 31-52

 

paste_deploy_opts = [

    cfg.StrOpt('flavor',

               sample_default='keystone',

               help=_("""

Deployment flavor to use in the server application pipeline.

Provide a string value representing the appropriate deployment

flavor used in the server application pipleline. This is typically

the partial name of a pipeline in the paste configuration file with

the service name removed.

For example, if your paste section name in the paste configuration

file is [pipeline:glance-api-keystone], set ``flavor`` to

``keystone``.

Possible values:

    * String value representing a partial pipeline name.

Related Options:

    * config_file

""")),

 

Modifying the code like so:

 

               sample_default='keystone',

               default=’keystone’,

               help=_("""

 

 

Makes it honor the documented default value.

 

I’ve submitted this as a patch on the bug report and a pull request on github.

 

https://github.com/openstack/glance/pull/9

 

 

 

Mike Moore, M.S.S.E.

 

Systems Engineer, Goddard Private Cloud

[hidden email]

 

Hydrogen fusion brightens my day.

 

 

From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]>
Date: Thursday, October 25, 2018 at 6:48 PM
To: Jonathan Mills <[hidden email]>, "[hidden email]" <[hidden email]>
Cc: "openstack-oper." <[hidden email]>, "Thompson, John H. (GSFC-606.2)[InuTeq, LLC]" <[hidden email]>
Subject: Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

 

 

I have dug deep into the code for glance, shoving debug outputs to see what I can find in our queens environment.

 

Here is my debug code (I have a lot more but this is the salient part)

 

        LOG.debug("in enforce(), action='%s', policyvalues='%s'", action, context.to_policy_values())

        return super(Enforcer, self).enforce(action, target,

                                             context.to_policy_values(),

                                             do_raise=True,

                                             exc=exception.Forbidden,

                                             action=action)

 

below is the output attempting to set an image that I own while being an admin to public via `openstack image set –public cirros`

 

2018-10-25 18:29:16.575 17561 DEBUG glance.api.policy [req-e343bb10-8ec8-40df-8c0c-47d1b217ca0d - - - - -] in enforce(), action='publicize_image', policyvalues='{'service_roles': [], 'user_id': None, 'roles': [], 'user_domain_id': None, 'service_project_id': None, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_domain_id': None, 'is_admin_project': True, 'user': None, 'project_id': None, 'tenant': None, 'project_domain_id': None}' enforce /usr/lib/python2.7/site-packages/glance/api/policy.py:64

 

And here is what shows up when I `openstack image list`  as our test user (`jonathan`) that is NOT an admin

 

2018-10-25 18:32:24.841 17564 DEBUG glance.api.policy [req-22abdcf2-14cd-4680-8deb-e48902a7ddef - - - - -] in enforce(), action='get_images', policyvalues='{'service_roles': [], 'user_id': None, 'roles': [], 'user_domain_id': None, 'service_project_id': None, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_domain_id': None, 'is_admin_project': True, 'user': None, 'project_id': None, 'tenant': None, 'project_domain_id': None}' enforce /usr/lib/python2.7/site-packages/glance/api/policy.py:64

 

 

The takeaway that I have is that in the case of get_images, is_admin_project is True, which is WRONG for that test but since it’s a read-only operation it’s content to shortcircuit and return all those images.

 

In the case of publicize_image, the is_admin_project being True isn’t enough, and when it checks user (which is None) it says NOPE.

 

 

So somehow for some reason glance APIs context is super duper wrong.

 

 

Mike Moore, M.S.S.E.

 

Systems Engineer, Goddard Private Cloud

[hidden email]

 

Hydrogen fusion brightens my day.

 

 <snip chain to let message go to group>


_______________________________________________
OpenStack-operators mailing list
[hidden email]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Reply | Threaded
Open this post in threaded view
|

Re: [SOLVED] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

iain MacDonnell-2

Hi Mike,

Interesting - nice detective work! FWIW, I do have that explicitly set
in my config, based on the recommendation at:

https://docs.openstack.org/glance/latest/install/install-rdo.html#install-and-configure-components

Your github PR will no go anywhere - all changes must go through the
Gerrit system - start at:

https://docs.openstack.org/infra/manual/developers.html

If you don't want to go through all of that, I may be able to submit a
proposed change for you ....

     ~iain


On 10/26/2018 11:38 AM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
INTEGRA, INC.] wrote:

> TL;DR: glance config doesn’t honor documented default setting for
> paste_deploy.flavor. Solution is to add setting to glance-api.conf.
> Patch to be submitted.
>
> After the deep debugging yesterday Jonathan did a deep compare of our
> Mitaka configuration compared to Queens.
>
> He noted that this section was missing in our Queens glance-api.conf
> (our config files are sparse and only specify values if the defaults are
> not correct for us)
>
> [paste_deploy]
>
> flavor = keystone
>
> Adding that allowed Jonathan to set an image to public
> (publicize_image). It also made openstack image list (get_images) behave
> as expected
>
> [root@vm013 common]# . /root/keystonerc_jonathan
>
> [root@vm013 common]# openstack image list
>
> +--------------------------------------+--------+--------+
>
> | ID                                   | Name   | Status |
>
> +--------------------------------------+--------+--------+
>
> | 34a915b8-cca6-45c3-9348-5e15dace444f | cirros | active |
>
> +--------------------------------------+--------+--------+
>
> The Glance Queens configuration guide for glance_api states that the
> default paste_deploy.flavor setting is ‘keystone’
>
> Refer to
> https://docs.openstack.org/glance/queens/configuration/glance_api.html 
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.openstack.org_glance_queens_configuration_glance-5Fapi.html&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=wk-76cKMw6eaKFyi1n6D9UwL3oEZBtcn3tg7Fpy5vAk&s=ZQlSUAFNzShvhMFnSx9npThK3V52BKj8tsUr5dgyxhY&e=>
>
> It’s readily apparent that without the setting in glance-api.conf that
> it does not behave properly which suggests it does not actually set
> keystone as the default
>
> Glance common/config.py does not specify a default value for this
> setting, but it does specify a sample_default.
>
> https://github.com/openstack/glance/blob/master/glance/common/config.py 
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openstack_glance_blob_master_glance_common_config.py&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=wk-76cKMw6eaKFyi1n6D9UwL3oEZBtcn3tg7Fpy5vAk&s=XTT3uW9zjUd1cY5KQTBboFah5OhnBDg5GbTlZzYwgFg&e=>
>
> lines 31-52
>
> paste_deploy_opts =[
>
>
>
>      cfg.StrOpt('flavor',
>
>
>
> sample_default='keystone',
>
>
>
> help=_("""
>
>
>
> Deployment flavor to use in the server application pipeline.
>
>
>
>
> Provide a string value representing the appropriate deployment
>
>
>
> flavor used in the server application pipleline. This is typically
>
>
>
> the partial name of a pipeline in the paste configuration file with
>
>
>
> the service name removed.
>
>
>
>
> For example, if your paste section name in the paste configuration
>
>
>
> file is [pipeline:glance-api-keystone], set ``flavor`` to
>
>
>
> ``keystone``.
>
>
>
>
> Possible values:
>
>
>
>      * String value representing a partial pipeline name.
>
>
>
>
> Related Options:
>
>
>
>      * config_file
>
>
>
>
> """)),
>
> Modifying the code like so:
>
> sample_default='keystone',
>
>                 default=’keystone’,
>
> help=_("""
>
> Makes it honor the documented default value.
>
> I’ve submitted this as a patch on the bug report and a pull request on
> github.
>
> https://github.com/openstack/glance/pull/9 
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openstack_glance_pull_9&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=wk-76cKMw6eaKFyi1n6D9UwL3oEZBtcn3tg7Fpy5vAk&s=ZzXWO75ug-DUWUzE_DbuAtQa-uJdWIGCVNI2WRTQNow&e=>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
>
> [hidden email] <mailto:[hidden email]>
>
> **
>
> Hydrogen fusion brightens my day.
>
> *From: *"Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
> <[hidden email]>
> *Date: *Thursday, October 25, 2018 at 6:48 PM
> *To: *Jonathan Mills <[hidden email]>, "[hidden email]"
> <[hidden email]>
> *Cc: *"openstack-oper." <[hidden email]>,
> "Thompson, John H. (GSFC-606.2)[InuTeq, LLC]" <[hidden email]>
> *Subject: *Re: [Openstack-operators] Glance Image Visibility Issue? -
> Non admin users can see private images from other tenants
>
> I have dug deep into the code for glance, shoving debug outputs to see
> what I can find in our queens environment.
>
> Here is my debug code (I have a lot more but this is the salient part)
>
>          LOG.debug("in enforce(), action='%s', policyvalues='%s'",
> action, context.to_policy_values())
>
>          return super(Enforcer, self).enforce(action, target,
>
>                                               context.to_policy_values(),
>
>                                               do_raise=True,
>
>                                               exc=exception.Forbidden,
>
>                                               action=action)
>
> below is the output attempting to set an image that I own while being an
> admin to public via `openstack image set –public cirros`
>
> 2018-10-25 18:29:16.575 17561 DEBUG glance.api.policy
> [req-e343bb10-8ec8-40df-8c0c-47d1b217ca0d - - - - -] in enforce(),
> action='publicize_image', policyvalues='{'service_roles': [], 'user_id':
> None, 'roles': [], 'user_domain_id': None, 'service_project_id': None,
> 'service_user_id': None, 'service_user_domain_id': None,
> 'service_project_domain_id': None, 'is_admin_project': True, 'user':
> None, 'project_id': None, 'tenant': None, 'project_domain_id': None}'
> enforce /usr/lib/python2.7/site-packages/glance/api/policy.py:64
>
> And here is what shows up when I `openstack image list`  as our test
> user (`jonathan`) that is NOT an admin
>
> 2018-10-25 18:32:24.841 17564 DEBUG glance.api.policy
> [req-22abdcf2-14cd-4680-8deb-e48902a7ddef - - - - -] in enforce(),
> action='get_images', policyvalues='{'service_roles': [], 'user_id':
> None, 'roles': [], 'user_domain_id': None, 'service_project_id': None,
> 'service_user_id': None, 'service_user_domain_id': None,
> 'service_project_domain_id': None, 'is_admin_project': True, 'user':
> None, 'project_id': None, 'tenant': None, 'project_domain_id': None}'
> enforce /usr/lib/python2.7/site-packages/glance/api/policy.py:64
>
> The takeaway that I have is that in the case of get_images,
> is_admin_project is True, which is WRONG for that test but since it’s a
> read-only operation it’s content to shortcircuit and return all those
> images.
>
> In the case of publicize_image, the is_admin_project being True isn’t
> enough, and when it checks user (which is None) it says NOPE.
>
> So somehow for some reason glance APIs context is super duper wrong.
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
>
> [hidden email] <mailto:[hidden email]>
>
> **
>
> Hydrogen fusion brightens my day.
>
>   <snip chain to let message go to group>
>

_______________________________________________
OpenStack-operators mailing list
[hidden email]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators