Bug 2138238
| Field | Value |
|---|---|
| Summary | Deploy an internal glance-api service to address OSSN-0090 |
| Product | Red Hat OpenStack |
| Reporter | Alan Bishop <abishop> |
| Component | openstack-tripleo-heat-templates |
| Assignee | Alan Bishop <abishop> |
| Status | CLOSED ERRATA |
| QA Contact | Yosi Ben Shimon <ybenshim> |
| Severity | medium |
| Docs Contact | Jenny-Anne Lynch <jelynch> |
| Priority | high |
| Version | 17.1 (Wallaby) |
| CC | akekane, brian.rosmaita, cyril, eharney, gcharot, jamsmith, jelynch, johfulto, mariel, mburns, mkrcmari, msava, pdeore, pgrist, udesale, yrabl |
| Target Milestone | beta |
| Keywords | Triaged |
| Target Release | 17.1 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | openstack-tripleo-heat-templates-14.3.1-1.20230125220910.d766979.el9ost |
| Doc Type | Enhancement |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2023-08-16 01:12:28 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 2147467 |

Doc Text:

With this update, you deploy two separate instances of the Image service (glance) API. The instance that is accessible to OpenStack tenants is configured to hide image location details, such as the direct URL of an image or whether the image is available in multiple locations. The second instance is accessible to OpenStack administrators and OpenStack services, such as the Block Storage service (cinder) and the Compute service (nova). This instance is configured to provide image location details. This enhancement addresses the recommendations of [OSSN-0090](https://wiki.openstack.org/wiki/OSSN/OSSN-0090#Recommended_Actions) and [CVE-2022-4134](https://access.redhat.com/security/cve/CVE-2022-4134). With this update, a malicious user cannot leverage the location details of an image to upload an altered image.
Description
Alan Bishop
2022-10-27 17:32:55 UTC
@James: This is an accurate summary. I agree with Greg, if our architecture is described somewhere, it should be updated.

Tested on:
Red Hat OpenStack Platform release 17.1.0 Beta (Wallaby)
openstack-tripleo-heat-templates-14.3.1-1.20230519151004.f602c2b.el9ost.noarch

Both flags "show_image_direct_url" and "show_multiple_locations" are set to _False_ on glance-api.conf.
The same flags are set to _True_ on internal glance-api.conf.
Also, the "GlanceInternal" entry is found under "EndpointMapOverride" in /home/stack/overcloud-deploy/overcloud/overcloud-export.yaml.

Used the same "curl" command from comment #1.

Public endpoint returned:

```
HTTP/1.1 200 OK
content-length: 861
content-type: application/json
x-openstack-request-id: req-8ab8869b-6e59-44b5-a65d-fa237df12870
date: Thu, 08 Jun 2023 17:54:55 GMT

{
  "hw_rng_model": "virtio",
  "name": "cirros-0.5.2-x86_64-disk.img",
  "disk_format": "qcow2",
  "container_format": "bare",
  "visibility": "public",
  "size": 16300544,
  "virtual_size": 117440512,
  "status": "active",
  "checksum": "b874c39491a2377b8490f5f1e89761a4",
  "protected": false,
  "min_ram": 0,
  "min_disk": 0,
  "owner": "2434d4521f90471ea24aed710f72d455",
  "os_hidden": false,
  "os_hash_algo": "sha512",
  "os_hash_value": "6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe36225e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869",
  "id": "925dceb9-44b9-4901-8f78-a9d11431fa79",
  "created_at": "2023-05-29T07:22:40Z",
  "updated_at": "2023-05-29T07:22:42Z",
  "tags": [],
  "self": "/v2/images/925dceb9-44b9-4901-8f78-a9d11431fa79",
  "file": "/v2/images/925dceb9-44b9-4901-8f78-a9d11431fa79/file",
  "schema": "/v2/schemas/image",
  "stores": "default_backend"
}
```

*** No "locations"

Admin/internal endpoint returned:

```
HTTP/1.1 200 OK
content-length: 1131
content-type: application/json
x-openstack-request-id: req-a35406d3-bc87-40e1-a2f8-fad5690afdad
date: Thu, 08 Jun 2023 17:57:51 GMT

{
  "hw_rng_model": "virtio",
  "name": "cirros-0.5.2-x86_64-disk.img",
  "disk_format": "qcow2",
  "container_format": "bare",
  "visibility": "public",
  "size": 16300544,
  "virtual_size": 117440512,
  "status": "active",
  "checksum": "b874c39491a2377b8490f5f1e89761a4",
  "protected": false,
  "min_ram": 0,
  "min_disk": 0,
  "owner": "2434d4521f90471ea24aed710f72d455",
  "os_hidden": false,
  "os_hash_algo": "sha512",
  "os_hash_value": "6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe36225e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869",
  "id": "925dceb9-44b9-4901-8f78-a9d11431fa79",
  "created_at": "2023-05-29T07:22:40Z",
  "updated_at": "2023-05-29T07:22:42Z",
  "locations": [
    {
      "url": "rbd://4e5cc9f9-7b68-53f7-8a61-f7c92a81a960/images/925dceb9-44b9-4901-8f78-a9d11431fa79/snap",
      "metadata": {"store": "default_backend"}
    }
  ],
  "direct_url": "rbd://4e5cc9f9-7b68-53f7-8a61-f7c92a81a960/images/925dceb9-44b9-4901-8f78-a9d11431fa79/snap",
  "tags": [],
  "self": "/v2/images/925dceb9-44b9-4901-8f78-a9d11431fa79",
  "file": "/v2/images/925dceb9-44b9-4901-8f78-a9d11431fa79/file",
  "schema": "/v2/schemas/image",
  "stores": "default_backend"
}
```

*** "locations" exists including "direct_url"

Moving to VERIFIED

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
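The split described in the Doc Text and checked by hand in the verification comment above (location flags off on the tenant-facing glance-api.conf, on for the internal one, and "locations"/"direct_url" absent from the public response but present in the internal one) can be audited in one pass. This is an added example, not code from the bug report or from tripleo-heat-templates; the config snippets and image bodies are constructed, modelled on the quoted responses, and `audit` is a hypothetical helper name.

```python
"""Audit a split glance-api deployment: the tenant-facing API must hide image
locations, the internal API (used by cinder/nova) must expose them (OSSN-0090).
Added example, not code from the bug or tripleo-heat-templates; the config
snippets and image bodies below are constructed, modelled on the quoted output."""
import configparser
import json

# Response keys that reveal where an image's bytes live
LOCATION_KEYS = ("locations", "direct_url")
# glance-api.conf [DEFAULT] flags that control whether those keys are returned
LOCATION_FLAGS = ("show_image_direct_url", "show_multiple_locations")


def location_flags(conf_text):
    """Read the two location-exposure flags from glance-api.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return {f: cp.getboolean("DEFAULT", f, fallback=False) for f in LOCATION_FLAGS}


def exposes_locations(image_body):
    """True if a GET /v2/images/<id> body carries any location detail."""
    return any(k in json.loads(image_body) for k in LOCATION_KEYS)


def audit(public_conf, internal_conf, public_body, internal_body):
    """Return findings; an empty list means both instances behave as intended."""
    findings = []
    for name, conf, body, want in (("public", public_conf, public_body, False),
                                   ("internal", internal_conf, internal_body, True)):
        wrong = [f for f, v in location_flags(conf).items() if v != want]
        if wrong:
            findings.append(f"{name} glance-api.conf: {', '.join(wrong)} should be {want}")
        if exposes_locations(body) != want:
            verb = "exposes" if want is False else "hides"
            findings.append(f"{name} endpoint {verb} image locations")
    return findings


# Constructed samples (abbreviated) mirroring the verification comment
PUBLIC_CONF = "[DEFAULT]\nshow_image_direct_url = False\nshow_multiple_locations = False\n"
INTERNAL_CONF = "[DEFAULT]\nshow_image_direct_url = True\nshow_multiple_locations = True\n"
IMAGE = {"name": "cirros-0.5.2-x86_64-disk.img", "status": "active",
         "id": "925dceb9-44b9-4901-8f78-a9d11431fa79", "stores": "default_backend"}
RBD_URL = "rbd://4e5cc9f9-7b68-53f7-8a61-f7c92a81a960/images/925dceb9-44b9-4901-8f78-a9d11431fa79/snap"
PUBLIC_BODY = json.dumps(IMAGE)
INTERNAL_BODY = json.dumps({**IMAGE, "direct_url": RBD_URL,
                            "locations": [{"url": RBD_URL, "metadata": {"store": "default_backend"}}]})
```

Feeding the public endpoint's config and response into the internal slot (or vice versa) produces findings naming the flag and the endpoint that leak, which is the misconfiguration this bug's fix is meant to prevent.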