Bug 2138238 - Deploy an internal glance-api service to address OSSN-0090
Summary: Deploy an internal glance-api service to address OSSN-0090
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: beta
: 17.1
Assignee: Alan Bishop
QA Contact: Yosi Ben Shimon
Jenny-Anne Lynch
URL:
Whiteboard:
Depends On:
Blocks: 2147467
Reported: 2022-10-27 17:32 UTC by Alan Bishop
Modified: 2024-01-01 04:25 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-1.20230125220910.d766979.el9ost
Doc Type: Enhancement
Doc Text:
With this update, you deploy two separate instances of the Image service (glance) API. The instance that is accessible to OpenStack tenants is configured to hide image location details, such as the direct URL of an image or whether the image is available in multiple locations. The second instance is accessible to OpenStack administrators and OpenStack services, such as the Block Storage service (cinder) and the Compute service (nova). This instance is configured to provide image location details. This enhancement addresses the recommendations of link:https://wiki.openstack.org/wiki/OSSN/OSSN-0090#Recommended_Actions[OSSN-0090] and link:https://access.redhat.com/security/cve/CVE-2022-4134[CVE-2022-4134]. With this update, a malicious user cannot leverage the location details of an image to upload an altered image.
Clone Of:
Environment:
Last Closed: 2023-08-16 01:12:28 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 863142 0 None MERGED Deploy separate glance-api services for OSSN-0090 2023-02-15 21:35:48 UTC
Red Hat Issue Tracker OSP-19759 0 None None None 2022-10-27 17:45:09 UTC
Red Hat Product Errata RHEA-2023:4577 0 None None None 2023-08-16 01:12:52 UTC

Description Alan Bishop 2022-10-27 17:32:55 UTC
RHOSP should adopt the recommendation described in OSSN-0090 [1], and deploy two separate instances of the glance-api service:

1. A "user facing" glance-api service, accessible via the Public and Admin keystone endpoints
2. An "internal facing only" service, accessible via the Internal keystone endpoint

[1] https://wiki.openstack.org/wiki/OSSN/OSSN-0090

The user facing service should be configured to not expose image locations, namely by setting the following options in glance-api.conf:

[DEFAULT]
show_image_direct_url = False
show_multiple_locations = False

The internal service, operating on a different port (e.g. 9293), should be configured identically to the public facing service, except for the following:

[DEFAULT]
show_image_direct_url = True
show_multiple_locations = True

OpenStack services that use glance (cinder and nova) should be configured to access it via the new internal service. That way both cinder and nova will have access to the image location data.

Comment 9 Cyril Roelandt 2023-02-03 15:39:26 UTC
@James: This is an accurate summary. I agree with Greg, if our architecture is described somewhere, it should be updated.

Comment 18 Yosi Ben Shimon 2023-06-08 18:16:30 UTC
Tested on:
Red Hat OpenStack Platform release 17.1.0 Beta (Wallaby)
openstack-tripleo-heat-templates-14.3.1-1.20230519151004.f602c2b.el9ost.noarch

Both flags "show_image_direct_url" and "show_multiple_locations" are set to _False_ on glance-api.conf
The same flags are set to _True_ on internal glance-api.conf
Also, the "GlanceInternal" entry is found under "EndpointMapOverride" in /home/stack/overcloud-deploy/overcloud/overcloud-export.yaml

Used the same "curl" command from comment #1:
Public endpoint returned:

HTTP/1.1 200 OK
content-length: 861
content-type: application/json
x-openstack-request-id: req-8ab8869b-6e59-44b5-a65d-fa237df12870
date: Thu, 08 Jun 2023 17:54:55 GMT

{"hw_rng_model": "virtio", "name": "cirros-0.5.2-x86_64-disk.img", "disk_format": "qcow2", "container_format": "bare", "visibility": "public", "size": 16300544, "virtual_size": 117440512, "status": "active", "checksum": "b874c39491a2377b8490f5f1e89761a4", "protected": false, "min_ram": 0, "min_disk": 0, "owner": "2434d4521f90471ea24aed710f72d455", "os_hidden": false, "os_hash_algo": "sha512", "os_hash_value": "6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe36225e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869", "id": "925dceb9-44b9-4901-8f78-a9d11431fa79", "created_at": "2023-05-29T07:22:40Z", "updated_at": "2023-05-29T07:22:42Z", "tags": [], "self": "/v2/images/925dceb9-44b9-4901-8f78-a9d11431fa79", "file": "/v2/images/925dceb9-44b9-4901-8f78-a9d11431fa79/file", "schema": "/v2/schemas/image", "stores": "default_backend"}

*** No "locations"

Admin/internal endpoint returned:

HTTP/1.1 200 OK
content-length: 1131
content-type: application/json
x-openstack-request-id: req-a35406d3-bc87-40e1-a2f8-fad5690afdad
date: Thu, 08 Jun 2023 17:57:51 GMT

{"hw_rng_model": "virtio", "name": "cirros-0.5.2-x86_64-disk.img", "disk_format": "qcow2", "container_format": "bare", "visibility": "public", "size": 16300544, "virtual_size": 117440512, "status": "active", "checksum": "b874c39491a2377b8490f5f1e89761a4", "protected": false, "min_ram": 0, "min_disk": 0, "owner": "2434d4521f90471ea24aed710f72d455", "os_hidden": false, "os_hash_algo": "sha512", "os_hash_value": "6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe36225e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869", "id": "925dceb9-44b9-4901-8f78-a9d11431fa79", "created_at": "2023-05-29T07:22:40Z", "updated_at": "2023-05-29T07:22:42Z", "locations": [{"url": "rbd://4e5cc9f9-7b68-53f7-8a61-f7c92a81a960/images/925dceb9-44b9-4901-8f78-a9d11431fa79/snap", "metadata": {"store": "default_backend"}}], "direct_url": "rbd://4e5cc9f9-7b68-53f7-8a61-f7c92a81a960/images/925dceb9-44b9-4901-8f78-a9d11431fa79/snap", "tags": [], "self": "/v2/images/925dceb9-44b9-4901-8f78-a9d11431fa79", "file": "/v2/images/925dceb9-44b9-4901-8f78-a9d11431fa79/file", "schema": "/v2/schemas/image", "stores": "default_backend"}

*** "locations" exists including "direct_url"


Moving to VERIFIED
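
The verification above was done by hand with curl; as an added example (not part of the bug report or of tripleo-heat-templates), the following script checks both halves of the OSSN-0090 split: it reads the two options from the [DEFAULT] section of a glance-api.conf and flags any that do not match the role of that instance, and it inspects an image-show JSON body for the "locations" and "direct_url" keys. The config text and the trimmed image bodies are constructed samples modelled on the description and on comment 18.

```python
"""Added example (not from the bug report): check a glance-api.conf and an
image-show response for the public/internal glance-api split of OSSN-0090."""
import configparser
import json

# Options the bug asks to differ between the two glance-api instances.
LOCATION_OPTS = ("show_image_direct_url", "show_multiple_locations")
# Response keys that appear only when location details are exposed.
LOCATION_KEYS = ("locations", "direct_url")


def location_opts(conf_text):
    """Return {option: bool} from [DEFAULT] of a glance-api.conf; unset means False."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {opt: cp.getboolean("DEFAULT", opt, fallback=False) for opt in LOCATION_OPTS}


def check_role(conf_text, role):
    """role is 'public' or 'internal'; return the options whose value is wrong for it."""
    expected = role == "internal"  # only the internal service may expose locations
    return [opt for opt, val in location_opts(conf_text).items() if val != expected]


def exposed_location_keys(body):
    """Return which location-bearing keys an image-show JSON body contains."""
    image = json.loads(body)
    return [key for key in LOCATION_KEYS if key in image]


# Constructed sample configs and trimmed image bodies (IMAGE-ID / POOL are placeholders).
PUBLIC_CONF = "[DEFAULT]\nshow_image_direct_url = False\nshow_multiple_locations = False\n"
INTERNAL_CONF = "[DEFAULT]\nshow_image_direct_url = True\nshow_multiple_locations = True\n"
PUBLIC_BODY = '{"id": "IMAGE-ID", "status": "active", "stores": "default_backend"}'
INTERNAL_BODY = ('{"id": "IMAGE-ID", "status": "active", '
                 '"locations": [{"url": "rbd://POOL/images/IMAGE-ID/snap", "metadata": {}}], '
                 '"direct_url": "rbd://POOL/images/IMAGE-ID/snap"}')

if __name__ == "__main__":
    print("public conf, wrong options:", check_role(PUBLIC_CONF, "public"))
    print("internal conf, wrong options:", check_role(INTERNAL_CONF, "internal"))
    print("public response exposes:", exposed_location_keys(PUBLIC_BODY))
    print("internal response exposes:", exposed_location_keys(INTERNAL_BODY))
```

Pointing `check_role` at the public instance's config with role "internal" (or vice versa) reports both options, which is the quick way to catch the two services having been deployed with the same settings.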

Comment 28 errata-xmlrpc 2023-08-16 01:12:28 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577

Comment 29 Red Hat Bugzilla 2024-01-01 04:25:07 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
