Description Agostino Sarubbo 2013-09-21 07:28:31 UTC

From ${URL} :

Description of problem:

when I try to create an image with tenant name and not tenant ID, the image is not created and no 
errors are issued. 
you simply cannot find the image. 

Version-Release number of selected component (if applicable):

openstack-glance-2013.1.3-1.el6ost.noarch

How reproducible:

100%

Steps to Reproduce:
1. install AIO with local tgt storage (using packstack)
2. create a tenant and a user 
3. create an image for the tenant using the tenant name
4. run glance image-list while logging in with user 
5. run the same create command using tenant ID
6. run glance image-list while logging in with the user

Actual results:

image is no created with tenant name. 
no errors or indicators that the image was not created. 

Expected results:

image should be created with tenant name
if we decided not to allow create of image with tenant name we should block the command from 
running with missing param error 

========

Upon further investigation Flavio Percoco of Red Hat reports:

Ayal suggested this could also be a security issue. I went ahead and tested current behavior and 
indeed, this behavior could be used to inject images to other users.

Scenario:
- Create an image using user1
- Pick tenant's id of user2 and add it as a member of the image user1 just created
- Use user2 to list images. This will list the image user1 created.

I think this is an issue because it allows user from other tenants to sneak images with a backdoor 
to other tenants.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.