OSSN/OSSN-0025

Summary
Glance is able to use Swift as a back end for storing virtual machine images. When Glance is configured this way (in multi-tenant mode only), it is possible for unauthenticated users to access "public" virtual machine images directly from Swift, even though Glance restricts access to those images to authenticated users.

Affected Services / Software
Glance, Swift, Havana, Icehouse

Discussion
The 'delay_auth_decision' Swift variable modifies the ACL's to either require authentication via Keystone or allow unauthenticated access. When 'delay_auth_decision' is set to '1' the Swift ACL uses a wildcard (*) to accept all incoming responses.

When Glance is configured for multi-tenant mode, this will allow all tenants as well as unauthenticated users to have access to the Swift 'public' images.

This can happen when Swift and Glance are configured in the following fashion:

Swift proxy-server.conf snippet: delay_auth_decision = 1

Glance glance-api.conf snippet: default_store = swift swift_store_multi_tenant = True swift_store_create_container_on_put = True

One way to discover the URL is to take a snapshot of a public image. The URL for the snapshot combined with the owner ID of the public image will allow for the Swift URL of the public image to be inferred. This URL can then be utilized anonymously to download the image.

Recommended Actions
If your Swift and Glance services are configured in such a way that they are vulnerable, it is recommended that Swift image requests are audited to determine if an unauthorized image request was made. By default when images are accessed a message is logged to the Swift log file.

Setting the Swift 'delay_auth_decision' value to '0' (False) will require Keystone authentication to access the Swift containers, and is only recommended for environments using Keystone for authentication.

Modifying the Glance configuration to not use Swift in multi-tenant mode will mitigate the issue, but may introduce other issues depending on what configuration is used.

Implementing an alternative back end (such as Ceph) will also remove the issue, however will require additional knowledge on how to securely install and configure the new object storage service.

The Swift and Glance configuration items are specific to a given environment, so test configurations before deploying them in a production environment.

Contacts / References

 * Author: Nathaniel Dillon, HP
 * This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0025
 * Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1354512
 * OpenStack Security ML : openstack-security@lists.openstack.org
 * OpenStack Security Group : https://launchpad.net/~openstack-ossg