[Yahoo-eng-team] [Bug 1235378] Re: 'image_download' role in v2 causes traceback

2013-10-17 Thread Adam Gandelman
** Changed in: glance/grizzly
     Assignee: (unassigned) => Stuart McLaren (stuart-mclaren)

** Changed in: glance/grizzly
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1235378

Title:
  'image_download' role in v2 causes traceback

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance folsom series:
  Fix Committed
Status in Glance grizzly series:
  Fix Released
Status in OpenStack Security Advisories:
  In Progress

Bug description:
  If you enable the 'image_download' policy as follows:


  {
      "context_is_admin": "role:admin",
      "download_image": "role:admin",
      "default": "",
      "manage_image_cache": "role:admin"
  }

  And attempt to download using the v2 api you get 200 rather than 403
  (but, correctly, no data) and a stack trace on the server:

  6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
  6234 DEBUG glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Tee'ing image '42c834df-3b35-4982-aed6-ffa4a44d3778' into cache
  6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
  6234 DEBUG glance.image_cache.drivers.sqlite [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Fetch of cache file failed (You are not authorized to complete this action.), rolling back by moving '/opt/stack/data/glance/cache/incomplete/42c834df-3b35-4982-aed6-ffa4a44d3778' to '/opt/stack/data/glance/cache/invalid/42c834df-3b35-4982-aed6-ffa4a44d3778'
  6234 ERROR glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] You are not authorized to complete this action.
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Traceback (most recent call last):
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     for chunk in image_iter:
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     for chunk in self.image.get_data():
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     self.policy.enforce(self.context, 'download_image', {})
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     exception.Forbidden, action=action)
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     return policy.check(rule, target, credentials, *args, **kwargs)
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     raise exc(*args, **kwargs)
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Forbidden: You are not authorized to complete this action.
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache
  6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Traceback (most recent call last):
    File "/usr/local/lib/python2.7/dist-packages/eventlet/wsgi.py", line 402, in handle_one_response
      for data in result:
    File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
      for chunk in image_iter:
    File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
      for chunk in self.image.get_data():
    File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
      self.policy.enforce(self.context, 'download_image', {})
    File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
      exception.Forbidden, action=action)
    File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
      return policy.check(rule, target, credentials, *args, **kwargs)
    File "/opt/stack/glance/glance/openstack/common/policy.py", line 183,

[Yahoo-eng-team] [Bug 1235378] Re: 'image_download' role in v2 causes traceback

2013-10-10 Thread OpenStack Infra
Reviewed:  https://review.openstack.org/50865
Committed: http://github.com/openstack/glance/commit/02e97689e60b643d446720659c9688702aea197b
Submitter: Jenkins
Branch:    milestone-proposed

commit 02e97689e60b643d446720659c9688702aea197b
Author: Zhi Yan Liu zhiy...@cn.ibm.com
Date:   Mon Oct 7 11:44:33 2013 +0800

Adding 'download_image' policy enforcement to image cache middleware

Currently the image cache middleware does not care about the
'download_image' policy; the enforcement caused the user to receive empty
content but with an HTTP 200 code rather than 403 when a client attempts to
download an image using the v2 API. And the real Forbidden exception, which
the image application action raised, is logged in the glance-api log. The
end user is confused by this behavior.

Fixes bug: 1235378

Related-Id: Ibaa7ccf8613ee3cce4cb6a72e3206a2c9412
Change-Id: I2822ee553d605b7d49576c886f42fa403cdbccf2
Signed-off-by: Zhi Yan Liu zhiy...@cn.ibm.com
(cherry picked from commit a50bfbf490fd354d08abd25b67aaab83b2a17a85)


** Changed in: glance
       Status: Fix Committed => Fix Released


Title:
  'image_download' role in v2 causes traceback

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance grizzly series:
  In Progress
Status in OpenStack Security Advisories:
  Confirmed

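
A simplified model of the failure reported in this thread, added here as an illustration and not taken from Glance or from the referenced commit: the policy check sits inside the data iterator, so it fires only after the status line is committed, while the checked variant enforces it before the response starts. All function names, the role-list check and the `serve` driver are assumptions made for the example.

```python
# Simplified model of the bug; names are illustrative, not Glance's API.
RULES = {"download_image": "admin"}  # action -> required role, as in the report

class Forbidden(Exception):
    pass

def enforce(roles, action):
    if RULES[action] not in roles:
        raise Forbidden("You are not authorized to complete this action.")

def get_data(roles):
    """Generator: the policy check runs only when the first chunk is requested."""
    enforce(roles, "download_image")
    yield b"chunk-1"
    yield b"chunk-2"

def cache_tee_iter(image_iter, cache):
    for chunk in image_iter:      # Forbidden surfaces here, mid-response
        cache.append(chunk)
        yield chunk

def app_lazy(environ, start_response):
    """Pre-fix shape: the status line is committed before any policy check."""
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return cache_tee_iter(get_data(environ["roles"]), environ["cache"])

def app_checked(environ, start_response):
    """Post-fix shape: enforce in the middleware before starting the response."""
    try:
        enforce(environ["roles"], "download_image")
    except Forbidden as exc:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    return app_lazy(environ, start_response)

def serve(app, roles):
    """Stand-in for the WSGI server: returns (status, body, server_error)."""
    sent, cache, body, error = {}, [], b"", None
    def start_response(status, headers):
        sent["status"] = status
    try:
        for data in app({"roles": roles, "cache": cache}, start_response):
            body += data
    except Forbidden as exc:      # status already committed; server can only log
        error = str(exc)
    return sent["status"], body, error
```

With a non-admin caller, `serve(app_lazy, ["member"])` reproduces the reported symptom (200, empty body, error only on the server side), while `serve(app_checked, ["member"])` returns the 403 the client should see.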