[Yahoo-eng-team] [Bug 1502136] Re: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set
** No longer affects: glance (Ubuntu Trusty) ** Tags removed: sts-sru-needed ** Tags added: sts-sru-done -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1502136 Title: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set Status in Ubuntu Cloud Archive: Fix Released Status in Ubuntu Cloud Archive kilo series: Fix Released Status in Glance: Fix Released Status in glance package in Ubuntu: Fix Released Status in glance source package in Xenial: Fix Released Bug description: [Impact] If, in glance-api.conf you set: show_multiple_locations = true Things work as expected: $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 +--+--+ | Property | Value | +--+--+ | checksum | 9cb02fe7fcac26f8a25d6db3109063ae | | container_format | bare | | created_at | 2015-10-02T12:43:33Z | | disk_format | raw | | id | 13ae74f0-74bf-4792-a8bb-7c622abc5410 | | locations| [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", | | | "metadata": {}}] | | min_disk | 0 | | min_ram | 0 | | name | good-image | | owner| 88cffb9c8aee457788066c97b359585b | | protected| False | | size | 145 | | status | active | | tags | [] | | updated_at | 2015-10-02T12:43:34Z | | virtual_size | None | | visibility | private | +--+--+ but if you then set the get_image_location policy to role:admin, most calls return 403: $ glance --os-image-api-version 2 image-list 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) etc. As https://review.openstack.org/#/c/48401/ says: 1. A user should be able to list/show/update/download image without needing permission on get_image_location. 2. A policy failure should result in a 403 return code. We're getting a 500 This is v2 only, v1 works ok. [Test Case] - Set show_multiple_locations = true on glance-api.conf - Set get_image_location policy to role:admin in /etc/glance/policy.json - Run glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 , This should work. [Regression Potential] * None Identified [Other Info] * Already backported to mitaka/newton. To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1502136/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1502136] Re: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set
This bug was fixed in the package glance - 1:2015.1.4-0ubuntu2 --- glance (1:2015.1.4-0ubuntu2) trusty-kilo; urgency=medium . * d/p/allow-image-list-if-access-to-attrs-is-forbidden.patch: Allow to list images in v2 if get_image_location policy is set to role:admin and user is not admin. (LP: #1502136). ** Changed in: cloud-archive/kilo Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1502136 Title: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set Status in Ubuntu Cloud Archive: Fix Released Status in Ubuntu Cloud Archive kilo series: Fix Released Status in Glance: Fix Released Status in glance package in Ubuntu: Fix Released Status in glance source package in Trusty: Triaged Status in glance source package in Xenial: Fix Released Bug description: [Impact] If, in glance-api.conf you set: show_multiple_locations = true Things work as expected: $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 +--+--+ | Property | Value | +--+--+ | checksum | 9cb02fe7fcac26f8a25d6db3109063ae | | container_format | bare | | created_at | 2015-10-02T12:43:33Z | | disk_format | raw | | id | 13ae74f0-74bf-4792-a8bb-7c622abc5410 | | locations| [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", | | | "metadata": {}}] | | min_disk | 0 | | min_ram | 0 | | name | good-image | | owner| 88cffb9c8aee457788066c97b359585b | | protected| False | | size | 145 | | status | active | | tags | [] | | updated_at | 2015-10-02T12:43:34Z | | virtual_size | None | | visibility | private | +--+--+ but if you then set the get_image_location policy to role:admin, most calls return 403: $ glance --os-image-api-version 2 image-list 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) etc. As https://review.openstack.org/#/c/48401/ says: 1. A user should be able to list/show/update/download image without needing permission on get_image_location. 2. A policy failure should result in a 403 return code. We're getting a 500 This is v2 only, v1 works ok. [Test Case] - Set show_multiple_locations = true on glance-api.conf - Set get_image_location policy to role:admin in /etc/glance/policy.json - Run glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 , This should work. [Regression Potential] * None Identified [Other Info] * Already backported to mitaka/newton. To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1502136/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to :
[Yahoo-eng-team] [Bug 1502136] Re: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set
** Also affects: cloud-archive/kilo Importance: Undecided Status: New ** Changed in: cloud-archive Status: New => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1502136 Title: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set Status in Ubuntu Cloud Archive: Fix Released Status in Ubuntu Cloud Archive kilo series: Triaged Status in Glance: Fix Released Status in glance package in Ubuntu: Fix Released Status in glance source package in Trusty: Triaged Status in glance source package in Xenial: Fix Released Bug description: If, in glance-api.conf you set: show_multiple_locations = true Things work as expected: $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 +--+--+ | Property | Value | +--+--+ | checksum | 9cb02fe7fcac26f8a25d6db3109063ae | | container_format | bare | | created_at | 2015-10-02T12:43:33Z | | disk_format | raw | | id | 13ae74f0-74bf-4792-a8bb-7c622abc5410 | | locations| [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", | | | "metadata": {}}] | | min_disk | 0 | | min_ram | 0 | | name | good-image | | owner| 88cffb9c8aee457788066c97b359585b | | protected| False | | size | 145 | | status | active | | tags | [] | | updated_at | 2015-10-02T12:43:34Z | | virtual_size | None | | visibility | private | +--+--+ but if you then set the get_image_location policy to role:admin, most calls return 403: $ glance --os-image-api-version 2 image-list 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) etc. As https://review.openstack.org/#/c/48401/ says: 1. A user should be able to list/show/update/download image without needing permission on get_image_location. 2. A policy failure should result in a 403 return code. We're getting a 500 This is v2 only, v1 works ok. To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1502136/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1502136] Re: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set
** Also affects: cloud-archive Importance: Undecided Status: New ** Changed in: glance (Ubuntu Trusty) Status: In Progress => New ** Changed in: glance (Ubuntu Trusty) Assignee: Jorge Niedbalski (niedbalski) => (unassigned) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1502136 Title: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set Status in Ubuntu Cloud Archive: New Status in Glance: Fix Released Status in glance package in Ubuntu: Fix Released Status in glance source package in Trusty: New Status in glance source package in Xenial: Fix Released Bug description: If, in glance-api.conf you set: show_multiple_locations = true Things work as expected: $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 +--+--+ | Property | Value | +--+--+ | checksum | 9cb02fe7fcac26f8a25d6db3109063ae | | container_format | bare | | created_at | 2015-10-02T12:43:33Z | | disk_format | raw | | id | 13ae74f0-74bf-4792-a8bb-7c622abc5410 | | locations| [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", | | | "metadata": {}}] | | min_disk | 0 | | min_ram | 0 | | name | good-image | | owner| 88cffb9c8aee457788066c97b359585b | | protected| False | | size | 145 | | status | active | | tags | [] | | updated_at | 2015-10-02T12:43:34Z | | virtual_size | None | | visibility | private | +--+--+ but if you then set the get_image_location policy to role:admin, most calls return 403: $ glance --os-image-api-version 2 image-list 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) etc. As https://review.openstack.org/#/c/48401/ says: 1. A user should be able to list/show/update/download image without needing permission on get_image_location. 2. A policy failure should result in a 403 return code. We're getting a 500 This is v2 only, v1 works ok. To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1502136/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1502136] Re: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set
** Changed in: glance (Ubuntu Xenial) Status: New => Fix Released ** Changed in: glance (Ubuntu Trusty) Status: New => In Progress ** Changed in: glance (Ubuntu Trusty) Importance: Undecided => High ** Changed in: glance (Ubuntu Trusty) Assignee: (unassigned) => Jorge Niedbalski (niedbalski) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1502136 Title: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set Status in Glance: Fix Released Status in glance package in Ubuntu: Fix Released Status in glance source package in Trusty: In Progress Status in glance source package in Xenial: Fix Released Bug description: If, in glance-api.conf you set: show_multiple_locations = true Things work as expected: $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 +--+--+ | Property | Value | +--+--+ | checksum | 9cb02fe7fcac26f8a25d6db3109063ae | | container_format | bare | | created_at | 2015-10-02T12:43:33Z | | disk_format | raw | | id | 13ae74f0-74bf-4792-a8bb-7c622abc5410 | | locations| [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", | | | "metadata": {}}] | | min_disk | 0 | | min_ram | 0 | | name | good-image | | owner| 88cffb9c8aee457788066c97b359585b | | protected| False | | size | 145 | | status | active | | tags | [] | | updated_at | 2015-10-02T12:43:34Z | | virtual_size | None | | visibility | private | +--+--+ but if you then set the get_image_location policy to role:admin, most calls return 403: $ glance --os-image-api-version 2 image-list 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) etc. As https://review.openstack.org/#/c/48401/ says: 1. A user should be able to list/show/update/download image without needing permission on get_image_location. 2. A policy failure should result in a 403 return code. We're getting a 500 This is v2 only, v1 works ok. To manage notifications about this bug go to: https://bugs.launchpad.net/glance/+bug/1502136/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1502136] Re: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set
** Also affects: glance (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: glance (Ubuntu Xenial) Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1502136 Title: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set Status in Glance: Fix Released Status in glance package in Ubuntu: Fix Released Status in glance source package in Trusty: In Progress Status in glance source package in Xenial: Fix Released Bug description: If, in glance-api.conf you set: show_multiple_locations = true Things work as expected: $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 +--+--+ | Property | Value | +--+--+ | checksum | 9cb02fe7fcac26f8a25d6db3109063ae | | container_format | bare | | created_at | 2015-10-02T12:43:33Z | | disk_format | raw | | id | 13ae74f0-74bf-4792-a8bb-7c622abc5410 | | locations| [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", | | | "metadata": {}}] | | min_disk | 0 | | min_ram | 0 | | name | good-image | | owner| 88cffb9c8aee457788066c97b359585b | | protected| False | | size | 145 | | status | active | | tags | [] | | updated_at | 2015-10-02T12:43:34Z | | virtual_size | None | | visibility | private | +--+--+ but if you then set the get_image_location policy to role:admin, most calls return 403: $ glance --os-image-api-version 2 image-list 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) etc. As https://review.openstack.org/#/c/48401/ says: 1. A user should be able to list/show/update/download image without needing permission on get_image_location. 2. A policy failure should result in a 403 return code. We're getting a 500 This is v2 only, v1 works ok. To manage notifications about this bug go to: https://bugs.launchpad.net/glance/+bug/1502136/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1502136] Re: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set
** Also affects: glance (Ubuntu) Importance: Undecided Status: New ** Changed in: glance (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1502136 Title: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set Status in Glance: Fix Released Status in glance package in Ubuntu: Fix Released Status in glance source package in Trusty: In Progress Status in glance source package in Xenial: Fix Released Bug description: If, in glance-api.conf you set: show_multiple_locations = true Things work as expected: $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 +--+--+ | Property | Value | +--+--+ | checksum | 9cb02fe7fcac26f8a25d6db3109063ae | | container_format | bare | | created_at | 2015-10-02T12:43:33Z | | disk_format | raw | | id | 13ae74f0-74bf-4792-a8bb-7c622abc5410 | | locations| [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", | | | "metadata": {}}] | | min_disk | 0 | | min_ram | 0 | | name | good-image | | owner| 88cffb9c8aee457788066c97b359585b | | protected| False | | size | 145 | | status | active | | tags | [] | | updated_at | 2015-10-02T12:43:34Z | | virtual_size | None | | visibility | private | +--+--+ but if you then set the get_image_location policy to role:admin, most calls return 403: $ glance --os-image-api-version 2 image-list 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) etc. As https://review.openstack.org/#/c/48401/ says: 1. A user should be able to list/show/update/download image without needing permission on get_image_location. 2. A policy failure should result in a 403 return code. We're getting a 500 This is v2 only, v1 works ok. To manage notifications about this bug go to: https://bugs.launchpad.net/glance/+bug/1502136/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1502136] Re: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set
Reviewed: https://review.openstack.org/233622 Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=f07f36fa3789a4997b84639530e5d6ab1c603983 Submitter: Jenkins Branch:master commit f07f36fa3789a4997b84639530e5d6ab1c603983 Author: kairat_kushaevDate: Mon Oct 12 15:56:58 2015 +0300 Allow image-list if access to attrs is forbidden If access to some attributes is forbidden (f.e. get_image_location policy is set to role:admin and user is not admin) glance should just exclude these attributes from image-show, image-list output instead of generating Forbidden exception. Otherwise, the policies such as get_image_location is not useful. APIImpact SecurityImpact Change-Id: I5a6f587086e926a1f7e9b3f1dac9d7e10710d72a Closes-bug: #1502136 ** Changed in: glance Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1502136 Title: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set Status in Glance: Fix Released Bug description: If, in glance-api.conf you set: show_multiple_locations = true Things work as expected: $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 +--+--+ | Property | Value | +--+--+ | checksum | 9cb02fe7fcac26f8a25d6db3109063ae | | container_format | bare | | created_at | 2015-10-02T12:43:33Z | | disk_format | raw | | id | 13ae74f0-74bf-4792-a8bb-7c622abc5410 | | locations| [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", | | | "metadata": {}}] | | min_disk | 0 | | min_ram | 0 | | name | good-image | | owner| 88cffb9c8aee457788066c97b359585b | | protected| False | | size | 145 | | status | active | | tags | [] | | updated_at | 2015-10-02T12:43:34Z | | virtual_size | None | | visibility | private | +--+--+ but if you then set the get_image_location policy to role:admin, most calls return 403: $ glance --os-image-api-version 2 image-list 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) $ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410 403 Forbidden: You are not authorized to complete this action. (HTTP 403) etc. As https://review.openstack.org/#/c/48401/ says: 1. A user should be able to list/show/update/download image without needing permission on get_image_location. 2. A policy failure should result in a 403 return code. We're getting a 500 This is v2 only, v1 works ok. To manage notifications about this bug go to: https://bugs.launchpad.net/glance/+bug/1502136/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp