** Description changed:

+ [Impact]
+ 
  If, in glance-api.conf you set:
  
-  show_multiple_locations = true
+  show_multiple_locations = true
  
  Things work as expected:
  
-  $ glance --os-image-api-version 2 image-show 
13ae74f0-74bf-4792-a8bb-7c622abc5410
-  
+------------------+----------------------------------------------------------------------------------+
-  | Property         | Value                                                   
                         |
-  
+------------------+----------------------------------------------------------------------------------+
-  | checksum         | 9cb02fe7fcac26f8a25d6db3109063ae                        
                         |
-  | container_format | bare                                                    
                         |
-  | created_at       | 2015-10-02T12:43:33Z                                    
                         |
-  | disk_format      | raw                                                     
                         |
-  | id               | 13ae74f0-74bf-4792-a8bb-7c622abc5410                    
                         |
-  | locations        | [{"url": 
"swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410",      |
-  |                  | "metadata": {}}]                                        
                         |
-  | min_disk         | 0                                                       
                         |
-  | min_ram          | 0                                                       
                         |
-  | name             | good-image                                              
                         |
-  | owner            | 88cffb9c8aee457788066c97b359585b                        
                         |
-  | protected        | False                                                   
                         |
-  | size             | 145                                                     
                         |
-  | status           | active                                                  
                         |
-  | tags             | []                                                      
                         |
-  | updated_at       | 2015-10-02T12:43:34Z                                    
                         |
-  | virtual_size     | None                                                    
                         |
-  | visibility       | private                                                 
                         |
-  
+------------------+----------------------------------------------------------------------------------+
+  $ glance --os-image-api-version 2 image-show 
13ae74f0-74bf-4792-a8bb-7c622abc5410
+  
+------------------+----------------------------------------------------------------------------------+
+  | Property         | Value                                                   
                         |
+  
+------------------+----------------------------------------------------------------------------------+
+  | checksum         | 9cb02fe7fcac26f8a25d6db3109063ae                        
                         |
+  | container_format | bare                                                    
                         |
+  | created_at       | 2015-10-02T12:43:33Z                                    
                         |
+  | disk_format      | raw                                                     
                         |
+  | id               | 13ae74f0-74bf-4792-a8bb-7c622abc5410                    
                         |
+  | locations        | [{"url": 
"swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410",      |
+  |                  | "metadata": {}}]                                        
                         |
+  | min_disk         | 0                                                       
                         |
+  | min_ram          | 0                                                       
                         |
+  | name             | good-image                                              
                         |
+  | owner            | 88cffb9c8aee457788066c97b359585b                        
                         |
+  | protected        | False                                                   
                         |
+  | size             | 145                                                     
                         |
+  | status           | active                                                  
                         |
+  | tags             | []                                                      
                         |
+  | updated_at       | 2015-10-02T12:43:34Z                                    
                         |
+  | virtual_size     | None                                                    
                         |
+  | visibility       | private                                                 
                         |
+  
+------------------+----------------------------------------------------------------------------------+
  
  but if you then set the get_image_location policy to role:admin, most
  calls return 403:
  
-  $ glance --os-image-api-version 2 image-list
-  403 Forbidden: You are not authorized to complete this action. (HTTP 403)
+  $ glance --os-image-api-version 2 image-list
+  403 Forbidden: You are not authorized to complete this action. (HTTP 403)
  
-  $ glance --os-image-api-version 2 image-show 
13ae74f0-74bf-4792-a8bb-7c622abc5410
-  403 Forbidden: You are not authorized to complete this action. (HTTP 403)
+  $ glance --os-image-api-version 2 image-show 
13ae74f0-74bf-4792-a8bb-7c622abc5410
+  403 Forbidden: You are not authorized to complete this action. (HTTP 403)
  
-  $ glance --os-image-api-version 2 image-delete 
13ae74f0-74bf-4792-a8bb-7c622abc5410
-  403 Forbidden: You are not authorized to complete this action. (HTTP 403)
+  $ glance --os-image-api-version 2 image-delete 
13ae74f0-74bf-4792-a8bb-7c622abc5410
+  403 Forbidden: You are not authorized to complete this action. (HTTP 403)
  
  etc.
  
  As https://review.openstack.org/#/c/48401/ says:
  
-  1. A user should be able to list/show/update/download image without
-  needing permission on get_image_location.
-  2. A policy failure should result in a 403 return code. We're
-  getting a 500
+  1. A user should be able to list/show/update/download image without
+  needing permission on get_image_location.
+  2. A policy failure should result in a 403 return code. We're
+  getting a 500
  
  This is v2 only, v1 works ok.
+ 
+ [Test Case]
+ 
+ - Set show_multiple_locations = true on glance-api.conf 
+ - Set get_image_location policy to role:admin in /etc/glance/policy.json
+ - Run glance --os-image-api-version 2 image-show 
13ae74f0-74bf-4792-a8bb-7c622abc5410 , This should work.
+ 
+ [Regression Potential]
+ 
+ * None Identified
+ 
+ [Other Info]
+ 
+ * Already backported to mitaka/newton.
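
Review bot: The added [Test Case] exercises only image-show and does not say which role the calling user holds. The description shows image-list and image-delete also returning 403 once get_image_location is set to role:admin, so the steps should run those commands too, as a user without the admin role, and state the expected result for each. Because the bug concerns a policy check, "* None Identified" under [Regression Potential] is thin: say what a non-admin user should see in the locations field after the fix, so a verifier can confirm the policy still withholds it.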

** Tags added: sts sts-sru-needed

https://bugs.launchpad.net/bugs/1502136

Title:
  Everything returns 403 if show_multiple_locations is true and
  get_image_location policy is set
