Reviewed:  https://review.openstack.org/51044
Committed: http://github.com/openstack/glance/commit/005904da775a809d4319310d6e3a79104aa27ba1
Submitter: Jenkins
Branch:    milestone-proposed

commit 005904da775a809d4319310d6e3a79104aa27ba1
Author: Fei Long Wang <[email protected]>
Date:   Thu Sep 26 15:49:01 2013 +0800

    Glance GET /v2/images fails with 500 due to erroneous policy check

    This patch will fix below two issues of V2 ResponseSerializer for
    images-list, image-show, image-update and image-download.
    1. A user should be able to list/show/update/download image without
       needing permission on get_image_location.
    2. A policy failure should result in a 403 return code. We're
       getting a 500.

    Fixes bug 1231255

    Change-Id: Ie0ec2d574eea4433c4f610ec66a22cb16cae6dc6

** Changed in: glance
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1231255

Title:
  Glance GET /v2/images fails with 500 due to erroneous policy check

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released

Bug description:
  A user with 'viewer' authority per the following policy receives a
  500 error when calling glance v2/images. The user is successfully
  able to get a list of images and details when calling
  /v1/images/detail.

  Policy:

  {
      "admin_only": "role:admin",
      "admin_or_deployer": "role:admin or role:deployer",
      "admin_or_deployer_or_viewer": "role:admin or role:deployer or role:viewer",
      "default": "rule:admin_or_deployer",
      "get_images": "rule:admin_or_deployer_or_viewer",
      "get_image": "rule:admin_or_deployer_or_viewer",
      "download_image": "rule:admin_or_deployer",
      "add_image": "rule:admin_or_deployer",
      "modify_image": "rule:admin_or_deployer",
      "publicize_image": "rule:admin_or_deployer",
      "delete_image": "rule:admin_or_deployer",
      "manage_image_cache": "role:admin"
  }

  Based on the investigation, it is due to a failed policy check on the
  'get_image_location' rule while the REST response is being
  serialized. There are several things wrong with this:

  1. A user should be able to list images without needing permission on
     get_image_location

  2. Image location output on the image detail APIs is controlled by
     these Glance CONF settings CONF.show_multiple_location and
     CONF.show_image_direct_url. By default, both of them are False so
     the location would not be getting returned anyway, so there would
     be no need to do the policy check in this particular case.

  3. A policy failure should result in a 403 return code. We're getting
     a 500.
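The behaviour the report asks for, sketched as an added Python example (not Glance's code and not the committed patch): the location rule is consulted only when the field would be emitted, a denial there omits the field, and a denial on the request itself maps to 403. The function names, the simplified rule evaluator, the flag stand-in and the sample image are assumptions made for illustration.

```python
# Added illustration, not Glance code. All names here are hypothetical.
POLICY = {  # subset of the policy quoted in the bug description
    "admin_or_deployer": "role:admin or role:deployer",
    "admin_or_deployer_or_viewer": "role:admin or role:deployer or role:viewer",
    "default": "rule:admin_or_deployer",
    "get_images": "rule:admin_or_deployer_or_viewer",
}
SHOW_IMAGE_DIRECT_URL = False  # stands in for CONF.show_image_direct_url

class Forbidden(Exception):
    """Policy denial; must surface as HTTP 403, never as 500."""

def allowed(action, roles, policy=POLICY):
    # An action with no rule of its own (get_image_location here)
    # falls back to "default", which excludes the viewer role.
    rule = policy.get(action, policy["default"])
    for term in rule.split(" or "):
        kind, _, name = term.strip().partition(":")
        if kind == "role" and name in roles:
            return True
        if kind == "rule" and allowed(name, roles, policy):
            return True
    return False

def enforce(action, roles):
    if not allowed(action, roles):
        raise Forbidden(action)

def serialize(image, roles, show_direct_url=SHOW_IMAGE_DIRECT_URL):
    body = {"id": image["id"], "name": image["name"]}
    # Check the location rule only if the field would be returned at all,
    # and treat a denial as "omit the field", not as a failed request.
    if show_direct_url and allowed("get_image_location", roles):
        body["direct_url"] = image["location"]
    return body

def list_images(images, roles, show_direct_url=SHOW_IMAGE_DIRECT_URL):
    """Return (status, body) for a GET /v2/images style request."""
    try:
        enforce("get_images", roles)
        return 200, [serialize(i, roles, show_direct_url) for i in images]
    except Forbidden as exc:
        return 403, {"error": "forbidden: %s" % exc}

# Constructed sample data.
IMAGES = [{"id": "1", "name": "cirros", "location": "file:///constructed/path"}]
```
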

