** Changed in: glance/grizzly
     Assignee: (unassigned) => Stuart McLaren (stuart-mclaren)

** Changed in: glance/grizzly
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1235378

Title:
  'image_download' role in v2 causes traceback

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance folsom series:
  Fix Committed
Status in Glance grizzly series:
  Fix Released
Status in OpenStack Security Advisories:
  In Progress

Bug description:
  If you enable the 'image_download' policy as follows:


   { 
      "context_is_admin":  "role:admin",
      "download_image":  "role:admin", <<<
      "default": "",
      "manage_image_cache": "role:admin"
   }

  And attempt to download using the v2 api you get 200 rather than 403 (but, correctly, no data) and a stack trace on the server:

  6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
  6234 DEBUG glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Tee'ing image '42c834df-3b35-4982-aed6-ffa4a44d3778' into cache
  6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
  6234 DEBUG glance.image_cache.drivers.sqlite [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Fetch of cache file failed (You are not authorized to complete this action.), rolling back by moving '/opt/stack/data/glance/cache/incomplete/42c834df-3b35-4982-aed6-ffa4a44d3778' to '/opt/stack/data/glance/cache/invalid/42c834df-3b35-4982-aed6-ffa4a44d3778'
  6234 ERROR glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] You are not authorized to complete this action.
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Traceback (most recent call last):
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     for chunk in image_iter:
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     for chunk in self.image.get_data():
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     self.policy.enforce(self.context, 'download_image', {})
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     exception.Forbidden, action=action)
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     return policy.check(rule, target, credentials, *args, **kwargs)
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     raise exc(*args, **kwargs)
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Forbidden: You are not authorized to complete this action.
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache
  6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Traceback (most recent call last):
    File "/usr/local/lib/python2.7/dist-packages/eventlet/wsgi.py", line 402, in handle_one_response
      for data in result:
    File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
      for chunk in image_iter:
    File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
      for chunk in self.image.get_data():
    File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
      self.policy.enforce(self.context, 'download_image', {})
    File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
      exception.Forbidden, action=action)
    File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
      return policy.check(rule, target, credentials, *args, **kwargs)
    File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
      raise exc(*args, **kwargs)
  Forbidden: You are not authorized to complete this action.
  6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] 10.6.249.22 - - [04/Oct/2013 17:34:47] "GET /v2/images/42c834df-3b35-4982-aed6-ffa4a44d3778/file HTTP/1.1" 200 0 0.048832
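
Added example, not part of the original report, not Glance code and not the fix that was released: the traceback shows `policy.enforce` running inside `get_data` while eventlet is already iterating the response body, which is why the denial surfaces as a server-side exception under a 200 instead of a 403. The two minimal WSGI apps below reproduce that ordering and contrast it with a check made before `start_response`; `lazy_app`, `eager_app`, `call`, `POLICY` and the `test.roles` environ key are hypothetical names.

```python
class Forbidden(Exception):
    pass

# Constructed policy mirroring the report: only role "admin" may download.
POLICY = {"download_image": "admin"}

def enforce(roles, action):
    if POLICY[action] not in roles:
        raise Forbidden("You are not authorized to complete this action.")

def image_chunks(roles):
    # Generator body: nothing here runs until the server iterates it.
    enforce(roles, "download_image")
    yield b"chunk-1"
    yield b"chunk-2"

def lazy_app(environ, start_response):
    # The status line is committed before the policy check has run.
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return image_chunks(environ["test.roles"])

def eager_app(environ, start_response):
    # Check first, so a denial can still be turned into a 403.
    try:
        enforce(environ["test.roles"], "download_image")
    except Forbidden as exc:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return iter([b"chunk-1", b"chunk-2"])

def call(app, roles):
    """Drive a WSGI app as a server would; return (status, body, error)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body, error = b"", None
    try:
        for chunk in app({"test.roles": roles}, start_response):
            body += chunk
    except Forbidden as exc:
        error = str(exc)  # what the server would log as a traceback
    return seen["status"], body, error

if __name__ == "__main__":
    for app in (lazy_app, eager_app):
        for roles in (["member"], ["admin"]):
            print(app.__name__, roles, call(app, roles))
```

For a non-admin caller, `lazy_app` yields a 200 with an empty body plus a raised `Forbidden`, matching the `200 0` access-log line above, while `eager_app` returns a 403.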
