** Changed in: glance/grizzly
     Assignee: (unassigned) => Stuart McLaren (stuart-mclaren)

** Changed in: glance/grizzly
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1235378

Title:
  'image_download' role in v2 causes traceback

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance folsom series:
  Fix Committed
Status in Glance grizzly series:
  Fix Released
Status in OpenStack Security Advisories:
  In Progress

Bug description:
  If you enable the 'image_download' policy as follows:

  {
      "context_is_admin": "role:admin",
      "download_image": "role:admin",    <<<
      "default": "",
      "manage_image_cache": "role:admin"
  }

  And attempt to download using the v2 api you get 200 rather than 403
  (but, correctly, no data) and a stack trace on the server:

  6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
  6234 DEBUG glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Tee'ing image '42c834df-3b35-4982-aed6-ffa4a44d3778' into cache
  6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
  6234 DEBUG glance.image_cache.drivers.sqlite [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Fetch of cache file failed (You are not authorized to complete this action.), rolling back by moving '/opt/stack/data/glance/cache/incomplete/42c834df-3b35-4982-aed6-ffa4a44d3778' to '/opt/stack/data/glance/cache/invalid/42c834df-3b35-4982-aed6-ffa4a44d3778'
  6234 ERROR glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] You are not authorized to complete this action.
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Traceback (most recent call last):
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     for chunk in image_iter:
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     for chunk in self.image.get_data():
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     self.policy.enforce(self.context, 'download_image', {})
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     exception.Forbidden, action=action)
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     return policy.check(rule, target, credentials, *args, **kwargs)
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     raise exc(*args, **kwargs)
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Forbidden: You are not authorized to complete this action.
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache
  6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Traceback (most recent call last):
    File "/usr/local/lib/python2.7/dist-packages/eventlet/wsgi.py", line 402, in handle_one_response
      for data in result:
    File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
      for chunk in image_iter:
    File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
      for chunk in self.image.get_data():
    File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
      self.policy.enforce(self.context, 'download_image', {})
    File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
      exception.Forbidden, action=action)
    File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
      return policy.check(rule, target, credentials, *args, **kwargs)
    File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
      raise exc(*args, **kwargs)
  Forbidden: You are not authorized to complete this action.
  6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] 10.6.249.22 - - [04/Oct/2013 17:34:47] "GET /v2/images/42c834df-3b35-4982-aed6-ffa4a44d3778/file HTTP/1.1" 200 0 0.048832

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1235378/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp