Public bug reported:

v2 api returns 200 with blank response (no image data) for download_image policy

If you have set the download_image policy in policy.json to "role:admin", then it should return a 403 error if a user with a role other than admin calls the image-download api. Presently it returns 200 with a blank response (no image data). If you enable the cache filter, then it returns the 403 error correctly.

Steps to reproduce:

1. Ensure the following flavor is set in glance-api.conf

   [paste-deploy]
   flavor = keystone+cachemanagement

2. Disable cache
   a. Open the /etc/glance/glance-api-paste.ini file.
   b. Remove cache from the following sections.
      [pipeline:glance-api-caching]
      [pipeline:glance-api-cachemanagement]
      [pipeline:glance-api-keystone+caching]
      [pipeline:glance-api-keystone+cachemanagement]
      [pipeline:glance-api-trusted-auth+cachemanagement]
   c. Save and exit from the file.
   d. Restart the g-api (glance-api) service.

3. Ensure that the 'download_image' policy is set in policy.json

   "download_image": "role:admin"

4. Download an image using the v2 api with a role other than admin
   a. source openrc normal_user normal_user
   b. glance --os-image-api-version 2 image-download <image-id>

Output:
-------
''

glance-api screen log:
----------------------
2014-06-05 12:45:00.711 24883 INFO glance.wsgi.server [-] Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 395, in handle_one_response
    for data in result:
  File "/mnt/stack/glance/glance/notifier.py", line 228, in get_data
    for chunk in self.image.get_data():
  File "/mnt/stack/glance/glance/api/policy.py", line 233, in get_data
    self.policy.enforce(self.context, 'download_image', {})
  File "/mnt/stack/glance/glance/api/policy.py", line 143, in enforce
    exception.Forbidden, action=action)
  File "/mnt/stack/glance/glance/api/policy.py", line 131, in _check
    return policy.check(rule, target, credentials, *args, **kwargs)
  File "/mnt/stack/glance/glance/openstack/common/policy.py", line 183, in check
    raise exc(*args, **kwargs)
Forbidden: You are not authorized to complete this action.
2014-06-05 12:45:00.711 24883 INFO glance.wsgi.server [-] 10.146.146.4 - - [05/Jun/2014 12:45:00] "GET /v2/images/63826dea-e281-4ffe-821b-f598c747ba54/file HTTP/1.1" 200 0 0.062499

** Affects: glance
     Importance: Undecided
         Status: New

** Tags: ntt

https://bugs.launchpad.net/bugs/1326781

Title:
  v2 api returns 200 with blank response (no image data) for download_image policy

Status in OpenStack Image Registry and Delivery Service (Glance):
  New
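
The traceback above shows the download_image check running inside get_data while the server iterates the response body, after the 200 status was already chosen. The sketch below is an added example, not Glance code: Forbidden, enforce, lazy_app, eager_app and serve are hypothetical names, and serve is a simplified stand-in for a WSGI server loop.

```python
class Forbidden(Exception):
    pass

POLICY = {"download_image": "role:admin"}  # rule from the report's policy.json

def enforce(roles, action):
    """Raise Forbidden unless the caller holds the role the rule names."""
    required = POLICY[action].split(":", 1)[1]
    if required not in roles:
        raise Forbidden("You are not authorized to complete this action.")

def image_chunks(roles):
    # Generator: nothing here runs until the server starts iterating the body.
    enforce(roles, "download_image")
    yield b"constructed-image-bytes"

def lazy_app(environ, start_response):
    """Pattern seen in the traceback: the check lives inside the body iterator."""
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return image_chunks(environ["roles"])

def eager_app(environ, start_response):
    """Check before start_response, so the status line can carry the denial."""
    try:
        enforce(environ["roles"], "download_image")
    except Forbidden as exc:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return [b"constructed-image-bytes"]

def serve(app, roles):
    """Simplified stand-in for a WSGI server loop (assumption, not eventlet's code)."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b""
    try:
        for chunk in app({"roles": roles}, start_response):
            body += chunk
    except Forbidden:
        pass  # too late to change the status; the server can only log the error
    return seen["status"], body

if __name__ == "__main__":
    for app in (lazy_app, eager_app):
        print(app.__name__, serve(app, ["member"]), serve(app, ["admin"]))
```

A regression test for this bug should assert on the HTTP status of a denied download, not only on the absence of image data, since both variants return no image bytes to the non-admin caller.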