Public bug reported:

v2 api returns 200 with blank response (no image data) for
download_image policy

If you have enabled the download_image policy in policy.json as "role:admin", then
it should return a 403 error if a user with a role other than admin calls the
image-download API.
Presently it returns 200 with a blank response (no image data). If you
enable the cache filter, then it returns the 403 error correctly.

Steps to reproduce:

1. Ensure the following flavor is set in glance-api.conf
   [paste-deploy]
   flavor = keystone+cachemanagement

2. Disable cache
   a. Open /etc/glance/glance-api-paste.ini file.
   b. Remove cache from the following sections.
     [pipeline:glance-api-caching]
     [pipeline:glance-api-cachemanagement]
     [pipeline:glance-api-keystone+caching]
     [pipeline:glance-api-keystone+cachemanagement]
     [pipeline:glance-api-trusted-auth+cachemanagement]
   c. Save and exit from file.
   d. Restart the g-api (glance-api) service.

3. Ensure that 'download_image' policy is set in policy.json
   "download_image": "role:admin"

4. Download image using v2 api for role other than admin
   a. source openrc normal_user normal_user
   b. glance --os-image-api-version 2 image-download <image-id>
   
   Output:
   -------
   ''
   
   glance-api screen log:
   ----------------------
        2014-06-05 12:45:00.711 24883 INFO glance.wsgi.server [-] Traceback (most recent call last):
          File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 395, in handle_one_response
                for data in result:
          File "/mnt/stack/glance/glance/notifier.py", line 228, in get_data
                for chunk in self.image.get_data():
          File "/mnt/stack/glance/glance/api/policy.py", line 233, in get_data
                self.policy.enforce(self.context, 'download_image', {})
          File "/mnt/stack/glance/glance/api/policy.py", line 143, in enforce
                exception.Forbidden, action=action)
          File "/mnt/stack/glance/glance/api/policy.py", line 131, in _check
                return policy.check(rule, target, credentials, *args, **kwargs)
          File "/mnt/stack/glance/glance/openstack/common/policy.py", line 183, in check
                raise exc(*args, **kwargs)
        Forbidden: You are not authorized to complete this action.
        2014-06-05 12:45:00.711 24883 INFO glance.wsgi.server [-] 10.146.146.4 - - [05/Jun/2014 12:45:00] "GET /v2/images/63826dea-e281-4ffe-821b-f598c747ba54/file HTTP/1.1" 200 0 0.062499

** Affects: glance
     Importance: Undecided
         Status: New


** Tags: ntt

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1326781

Title:
  v2 api returns 200 with blank response (no image data) for
  download_image policy

Status in OpenStack Image Registry and Delivery Service (Glance):
  New
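
The traceback in the report shows the policy check raising Forbidden inside get_data while the server iterates the response body, and the request is then logged as 200 with 0 bytes. The following is an added example, not part of the original report and not Glance code: `enforce`, `lazy_app`, `eager_app` and `serve` are hypothetical names, and `serve` is a simplified stand-in for a WSGI server loop. It contrasts a check deferred into the body iterator with one made before the status is set.

```python
# Added illustration; every name here is hypothetical, not Glance's code.
class Forbidden(Exception):
    """Stand-in for the policy failure seen in the traceback."""

IMAGE_DATA = [b"chunk-1", b"chunk-2"]  # constructed sample image bytes


def enforce(roles, required="admin"):
    # Models "download_image": "role:admin" from policy.json.
    if required not in roles:
        raise Forbidden("You are not authorized to complete this action.")


def lazy_app(environ, start_response):
    """Policy is checked only when the body iterator is consumed."""
    def body():
        enforce(environ["roles"])  # runs after the status has been chosen
        yield from IMAGE_DATA
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return body()


def eager_app(environ, start_response):
    """Policy is checked before any status is committed."""
    try:
        enforce(environ["roles"])
    except Forbidden as exc:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return iter(IMAGE_DATA)


def serve(app, roles):
    """Simplified server loop: the status is fixed before the body is read."""
    sent = {}
    def start_response(status, headers):
        sent["status"] = status
    result = app({"roles": roles}, start_response)
    data = b""
    try:
        for chunk in result:
            data += chunk
    except Forbidden:
        pass  # too late to change the status; the client gets an empty body
    return sent["status"], data


if __name__ == "__main__":
    for app in (lazy_app, eager_app):
        print(app.__name__, serve(app, ["member"]), serve(app, ["admin"]))
```

A regression test for this class of bug should assert on the HTTP status for a non-admin caller, not only on the absence of image data.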
