Looks like there's nothing for Glance to do on this. Thanks for doing
the research to track down the fix, Abhishek.
** Changed in: glance
Status: New => Triaged
** Changed in: glance
Importance: Undecided => Medium
** Changed in: glance
Status: Triaged => Fix Released
** Changed in: glance
Milestone: None => queens-3
--
https://bugs.launchpad.net/bugs/1736332
Title:
Image verification returns 500 if invalid
'img_signature_certificate_uuid' is specified
Status in Glance:
Fix Released
Bug description:
If image signature verification is enabled and an invalid (non-existing)
'img_signature_certificate_uuid' is specified while creating an image,
image creation fails and returns a 500 Internal Server Error to the
user. The reason is that it returns
'ManagedObjectNotFoundError: Key not found, uuid: <non-existing-uuid>',
which is not caught.
Ideally it should return HTTP 400 Bad Request to the user.
Pre-requisites:
1. Ensure Barbican is enabled
2. Create Keys and Certificate (Reference
https://etherpad.openstack.org/p/mitaka-glance-image-signing-instructions#90)
3. Create Signature (Reference
https://etherpad.openstack.org/p/mitaka-glance-image-signing-instructions#184)
and note down output of 'signature_64'
4. Create context and upload certificate using context (Reference
https://etherpad.openstack.org/p/glance-image-signing-create-context) and note
down output of 'cert_uuid'
Steps to reproduce:
1. Upload Image to Glance, with Signature Metadata
   img_signature_certificate_uuid = 'fb67edd2-95ef-404b-9af2-910708c6d9b7'
   (different than noted in Pre-requisites section Point 4)
   img_signature_hash_method = 'SHA-256'
   img_signature_key_type = 'RSA-PSS'
   img_signature = 'ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4HBKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYbbsqW6d/obgM='
   (Same which is noted in Pre-requisites section Point 4 as 'signature_64')

$ glance image-create --property name=cirrosSignedImage_goodSignature \
    --property is-public=true \
    --container-format bare --disk-format qcow2 \
    --property img_signature='ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4HBKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYbbsqW6d/obgM=' \
    --property img_signature_certificate_uuid='fb67edd2-95ef-404b-9af2-910708c6d9b7' \
    --property img_signature_hash_method='SHA-256' \
    --property img_signature_key_type='RSA-PSS' \
    --file cirros-0.3.2-source.tar.gz
Actual Output:
$ 500 Internal Server Error: The server has either erred or is incapable
of performing the requested operation. (HTTP 500)
Expected Output:
$ 400 HTTP Bad Request: Secret incorrectly specified. (HTTP 400)
NOTE: Image remains in queued status forever.
+--------------------------------+----------------------------------------------------------------------------------+
| Property                       | Value                                                                            |
+--------------------------------+----------------------------------------------------------------------------------+
| checksum                       | None                                                                             |
| container_format               | bare                                                                             |
| created_at                     | 2017-12-05T06:25:51Z                                                             |
| disk_format                    | qcow2                                                                            |
| id                             | c78598f5-23ac-46e8-8626-c908b5b830df                                             |
| img_signature                  | ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4H |
|                                | BKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYb |
|                                | bsqW6d/obgM=                                                                     |
| img_signature_certificate_uuid | fb67edd2-95ef-404b-9af2-910708c6d9b9                                             |
| img_signature_hash_method      | SHA-256                                                                          |
| img_signature_key_type         | RSA-PSS                                                                          |
| is-public                      | true                                                                             |
| min_disk                       | 0                                                                                |
| min_ram                        | 0                                                                                |
| name                           | cirrosSignedImage_goodSignature                                                  |
| owner                          | 4f186fe25c934eeb95186fd0c5afda49                                                 |
| protected                      | False                                                                            |
| size                           | None                                                                             |
| status                         | queued                                                                           |
| tags                           | []                                                                               |
| updated_at                     | 2017-12-05T06:25:51Z                                                             |
| virtual_size                   | None                                                                             |
| visibility                     | shared                                                                           |
+--------------------------------+----------------------------------------------------------------------------------+
Glance-api logs:
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
barbicanclient.client [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo
admin] 4xx Client error: Not Found: Not Found. Sorry but your secret is in
another castle.
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
castellan.key_manager.barbican_key_manager [None
req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] Error retrieving object:
Not Found: Not Found. Sorry but your secret is in another castle.:
HTTPClientError: Not Found: Not Found. Sorry but your secret is in another
castle.
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.api.v2.image_data [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo
admin] Failed to upload image data due to internal error:
ManagedObjectNotFoundError: Key not found, uuid:
fb67edd2-95ef-404b-9af2-910708c6d9b9
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin]
Caught error: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9:
ManagedObjectNotFoundError: Key not found, uuid:
fb67edd2-95ef-404b-9af2-910708c6d9b9
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi Traceback (most recent call last):
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File "/opt/stack/glance/glance/common/wsgi.py", line 1222,
in __call__
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi request, **action_args)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File "/opt/stack/glance/glance/common/wsgi.py", line 1261,
in dispatch
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi return method(*args, **kwargs)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File "/opt/stack/glance/glance/common/utils.py", line 363,
in wrapped
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi return func(self, req, *args, **kwargs)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File "/opt/stack/glance/glance/api/v2/image_data.py", line
269, in upload
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi self._restore(image_repo, image)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File
"/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi self.force_reraise()
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File
"/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in
force_reraise
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi six.reraise(self.type_, self.value, self.tb)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File "/opt/stack/glance/glance/api/v2/image_data.py", line
134, in upload
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi image.set_data(data, size)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File "/opt/stack/glance/glance/domain/proxy.py", line 195,
in set_data
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi self.base.set_data(data, size)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File "/opt/stack/glance/glance/notifier.py", line 480, in
set_data
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi _send_notification(notify_error, 'image.upload', msg)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File
"/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi self.force_reraise()
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File
"/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in
force_reraise
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi six.reraise(self.type_, self.value, self.tb)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File "/opt/stack/glance/glance/notifier.py", line 427, in
set_data
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi self.repo.set_data(data, size)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File "/opt/stack/glance/glance/api/policy.py", line 194,
in set_data
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi return self.image.set_data(*args, **kwargs)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File "/opt/stack/glance/glance/quota/__init__.py", line
304, in set_data
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi self.image.set_data(data, size=size)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File "/opt/stack/glance/glance/location.py", line 427, in
set_data
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi img_signature_key_type=key_type
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File
"/usr/lib/python2.7/site-packages/cursive/signature_utils.py", line 232, in
get_verifier
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi signature_key_type)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File
"/usr/lib/python2.7/site-packages/cursive/signature_utils.py", line 287, in
get_public_key
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi certificate = get_certificate(context,
signature_certificate_uuid)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File
"/usr/lib/python2.7/site-packages/cursive/signature_utils.py", line 316, in
get_certificate
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi cert = keymgr_api.get(context,
signature_certificate_uuid)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi File
"/usr/lib/python2.7/site-packages/castellan/key_manager/barbican_key_manager.py",
line 564, in get
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi uuid=managed_object_id)
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi ManagedObjectNotFoundError: Key not found, uuid:
fb67edd2-95ef-404b-9af2-910708c6d9b9
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: ERROR
glance.common.wsgi
Dec 05 06:25:51 signature-test.rdocloud [email protected][25628]: [pid:
25630|app: 0|req: 108/214] 127.0.0.1 () {40 vars in 692 bytes} [Tue Dec 5
06:25:51 2017] PUT /v2/images/c78598f5-23ac-46e8-8626-c908b5b830df/file =>
generated 228 bytes in 163 msecs (HTTP/1.1 500) 4 headers in 184 bytes (1
switches on core 0)
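
Added example (not code from Glance, cursive or castellan): a minimal model of the failure reported above, showing a caller-supplied certificate UUID reaching the key manager unguarded (HTTP 500) next to a guarded lookup that maps it to HTTP 400. The exception class is a local stand-in named after the one in the traceback; StubKeyManager, BadSignatureMetadata, handle_upload and the KNOWN UUID are hypothetical names constructed for this illustration.

```python
import uuid

class ManagedObjectNotFoundError(Exception):
    """Local stand-in for the castellan exception seen in the traceback."""

class BadSignatureMetadata(Exception):
    """Hypothetical error type for unusable client-supplied signature properties."""

class StubKeyManager:
    """Constructed in-memory stand-in for a Barbican-backed key manager."""
    def __init__(self, certs):
        self._certs = dict(certs)

    def get(self, context, object_id):
        if object_id not in self._certs:
            raise ManagedObjectNotFoundError("Key not found, uuid: %s" % object_id)
        return self._certs[object_id]

def get_certificate_unguarded(keymgr, context, cert_uuid):
    # Behaviour from the report: the not-found error escapes to the API layer.
    return keymgr.get(context, cert_uuid)

def get_certificate_guarded(keymgr, context, cert_uuid):
    # The UUID is caller-controlled, so check its shape before any lookup.
    try:
        uuid.UUID(cert_uuid)
    except (TypeError, ValueError, AttributeError):
        raise BadSignatureMetadata("img_signature_certificate_uuid is not a UUID")
    # A missing object is a problem with the request, not a server fault.
    try:
        return keymgr.get(context, cert_uuid)
    except ManagedObjectNotFoundError:
        raise BadSignatureMetadata("Unable to retrieve certificate %s" % cert_uuid)

def handle_upload(lookup, keymgr, props):
    """Simulated API layer: returns the HTTP status a client would see."""
    try:
        lookup(keymgr, None, props.get("img_signature_certificate_uuid"))
    except BadSignatureMetadata:
        return 400
    except Exception:
        return 500  # catch-all, like the "Caught error" line in the log above
    return 204

KNOWN = "11111111-2222-3333-4444-555555555555"    # constructed sample UUID
MISSING = "fb67edd2-95ef-404b-9af2-910708c6d9b7"  # UUID used in the report
KEYMGR = StubKeyManager({KNOWN: "-----constructed certificate-----"})
```
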