yahoo-eng-team team mailing list archive

[Bug 1235378] [NEW] 'image_download' role in v2 causes traceback

 

You have been subscribed to a public bug:

If you enable the 'image_download' policy as follows:


 { 
    "context_is_admin":  "role:admin",
    "download_image":  "role:admin", <<<
    "default": "",
    "manage_image_cache": "role:admin"
 }

And attempt to download using the v2 API, you get 200 rather than 403 (but, correctly, no data)
and a stack trace on the server:

6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
6234 DEBUG glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Tee'ing image '42c834df-3b35-4982-aed6-ffa4a44d3778' into cache
6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
6234 DEBUG glance.image_cache.drivers.sqlite [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Fetch of cache file failed (You are not authorized to complete this action.), rolling back by moving '/opt/stack/data/glance/cache/incomplete/42c834df-3b35-4982-aed6-ffa4a44d3778' to '/opt/stack/data/glance/cache/invalid/42c834df-3b35-4982-aed6-ffa4a44d3778'
6234 ERROR glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] You are not authorized to complete this action.
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Traceback (most recent call last):
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     for chunk in image_iter:
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     for chunk in self.image.get_data():
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     self.policy.enforce(self.context, 'download_image', {})
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     exception.Forbidden, action=action)
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     return policy.check(rule, target, credentials, *args, **kwargs)
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     raise exc(*args, **kwargs)
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Forbidden: You are not authorized to complete this action.
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache 
6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/eventlet/wsgi.py", line 402, in handle_one_response
    for data in result:
  File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
    for chunk in image_iter:
  File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
    for chunk in self.image.get_data():
  File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
    self.policy.enforce(self.context, 'download_image', {})
  File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
    exception.Forbidden, action=action)
  File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
    return policy.check(rule, target, credentials, *args, **kwargs)
  File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
    raise exc(*args, **kwargs)
Forbidden: You are not authorized to complete this action.
6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] 10.6.249.22 - - [04/Oct/2013 17:34:47] "GET /v2/images/42c834df-3b35-4982-aed6-ffa4a44d3778/file HTTP/1.1" 200 0 0.048832

** Affects: glance
     Importance: Undecided
         Status: New


** Tags: havana-rc-potential
-- 
'image_download' role in v2 causes traceback
https://bugs.launchpad.net/bugs/1235378
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance.
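
Added example, not part of the original bug report and not Glance code: the traceback above shows the `download_image` check firing inside the body iterator while the server is already looping over the response, which is consistent with the logged `200 0`. The sketch below reproduces that pattern with a toy WSGI-style loop and shows a variant that checks policy before the status line is committed; `enforce`, `lazy_app`, `eager_app` and `serve` are hypothetical names and the rule parser is a simplified stand-in.

```python
class Forbidden(Exception):
    """Stand-in for the policy failure seen in the traceback."""


def enforce(roles, action, rules):
    # Minimal "role:<name>" rule check; an empty rule allows everyone.
    rule = rules.get(action, rules.get("default", ""))
    if rule and rule.split(":", 1)[1] not in roles:
        raise Forbidden("You are not authorized to complete this action.")


RULES = {"download_image": "role:admin", "default": ""}  # as in the report


def image_chunks(roles):
    # Generator: nothing here runs until the server starts iterating.
    enforce(roles, "download_image", RULES)
    yield b"image-bytes"


def lazy_app(environ, start_response):
    # Status is committed before the policy check has run.
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return image_chunks(environ["roles"])


def eager_app(environ, start_response):
    # Check first, so a denial can still choose the status line.
    try:
        enforce(environ["roles"], "download_image", RULES)
    except Forbidden as exc:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return [b"image-bytes"]


def serve(app, roles):
    """Toy server loop: returns (status, body, error raised mid-stream)."""
    sent = {}
    def start_response(status, headers):
        sent["status"] = status
    body, error = b"", None
    try:
        for chunk in app({"roles": roles}, start_response):
            body += chunk
    except Forbidden as exc:
        error = str(exc)
    return sent["status"], body, error
```

With a non-admin caller, `serve(lazy_app, ["member"])` yields a 200 with an empty body and a mid-stream error, while `serve(eager_app, ["member"])` yields a 403.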