yahoo-eng-team team mailing list archive

[Bug 1231255] Re: Glance GET /v2/images fails with 500 due to erroneous policy check

 

Reviewed:  https://review.openstack.org/51044
Committed: http://github.com/openstack/glance/commit/005904da775a809d4319310d6e3a79104aa27ba1
Submitter: Jenkins
Branch:    milestone-proposed

commit 005904da775a809d4319310d6e3a79104aa27ba1
Author: Fei Long Wang <flwang@xxxxxxxxxx>
Date:   Thu Sep 26 15:49:01 2013 +0800

    Glance GET /v2/images fails with 500 due to erroneous policy check
    
    This patch will fix the two issues below in the V2 ResponseSerializer for
    images-list, image-show, image-update and image-download.
    
    1. A user should be able to list/show/update/download an image without
    needing permission on get_image_location.
    2. A policy failure should result in a 403 return code. We're
    getting a 500.
    
    Fixes bug 1231255
    
    Change-Id: Ie0ec2d574eea4433c4f610ec66a22cb16cae6dc6


** Changed in: glance
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1231255

Title:
  Glance GET /v2/images fails with 500 due to erroneous policy check

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released

Bug description:
  A user with 'viewer' authority per the following policy receives a 500 error when calling glance v2/images.
  The user is successfully able to get a list of images and details when calling /v1/images/detail.

  Policy:
  {
      "admin_only": "role:admin",
      "admin_or_deployer": "role:admin or role:deployer",
      "admin_or_deployer_or_viewer": "role:admin or role:deployer or role:viewer",
      "default": "rule:admin_or_deployer",

      "get_images": "rule:admin_or_deployer_or_viewer",
      "get_image": "rule:admin_or_deployer_or_viewer",
      "download_image": "rule:admin_or_deployer",
      "add_image": "rule:admin_or_deployer",
      "modify_image": "rule:admin_or_deployer",
      "publicize_image": "rule:admin_or_deployer",
      "delete_image": "rule:admin_or_deployer",

      "manage_image_cache": "role:admin"
  }

  Based on the investigation, it is due to a failed policy check on the
  'get_image_location' rule while the REST response is being serialized.

  There are several things wrong with this:
  1. A user should be able to list images without needing permission on get_image_location.
  2. Image location output on the image detail APIs is controlled by these Glance CONF settings: CONF.show_multiple_location and CONF.show_image_direct_url. By default, both of them are False, so the location would not be returned anyway, and there would be no need to do the policy check in this particular case.
  3. A policy failure should result in a 403 return code. We're getting a 500.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1231255/+subscriptions
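
The behaviour the report asks for, as an added example that is not Glance's code and not part of the original message: the reported policy has no get_image_location rule, so the check lands on "default" and denies the viewer role. Assumptions: a missing rule falls back to "default"; Forbidden, allowed, enforce, serialize and list_images are hypothetical names; the image record is constructed.

```python
import json

# Rules copied from the policy in the bug report (only the ones used here).
POLICY = json.loads("""{
  "admin_or_deployer": "role:admin or role:deployer",
  "admin_or_deployer_or_viewer": "role:admin or role:deployer or role:viewer",
  "default": "rule:admin_or_deployer",
  "get_images": "rule:admin_or_deployer_or_viewer"
}""")

class Forbidden(Exception):
    """Stand-in for the policy-denied exception (hypothetical name)."""

def allowed(action, roles, policy=POLICY):
    # Assumption: an action with no rule of its own is judged by "default".
    expr = policy.get(action, policy["default"])
    for term in expr.split(" or "):
        kind, _, value = term.partition(":")
        if kind == "role" and value in roles:
            return True
        if kind == "rule" and allowed(value, roles, policy):
            return True
    return False

def enforce(action, roles):
    if not allowed(action, roles):
        raise Forbidden(action)

def serialize(image, roles, show_image_direct_url=False):
    view = {"id": image["id"], "name": image["name"]}
    # Consult the location rule only when locations are exposed at all, and
    # treat a denial as "omit the field" rather than a failed request.
    if show_image_direct_url:
        try:
            enforce("get_image_location", roles)
            view["direct_url"] = image["direct_url"]
        except Forbidden:
            pass
    return view

def list_images(images, roles, show_image_direct_url=False):
    """Return (HTTP status, body) for a simplified GET /v2/images."""
    try:
        enforce("get_images", roles)
    except Forbidden as exc:  # a policy denial is a 403, never a 500
        return 403, {"error": "policy does not allow %s" % exc}
    return 200, {"images": [serialize(i, roles, show_image_direct_url) for i in images]}

# Constructed sample image record.
IMAGES = [{"id": "img-1", "name": "cirros", "direct_url": "file:///constructed/img-1"}]
```

Adding an explicit "get_image_location" rule to the policy file is the operator-side way to stop that action from inheriting the stricter "default" rule.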