yahoo-eng-team team mailing list archive
Message #05901
[Bug 1235378] Re: 'image_download' role in v2 causes traceback
[OSSA 2013-027]
** Changed in: ossa
Status: Fix Committed => Fix Released
** Summary changed:
- 'image_download' role in v2 causes traceback
+ [OSSA 2013-027] 'image_download' role in v2 causes traceback
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1235378
Title:
[OSSA 2013-027] 'image_download' role in v2 causes traceback
Status in OpenStack Image Registry and Delivery Service (Glance):
Fix Released
Status in Glance folsom series:
Fix Committed
Status in Glance grizzly series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
If you enable the 'image_download' policy as follows:
{
    "context_is_admin": "role:admin",
    "download_image": "role:admin",   <<<
    "default": "",
    "manage_image_cache": "role:admin"
}
And attempt to download using the v2 API, you get 200 rather than 403 (but, correctly, no data) and a stack trace on the server:
6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
6234 DEBUG glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Tee'ing image '42c834df-3b35-4982-aed6-ffa4a44d3778' into cache
6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
6234 DEBUG glance.image_cache.drivers.sqlite [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Fetch of cache file failed (You are not authorized to complete this action.), rolling back by moving '/opt/stack/data/glance/cache/incomplete/42c834df-3b35-4982-aed6-ffa4a44d3778' to '/opt/stack/data/glance/cache/invalid/42c834df-3b35-4982-aed6-ffa4a44d3778'
6234 ERROR glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] You are not authorized to complete this action.
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Traceback (most recent call last):
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache for chunk in image_iter:
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache for chunk in self.image.get_data():
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache self.policy.enforce(self.context, 'download_image', {})
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache exception.Forbidden, action=action)
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache return policy.check(rule, target, credentials, *args, **kwargs)
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache raise exc(*args, **kwargs)
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Forbidden: You are not authorized to complete this action.
2013-10-04 17:34:47.678 6234 TRACE glance.image_cache
6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/eventlet/wsgi.py", line 402, in handle_one_response
for data in result:
File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
for chunk in image_iter:
File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
for chunk in self.image.get_data():
File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
self.policy.enforce(self.context, 'download_image', {})
File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
exception.Forbidden, action=action)
File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
return policy.check(rule, target, credentials, *args, **kwargs)
File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
raise exc(*args, **kwargs)
Forbidden: You are not authorized to complete this action.
6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] 10.6.249.22 - - [04/Oct/2013 17:34:47] "GET /v2/images/42c834df-3b35-4982-aed6-ffa4a44d3778/file HTTP/1.1" 200 0 0.048832
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1235378/+subscriptions
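
The failure mode in the bug description above, modelled as a minimal WSGI pair (an added example, not part of the bug report and not Glance code): when the policy check runs inside the body iterator, as the get_data() frames in the traceback show, the status has already been chosen, so the client sees 200 with an empty body; checking before start_response yields the 403. All names here (enforce, lazy_app, eager_app, call, the "roles" environ key) are hypothetical.

```python
# Added illustration; not Glance code. All names are hypothetical.

class Forbidden(Exception):
    pass

# Constructed policy mirroring "download_image": "role:admin" from the report.
POLICY = {"download_image": "admin"}

def enforce(roles, action):
    if POLICY[action] not in roles:
        raise Forbidden("You are not authorized to complete this action.")

def image_data(roles):
    # Generator body runs only on first iteration, i.e. after the
    # application has already returned and the status has been set.
    enforce(roles, "download_image")
    yield b"image-bytes"

def lazy_app(environ, start_response):
    # Weak pattern: authorization is deferred into the body iterator.
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return image_data(environ["roles"])

def eager_app(environ, start_response):
    # Hardened pattern: authorize before committing to a status line.
    try:
        enforce(environ["roles"], "download_image")
    except Forbidden as exc:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return image_data(environ["roles"])

def call(app, roles):
    """Drive the app the way a WSGI server does: status first, then body."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body, error = b"", None
    try:
        for chunk in app({"roles": roles}, start_response):
            body += chunk
    except Forbidden as exc:
        error = str(exc)  # a real server would log a traceback here
    return seen["status"], body, error

if __name__ == "__main__":
    for app in (lazy_app, eager_app):
        print(app.__name__, call(app, ["member"]))
```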