yahoo-eng-team team mailing list archive

[Bug 1235378] Re: 'image_download' role in v2 causes traceback

 

[OSSA 2013-027]

** Changed in: ossa
       Status: Fix Committed => Fix Released

** Summary changed:

- 'image_download' role in v2 causes traceback
+ [OSSA 2013-027] 'image_download' role in v2 causes traceback

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1235378

Title:
  [OSSA 2013-027] 'image_download' role in v2 causes traceback

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance folsom series:
  Fix Committed
Status in Glance grizzly series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  If you enable the 'image_download' policy as follows:


   { 
      "context_is_admin":  "role:admin",
      "download_image":  "role:admin", <<<
      "default": "",
      "manage_image_cache": "role:admin"
   }

  And attempt to download using the v2 API, you get 200 rather than 403 (but, correctly, no data)
  and a stack trace on the server:

  6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
  6234 DEBUG glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Tee'ing image '42c834df-3b35-4982-aed6-ffa4a44d3778' into cache
  6234 DEBUG glance.api.policy [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Loaded policy rules: {u'context_is_admin': 'role:admin', u'download_image': 'role:admin', u'default': '@', u'manage_image_cache': 'role:admin'}
  6234 DEBUG glance.image_cache.drivers.sqlite [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Fetch of cache file failed (You are not authorized to complete this action.), rolling back by moving '/opt/stack/data/glance/cache/incomplete/42c834df-3b35-4982-aed6-ffa4a44d3778' to '/opt/stack/data/glance/cache/invalid/42c834df-3b35-4982-aed6-ffa4a44d3778'
  6234 ERROR glance.image_cache [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] You are not authorized to complete this action.
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Traceback (most recent call last):
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     for chunk in image_iter:
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     for chunk in self.image.get_data():
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     self.policy.enforce(self.context, 'download_image', {})
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     exception.Forbidden, action=action)
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     return policy.check(rule, target, credentials, *args, **kwargs)
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache   File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache     raise exc(*args, **kwargs)
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache Forbidden: You are not authorized to complete this action.
  2013-10-04 17:34:47.678 6234 TRACE glance.image_cache 
  6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] Traceback (most recent call last):
    File "/usr/local/lib/python2.7/dist-packages/eventlet/wsgi.py", line 402, in handle_one_response
      for data in result:
    File "/opt/stack/glance/glance/image_cache/__init__.py", line 238, in cache_tee_iter
      for chunk in image_iter:
    File "/opt/stack/glance/glance/notifier/__init__.py", line 182, in get_data
      for chunk in self.image.get_data():
    File "/opt/stack/glance/glance/api/policy.py", line 225, in get_data
      self.policy.enforce(self.context, 'download_image', {})
    File "/opt/stack/glance/glance/api/policy.py", line 135, in enforce
      exception.Forbidden, action=action)
    File "/opt/stack/glance/glance/api/policy.py", line 123, in _check
      return policy.check(rule, target, credentials, *args, **kwargs)
    File "/opt/stack/glance/glance/openstack/common/policy.py", line 183, in check
      raise exc(*args, **kwargs)
  Forbidden: You are not authorized to complete this action.
  6234 DEBUG eventlet.wsgi.server [acaf8321-9f3c-439a-8028-46921ea56740 a9befd28bf704839b62aecbf6afacd37 f6e065403d57444aa973fc10c655dedd] 10.6.249.22 - - [04/Oct/2013 17:34:47] "GET /v2/images/42c834df-3b35-4982-aed6-ffa4a44d3778/file HTTP/1.1" 200 0 0.048832

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1235378/+subscriptions
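
The traceback above shows the 'download_image' check running inside the response body iterator (policy.py get_data, reached from eventlet's "for data in result"), which is why the request is logged as 200 with 0 bytes. The following is an added illustration, not Glance code and not the fix that was released: a WSGI-style example with hypothetical names (POLICY, lazy_app, eager_app, serve) contrasting a check deferred into the iterator with one made before start_response.

```python
# Added illustration; all names are hypothetical, not taken from Glance.
class Forbidden(Exception):
    pass

POLICY = {"download_image": "admin"}  # constructed: action -> required role

def enforce(roles, action):
    if POLICY[action] not in roles:
        raise Forbidden("You are not authorized to complete this action.")

def image_data(roles):
    # Generator: nothing here, including enforce(), runs until first next().
    enforce(roles, "download_image")
    yield b"image-bytes"

def lazy_app(environ, start_response):
    # The policy check is deferred into the body iterator, as in the traceback.
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return image_data(environ["roles"])

def eager_app(environ, start_response):
    # The policy check runs before any status has been declared.
    try:
        enforce(environ["roles"], "download_image")
    except Forbidden as exc:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return iter([b"image-bytes"])

def serve(app, roles):
    """Stand-in for a WSGI server loop: returns (status, body, error)."""
    sent = {}

    def start_response(status, headers):
        sent["status"] = status

    result = app({"roles": roles}, start_response)
    body, error = b"", None
    try:
        for chunk in result:
            body += chunk
    except Forbidden as exc:
        error = str(exc)  # the app had already declared its status by now
    return sent["status"], body, error
```

For a caller without the admin role, serve(lazy_app, ...) reports 200 with an empty body plus a server-side error, matching the log, while serve(eager_app, ...) reports 403.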