
yahoo-eng-team team mailing list archive

[Bug 1287888] [NEW] Api v2: show_image_direct_url can cause unwarranted 403s when performing a GET /images/<uuid>


Public bug reported:

Api v2: GET /images/<uuid> on an unowned, public image returns a 403 if
show_image_direct_url is true

When doing a show on an image in v2 of the api, if the config value for
‘show_image_direct_url’ is set to True, then a 403 is returned for
images not owned by the user.

$ glance --os-image-api-version 2 image-show b26590c4-d7d8-4348-a8d9-664cd7773f5c
Request returned failure status.
403 Forbidden
You are not permitted to modify locations for this image.
    (HTTP 403)


This occurs because glance/api/authorization.py is using the ImmutableLocations proxy for the locations field on the image and the api code is trying to manipulate this object.

In glance/api/v2/images.py:

            if CONF.show_image_direct_url and image.locations:
                # Choose best location configured strategy
                best_location = (
                    location_strategy.choose_best_location(image.locations))
                image_view['direct_url'] = best_location['url']

The ‘choose_best_location’ function is calling ‘get_ordered_locations’
which is attempting to do a deep copy of the ImmutableLocation object
which will eventually try to call ‘append’, resulting in a Forbidden
being raised. Printing the system stack before raising the Forbidden
results in this stack trace:  http://paste.openstack.org/show/72301/
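The failure chain described above, reproduced as an added Python example (this is illustrative code, not code from the Glance project): a list subclass whose mutating methods raise Forbidden is rebuilt by copy.deepcopy through append() on the fresh copy, so a read-only code path that deep-copies the proxy surfaces a 403 to a caller who only asked to view the image. The second class shows one way the copy can be made safe without weakening the guard, a __deepcopy__ hook; that remediation, the class and function names, the Forbidden stand-in and the sample locations are assumptions constructed for this example and are not taken from Glance.

```python
import copy


class Forbidden(Exception):
    """Stand-in for glance's Forbidden exception (constructed for this example)."""


class ImmutableLocationsDemo(list):
    """Read-only list proxy modelled on the behaviour described in the bug:
    every mutating operation raises Forbidden, which is what the authorization
    layer wants for a non-owner reading someone else's image."""

    def _forbidden(self, *args, **kwargs):
        raise Forbidden("You are not permitted to modify locations for this image.")

    # Block the list mutators. copy.deepcopy rebuilds a list subclass by
    # calling append() on the new instance, so it trips this guard as well.
    append = extend = insert = pop = remove = _forbidden
    __setitem__ = __delitem__ = _forbidden


class DeepcopyableImmutableLocations(ImmutableLocationsDemo):
    """Same guard, plus a __deepcopy__ hook (hypothetical fix) so a read-only
    consumer can copy the locations without going through append()."""

    def __deepcopy__(self, memo):
        # Iterating is allowed, and list.__init__ fills the new instance at
        # C level rather than through the Python-level append() attribute.
        return type(self)(copy.deepcopy(list(self), memo))


def choose_best_location_demo(locations):
    """Hypothetical stand-in for location_strategy.choose_best_location:
    like get_ordered_locations it deep-copies its input before ordering
    (here a stable sort by URL, purely for determinism)."""
    ordered = sorted(copy.deepcopy(locations), key=lambda loc: loc["url"])
    return ordered[0]


def direct_url_for_view(locations):
    """Mimic the image-show code path: return the direct_url, or the 403 text
    a client would see when the copy trips the immutability guard."""
    try:
        return choose_best_location_demo(locations)["url"]
    except Forbidden as exc:
        return "403 Forbidden: %s" % exc


def is_still_immutable(proxy):
    """Confirm the proxy still rejects mutation, the property it exists for."""
    try:
        proxy.append({"url": "file:///injected", "metadata": {}})
    except Forbidden:
        return True
    return False


# Constructed sample locations for an image the caller does not own.
SAMPLE_LOCATIONS = [
    {"url": "file:///var/lib/glance/images/b", "metadata": {}},
    {"url": "file:///var/lib/glance/images/a", "metadata": {}},
]


if __name__ == "__main__":
    broken = ImmutableLocationsDemo(SAMPLE_LOCATIONS)
    fixed = DeepcopyableImmutableLocations(SAMPLE_LOCATIONS)
    print("without __deepcopy__:", direct_url_for_view(broken))
    print("with __deepcopy__:   ", direct_url_for_view(fixed))
    print("fixed proxy still immutable:", is_still_immutable(fixed))
```

Running the script prints the 403 text for the first proxy and the chosen URL for the second, while the second proxy still raises Forbidden on append(); the point for a reviewer is that the guard is correct and the defect lies in a read path treating a protected object as copyable.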

** Affects: glance
     Importance: High
     Assignee: Alex Meade (alex-meade)
         Status: In Progress

** Summary changed:

- Api v2: show_image_direct_url can cause unwarranted 403s when performing aGET /images/<uuid>
+ Api v2: show_image_direct_url can cause unwarranted 403s when performing a GET /images/<uuid>

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1287888

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1287888/+subscriptions

