yahoo-eng-team team mailing list archive

[Bug 1287888] Re: Api v2: show_image_direct_url can cause unwarranted 403s when performing a GET /images/<uuid>

 

** Changed in: glance
       Status: Fix Committed => Fix Released

** Changed in: glance
    Milestone: None => icehouse-rc1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1287888

Title:
  Api v2: show_image_direct_url can cause unwarranted 403s when
  performing a GET /images/<uuid>

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released

Bug description:
  Api v2: GET /images/<uuid> on an unowned, public image returns a 403
  if show_image_direct_url is true

  When doing a show on an image in v2 of the api, if the config value
  for ‘show_image_direct_url’ is set to True, then a 403 is returned for
  images not owned by the user.

  $ glance --os-image-api-version 2 image-show b26590c4-d7d8-4348-a8d9-664cd7773f5c
  Request returned failure status.
  403 Forbidden
  You are not permitted to modify locations for this image.
      (HTTP 403)

  
  This occurs because glance/api/authorization.py is using the ImmutableLocations proxy for the locations field on the image and the api code is trying to manipulate this object.

  In glance/api/v2/images.py (around line 586):

            if CONF.show_image_direct_url and image.locations:
                # Choose best location configured strategy
                best_location = (
                    location_strategy.choose_best_location(image.locations))
                image_view['direct_url'] = best_location['url']

  The ‘choose_best_location’ function is calling ‘get_ordered_locations’
  which is attempting to do a deep copy of the ImmutableLocation object
  which will eventually try to call ‘append’, resulting in a Forbidden
  being raised. Printing the system stack before raising the Forbidden
  results in this stack trace:  http://paste.openstack.org/show/72301/

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1287888/+subscriptions
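The failure mode described in the bug report, reproduced as a small added example (this is illustration code written for this page, not Glance's own authorization or location-strategy code). It assumes only what the report states: the locations field is a read-only list proxy whose mutating methods raise a Forbidden error, and the strategy code deep-copies it. `copy.deepcopy` rebuilds a list *subclass* through `__reduce_ex__`, which repopulates the new object with `.append()`, so the guard fires even though the caller never intended a write. The `Forbidden` class, the `choose_best_location_*` bodies and the `IMAGE_ID` URL are constructed for the example.

```python
import copy


class Forbidden(Exception):
    """Stand-in for the HTTP 403 the service raises (constructed for this example)."""


class ImmutableLocations(list):
    """Read-only list proxy: every mutating method raises Forbidden.

    Modelled on the behaviour the bug report describes; not Glance's own class.
    """

    def _forbidden(self, *args, **kwargs):
        raise Forbidden("You are not permitted to modify locations for this image.")

    # Route every mutator through the guard.
    append = extend = insert = pop = remove = _forbidden
    __setitem__ = __delitem__ = __iadd__ = _forbidden


def choose_best_location_buggy(locations):
    """Mirrors the reported bug: deep-copying the proxy itself.

    deepcopy has no dispatch entry for a list subclass, so it falls back to
    __reduce_ex__ and reconstructs the copy by calling .append() per item,
    which trips the read-only guard and surfaces as a 403 on a plain GET.
    """
    ordered = copy.deepcopy(locations)
    return ordered[0]


def choose_best_location_fixed(locations):
    """One defensive fix (an assumption, not necessarily Glance's patch):

    materialise a plain list first. Only plain dicts/lists are then deep-copied,
    the proxy's guards are never invoked, and the caller's object is untouched.
    """
    ordered = copy.deepcopy(list(locations))
    return ordered[0]


def demo():
    """Run both variants against a constructed read-only locations list."""
    # Constructed sample location; IMAGE_ID is a placeholder, not a real UUID.
    locs = ImmutableLocations([
        {"url": "file:///var/lib/glance/images/IMAGE_ID", "metadata": {}},
    ])

    try:
        choose_best_location_buggy(locs)
        buggy_outcome = "no error"
    except Forbidden:
        buggy_outcome = "403"

    fixed_url = choose_best_location_fixed(locs)["url"]
    return buggy_outcome, fixed_url


if __name__ == "__main__":
    print(demo())
```

The practical lesson for a reviewer is that a read-only proxy must stay read-only from the caller's perspective: any helper that copies, sorts or otherwise rebuilds the object should work on a plain snapshot, and a 403 on a read-only request is a signal that an authorization guard is being hit by internal plumbing rather than by the user.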
