Message #15239
[Bug 1326781] [NEW] v2 api returns 200 with blank response (no image data) for download_image policy
Public bug reported:
v2 api returns 200 with blank response (no image data) for
download_image policy
If you have set the download_image policy in policy.json to "role:admin", then it should return a 403 error if a user with a role other than admin calls the image-download API.
Presently it is returning 200 with blank response (no image data). If you enable cache filter, then it returns 403 error correctly.
Steps to reproduce:
1. Ensure following flavor is set in glance-api.conf
[paste-deploy]
flavor = keystone+cachemanagement
2. Disable cache
a. Open /etc/glance/glance-api-paste.ini file.
b. Remove cache from the following sections.
[pipeline:glance-api-caching]
[pipeline:glance-api-cachemanagement]
[pipeline:glance-api-keystone+caching]
[pipeline:glance-api-keystone+cachemanagement]
[pipeline:glance-api-trusted-auth+cachemanagement]
c. Save and exit from file.
d. Restart the g-api (glance-api) service.
3. Ensure that 'download_image' policy is set in policy.json
"download_image": "role:admin"
4. Download image using v2 api for role other than admin
a. source openrc normal_user normal_user
b. glance --os-image-api-version 2 image-download <image-id>
Output:
-------
''
glance-api screen log:
----------------------
2014-06-05 12:45:00.711 24883 INFO glance.wsgi.server [-] Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 395, in handle_one_response
    for data in result:
  File "/mnt/stack/glance/glance/notifier.py", line 228, in get_data
    for chunk in self.image.get_data():
  File "/mnt/stack/glance/glance/api/policy.py", line 233, in get_data
    self.policy.enforce(self.context, 'download_image', {})
  File "/mnt/stack/glance/glance/api/policy.py", line 143, in enforce
    exception.Forbidden, action=action)
  File "/mnt/stack/glance/glance/api/policy.py", line 131, in _check
    return policy.check(rule, target, credentials, *args, **kwargs)
  File "/mnt/stack/glance/glance/openstack/common/policy.py", line 183, in check
    raise exc(*args, **kwargs)
Forbidden: You are not authorized to complete this action.
2014-06-05 12:45:00.711 24883 INFO glance.wsgi.server [-] 10.146.146.4 - - [05/Jun/2014 12:45:00] "GET /v2/images/63826dea-e281-4ffe-821b-f598c747ba54/file HTTP/1.1" 200 0 0.062499
** Affects: glance
Importance: Undecided
Status: New
** Tags: ntt
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1326781
Title:
v2 api returns 200 with blank response (no image data) for
download_image policy
Status in OpenStack Image Registry and Delivery Service (Glance):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1326781/+subscriptions
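Added example, not part of the original report and not Glance code: a minimal WSGI-style model of what the traceback and access log show, where the policy check runs inside the body iterator after the 200 status has been committed, next to one possible mitigation that pulls the first chunk before choosing the status. The `example.role` environ key, the `serve` loop and all function bodies are assumptions made for illustration.

```python
import itertools

class Forbidden(Exception):
    """Stand-in for glance's exception.Forbidden."""

def enforce(role):
    # Models the "download_image": "role:admin" rule from policy.json.
    if role != "admin":
        raise Forbidden("You are not authorized to complete this action.")

def get_data(role):
    # Generator: the policy check runs only when the first chunk is requested.
    enforce(role)
    yield b"constructed-image-bytes"

def lazy_app(environ, start_response):
    # Failure mode: 200 is committed before the body iterator has run.
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return get_data(environ["example.role"])

def eager_app(environ, start_response):
    # Mitigation (assumed, not the project's fix): pull the first chunk,
    # then choose the status.
    body = get_data(environ["example.role"])
    try:
        first = next(body, b"")
    except Forbidden as exc:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return itertools.chain([first], body)

def serve(app, role):
    """Simplified server loop: record the status, then iterate the body."""
    sent = {}
    def start_response(status, headers):
        sent["status"] = status
    chunks = []
    try:
        for data in app({"example.role": role}, start_response):
            chunks.append(data)
    except Forbidden:
        pass  # a real server logs the traceback; the status is already sent
    return sent["status"], b"".join(chunks)

if __name__ == "__main__":
    for app in (lazy_app, eager_app):
        for role in ("admin", "member"):
            print(app.__name__, role, serve(app, role))
```

A regression test for this class of bug should assert on the status code seen by a non-admin client, since an empty body alone does not distinguish a denied request from an empty image.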