
yahoo-eng-team team mailing list archive

[Bug 1326781] [NEW] v2 api returns 200 with blank response (no image data) for download_image policy

 

Public bug reported:

v2 api returns 200 with blank response (no image data) for
download_image policy

If you have enabled download_image policy in policy.json to "role:admin", then it should return a 403 error if a user with a role other than admin is calling the image-download api.
Presently it is returning 200 with a blank response (no image data). If you enable the cache filter, then it returns the 403 error correctly.

Steps to reproduce:

1. Ensure following flavor is set in glance-api.conf
   [paste-deploy]
   flavor = keystone+cachemanagement

2. Disable cache
   a. Open /etc/glance/glance-api-paste.ini file.
   b. Remove cache from following sections.
     [pipeline:glance-api-caching]
     [pipeline:glance-api-cachemanagement]
     [pipeline:glance-api-keystone+caching]
     [pipeline:glance-api-keystone+cachemanagement]
     [pipeline:glance-api-trusted-auth+cachemanagement]
   c. Save and exit from file.
   d. Restart the g-api (glance-api) service.

3. Ensure that 'download_image' policy is set in policy.json
   "download_image": "role:admin"

4. Download image using v2 api for role other than admin
   a. source openrc normal_user normal_user
   b. glance --os-image-api-version 2 image-download <image-id>
   
   Output:
   -------
   ''
   
   glance-api screen log:
   ----------------------
	2014-06-05 12:45:00.711 24883 INFO glance.wsgi.server [-] Traceback (most recent call last):
	  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 395, in handle_one_response
		for data in result:
	  File "/mnt/stack/glance/glance/notifier.py", line 228, in get_data
		for chunk in self.image.get_data():
	  File "/mnt/stack/glance/glance/api/policy.py", line 233, in get_data
		self.policy.enforce(self.context, 'download_image', {})
	  File "/mnt/stack/glance/glance/api/policy.py", line 143, in enforce
		exception.Forbidden, action=action)
	  File "/mnt/stack/glance/glance/api/policy.py", line 131, in _check
		return policy.check(rule, target, credentials, *args, **kwargs)
	  File "/mnt/stack/glance/glance/openstack/common/policy.py", line 183, in check
		raise exc(*args, **kwargs)
	Forbidden: You are not authorized to complete this action.
	2014-06-05 12:45:00.711 24883 INFO glance.wsgi.server [-] 10.146.146.4 - - [05/Jun/2014 12:45:00] "GET /v2/images/63826dea-e281-4ffe-821b-f598c747ba54/file HTTP/1.1" 200 0 0.062499

** Affects: glance
     Importance: Undecided
         Status: New


** Tags: ntt

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1326781
