
yahoo-eng-team team mailing list archive

[Bug 1326781] Re: v2 api returns 200 with blank response (no image data) for download_image policy

 

** Changed in: glance
       Status: Fix Committed => Fix Released

** Changed in: glance
    Milestone: None => juno-2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1326781

Title:
  v2 api returns 200 with blank response (no image data) for
  download_image policy

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released

Bug description:
  v2 api returns 200 with blank response (no image data) for
  download_image policy

  If you have set the download_image policy in policy.json to "role:admin", then it should return a 403 error if a user with a role other than admin calls the image-download API.
  Presently it returns 200 with a blank response (no image data). If you enable the cache filter, then it returns the 403 error correctly.

  Steps to reproduce:

  1. Ensure following flavor is set in glance-api.conf
     [paste-deploy]
     flavor = keystone+cachemanagement

  2. Disable cache
     a. Open /etc/glance/glance-api-paste.ini file.
     b. Remove cache from the following sections.
       [pipeline:glance-api-caching]
       [pipeline:glance-api-cachemanagement]
       [pipeline:glance-api-keystone+caching]
       [pipeline:glance-api-keystone+cachemanagement]
       [pipeline:glance-api-trusted-auth+cachemanagement]
     c. Save and exit from file.
     d. Restart the g-api (glance-api) service.

  3. Ensure that 'download_image' policy is set in policy.json
     "download_image": "role:admin"

  4. Download image using v2 api for role other than admin
     a. source openrc normal_user normal_user
     b. glance --os-image-api-version 2 image-download <image-id>
     
     Output:
     -------
     ''
     
     glance-api screen log:
     ----------------------
  	2014-06-05 12:45:00.711 24883 INFO glance.wsgi.server [-] Traceback (most recent call last):
  	  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 395, in handle_one_response
  		for data in result:
  	  File "/mnt/stack/glance/glance/notifier.py", line 228, in get_data
  		for chunk in self.image.get_data():
  	  File "/mnt/stack/glance/glance/api/policy.py", line 233, in get_data
  		self.policy.enforce(self.context, 'download_image', {})
  	  File "/mnt/stack/glance/glance/api/policy.py", line 143, in enforce
  		exception.Forbidden, action=action)
  	  File "/mnt/stack/glance/glance/api/policy.py", line 131, in _check
  		return policy.check(rule, target, credentials, *args, **kwargs)
  	  File "/mnt/stack/glance/glance/openstack/common/policy.py", line 183, in check
  		raise exc(*args, **kwargs)
  	Forbidden: You are not authorized to complete this action.
  	2014-06-05 12:45:00.711 24883 INFO glance.wsgi.server [-] 10.146.146.4 - - [05/Jun/2014 12:45:00] "GET /v2/images/63826dea-e281-4ffe-821b-f598c747ba54/file HTTP/1.1" 200 0 0.062499

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1326781/+subscriptions
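
The traceback above shows the download_image check raising Forbidden while the WSGI server iterates the response body, after the 200 status was already chosen. The following is an added example, not Glance code and not the fix that was committed; it reproduces that ordering in a minimal WSGI app and contrasts it with an app that forces the check before the status line is sent. All names (`lazy_app`, `eager_app`, `call`, the `HTTP_X_ROLES` key) are hypothetical.

```python
from itertools import chain
from wsgiref.util import setup_testing_defaults

class Forbidden(Exception):
    pass

def get_data(role):
    """Generator: the policy check runs only when the first chunk is requested."""
    if role != "admin":  # stands in for "download_image": "role:admin"
        raise Forbidden("You are not authorized to complete this action.")
    yield b"image-bytes"  # constructed sample payload

def lazy_app(environ, start_response):
    # Flawed ordering: 200 is committed before the generator body has run.
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return get_data(environ.get("HTTP_X_ROLES", ""))

def eager_app(environ, start_response):
    # Hardened ordering: pull the first chunk so the policy check runs
    # before the status line is chosen.
    chunks = get_data(environ.get("HTTP_X_ROLES", ""))
    try:
        first = next(chunks, b"")
    except Forbidden as exc:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return chain([first], chunks)

def call(app, role):
    """Minimal server loop: record the status, then iterate the body."""
    environ = {"HTTP_X_ROLES": role}
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b""
    try:
        for chunk in app(environ, start_response):
            body += chunk
    except Forbidden:
        pass  # too late: the status is already sent, only a traceback is logged
    return seen["status"], body

if __name__ == "__main__":
    for app in (lazy_app, eager_app):
        print(app.__name__, call(app, "member"), call(app, "admin"))
```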

