yahoo-eng-team team mailing list archive

[Bug 1387973] [NEW] Normal user not able to download image if protected property is not associated with the image with restrict-download policy

 

Public bug reported:

If a restrict-download rule is configured in policy.json, and an image is
added without the protected property mentioned in the "restricted" rule, then
normal users (other than admin) are not able to download the image.

Steps to reproduce:

1. Create normal_user with _member_ role using horizon

2. Configure download rule in policy.json

   "download_image": "role:admin or rule:restricted",
   "restricted": "not ('test_1234':%(test_key)s and role:_member_)",

3. Restart glance-api service

4. Create an image without property 'test_key' with admin user

   i. source devstack/openrc admin admin
   ii. glance image-create
   iii. glance image-update <image_id> --name non_protected --disk-format qcow2 --container-format bare --is-public True --file /home/openstack/api.log

5. Try to download the newly created image with normal_user.

   i. source devstack/openrc normal_user admin
   ii. glance image-download <image_id>

It returns a 403 Forbidden response to the user, whereas the admin user can
download the image successfully.

Expected behavior is that all users can download the images if the restricted
property is not added.

Note:
With the current oslo-incubator policy module, this issue is not reproducible.

** Affects: glance
     Importance: Undecided
         Status: New


** Tags: ntt

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1387973
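
Added example, not part of the bug report and not Glance or oslo policy code: a simplified Python model of the two rules from step 2, usable as a regression check for the expected behaviour (a _member_ user is denied only when the image carries test_key=test_1234). The functions tokenize, check and allowed are hypothetical, and treating an unset property as a non-matching check is an assumption of this model.

```python
# Added example: simplified model of the rule syntax in the report.
# Not Glance or oslo policy code; function names are hypothetical.
RULES = {
    "download_image": "role:admin or rule:restricted",
    "restricted": "not ('test_1234':%(test_key)s and role:_member_)",
}

def tokenize(rule):
    # Peel grouping parentheses off each word; %(test_key)s stays intact.
    for word in rule.split():
        core = word.lstrip("(")
        body = core.rstrip(")")
        yield from "(" * (len(word) - len(core))
        if body:
            yield body
        yield from ")" * (len(core) - len(body))

def check(atom, roles, image):
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return allowed(match, roles, image)
    if kind == "role":
        return match in roles
    try:
        value = match % image      # substitute the image property
    except KeyError:
        return False               # assumption: unset property = no match
    return kind.strip("'") == value

def allowed(rule, roles, image):
    tokens = list(tokenize(RULES[rule]))
    def atom():
        tok = tokens.pop(0)
        if tok == "not":
            return not atom()
        if tok == "(":
            value = either()
            tokens.pop(0)          # closing parenthesis
            return value
        return check(tok, roles, image)
    def chain(op, operand):
        value = operand()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            rhs = operand()        # always consume the right-hand tokens
            value = (value and rhs) if op == "and" else (value or rhs)
        return value
    both = lambda: chain("and", atom)
    either = lambda: chain("or", both)
    return either()
```

Calling allowed("download_image", roles, image_properties) with the role list and the image's property dict returns the decision; a deployment's own rules can be checked the same way before glance-api is restarted.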
