yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #25142
[Bug 1387973] Re: Normal user not able to download image if protected property is not associated with the image with restrict-download policy
** Also affects: glance/juno
Importance: Undecided
Status: New
** Changed in: glance/juno
Status: New => Fix Committed
** Changed in: glance/juno
Milestone: None => 2014.2.1
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1387973
Title:
Normal user not able to download image if protected property is not
associated with the image with restrict-download policy
Status in OpenStack Image Registry and Delivery Service (Glance):
In Progress
Status in Glance juno series:
Fix Committed
Bug description:
If restrict download rule is configured in policy.json, and image is
added without protected property mentioned in "restricted" rule, then
normal users (other than admin) not able to download the image.
Steps to reproduce:
1. Create normal_user with _member_ role using horizon
2. Configure download rule in policy.json
"download_image": "role:admin or rule:restricted",
"restricted": "not ('test_1234':%(test_key)s and role:_member_)",
3. Restart glance-api service
4. create image without property 'test_key' with admin user
i. source devstack/openrc admin admin
ii. glance image-create
iii. glance image-update <image_id> --name non_protected --disk-format qcow2 --container-format bare --is-public True --file /home/openstack/api.log
5. Try to download the newly created image with normal_user.
i. source devstack/openrc normal_user admin
ii. glance image-download <image_id>
It returns 403 Forbidden response to the user, where as admin user can
download the image successfully.
Expected behavior is all users can download the images if restricted
property is not added.
Note:
https://review.openstack.org/#/c/127923/
The above policy sync patch will solve this issue for Kilo.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1387973/+subscriptions
References