
yahoo-eng-team team mailing list archive

[Bug 1387973] Re: Normal user not able to download image if protected property is not associated with the image with restrict-download policy

 

** Changed in: glance
       Status: Fix Committed => Fix Released

** Changed in: glance
    Milestone: None => kilo-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1387973

Title:
  Normal user not able to download image if protected property is not
  associated with the image with restrict-download policy

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance juno series:
  Fix Released

Bug description:
  If the restrict-download rule is configured in policy.json, and an
  image is added without the protected property mentioned in the
  "restricted" rule, then normal users (other than admin) are not able
  to download the image.

  Steps to reproduce:

  1. Create normal_user with _member_ role using horizon

  2. Configure download rule in policy.json

     "download_image": "role:admin or rule:restricted",
     "restricted": "not ('test_1234':%(test_key)s and role:_member_)",

  3. Restart glance-api service

  4. Create image without property 'test_key' with admin user

     i. source devstack/openrc admin admin
     ii. glance image-create
     iii. glance image-update <image_id> --name non_protected --disk-format qcow2 --container-format bare --is-public True --file /home/openstack/api.log

  5. Try to download the newly created image with normal_user.

     i. source devstack/openrc normal_user admin
     ii. glance image-download <image_id>

  It returns a 403 Forbidden response to the user, whereas the admin
  user can download the image successfully.

  Expected behavior is that all users can download the images if the
  restricted property is not added.

  Note:
  https://review.openstack.org/#/c/127923/ 
  The above policy sync patch will solve this issue for Kilo.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1387973/+subscriptions
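
The report above, turned into a small decision-table check that can be kept as a policy regression test. This is an added example, not code from Glance, oslo or the bug report: the function names, the tolerate_missing switch and the sample users and images are hypothetical, and the idea that a missing property surfaces as an evaluation error that fails closed is an assumption used to reproduce the reported symptom.

```python
# Added illustration, not Glance or oslo code. Models the two policy.json
# rules quoted in the bug report; tolerate_missing is a hypothetical switch.

def literal_check(literal, match, target, tolerate_missing):
    """Model of 'literal':%(key)s, comparing a literal to an image property."""
    try:
        substituted = match % target      # KeyError if the property is absent
    except KeyError:
        if tolerate_missing:
            return False                  # absent property: comparison is false
        raise
    return substituted == literal

def restricted(creds, target, tolerate_missing):
    # "restricted": "not ('test_1234':%(test_key)s and role:_member_)"
    tagged = literal_check("test_1234", "%(test_key)s", target, tolerate_missing)
    return not (tagged and "_member_" in creds["roles"])

def download_image(creds, target, tolerate_missing=True):
    # "download_image": "role:admin or rule:restricted"
    if "admin" in creds["roles"]:
        return True                       # "or" stops at the first true check
    try:
        return restricted(creds, target, tolerate_missing)
    except KeyError:
        return False                      # assumed: evaluation error fails closed (403)

# Constructed sample credentials and image targets.
USERS = {"admin": {"roles": ["admin"]}, "normal_user": {"roles": ["_member_"]}}
IMAGES = {
    "non_protected": {"name": "non_protected"},
    "protected": {"name": "protected", "test_key": "test_1234"},
    "other_value": {"name": "other_value", "test_key": "abc"},
}

def decision_table(tolerate_missing):
    """Map (user, image) to True (download allowed) or False (403)."""
    return {
        (user, image): download_image(creds, target, tolerate_missing)
        for user, creds in USERS.items()
        for image, target in IMAGES.items()
    }

if __name__ == "__main__":
    for mode in (False, True):
        print("tolerate_missing =", mode)
        for key, allowed in sorted(decision_table(mode).items()):
            print("  %-12s %-14s %s" % (key[0], key[1], "allow" if allowed else "403"))
```

With tolerate_missing=False the table shows the reported result (normal_user gets 403 on the untagged image while admin succeeds); with tolerate_missing=True it shows the expected behavior stated in the report.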

