yahoo-eng-team team mailing list archive
Message #39548
[Bug 1502136] [NEW] Everything returns 403 if show_multiple_locations is true and get_image_location policy is set
Public bug reported:
If, in glance-api.conf, you set:
show_multiple_locations = true
Things work as expected:
$ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | 9cb02fe7fcac26f8a25d6db3109063ae |
| container_format | bare |
| created_at | 2015-10-02T12:43:33Z |
| disk_format | raw |
| id | 13ae74f0-74bf-4792-a8bb-7c622abc5410 |
| locations | [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", |
| | "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good-image |
| owner | 88cffb9c8aee457788066c97b359585b |
| protected | False |
| size | 145 |
| status | active |
| tags | [] |
| updated_at | 2015-10-02T12:43:34Z |
| virtual_size | None |
| visibility | private |
+------------------+----------------------------------------------------------------------------------+
but if you then set the get_image_location policy to role:admin, most
calls return 403:
$ glance --os-image-api-version 2 image-list
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
$ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
$ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
etc.
As https://review.openstack.org/#/c/48401/ says:
1. A user should be able to list/show/update/download image without
needing permission on get_image_location.
2. A policy failure should result in a 403 return code. We're
getting a 500
This is v2 only, v1 works ok.
** Affects: glance
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1502136
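The difference between the reported and the expected behaviour, as an added example that is not part of the original report and is not Glance source code. It models only the symptom (a failed get_image_location check denying the whole request versus omitting the locations field); the policy table, handlers and helper names are hypothetical.

```python
# Added illustration; not Glance source. All names here are hypothetical.

class Forbidden(Exception):
    """Stands in for the error an API layer maps to HTTP 403."""

# Constructed policy: any user may read an image, only admins may read locations.
POLICY = {"get_image": None, "get_image_location": "admin"}

# Constructed image record, shaped like the image-show output in the report.
IMAGE = {
    "id": "13ae74f0-74bf-4792-a8bb-7c622abc5410",
    "name": "good-image",
    "locations": [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", "metadata": {}}],
}

def enforce(roles, action):
    """Raise Forbidden unless the caller holds the role the action requires."""
    required = POLICY[action]
    if required is not None and required not in roles:
        raise Forbidden(action)

def show_coupled(roles, image, show_multiple_locations=True):
    """Reported symptom: the locations check can fail the whole request."""
    enforce(roles, "get_image")
    body = {k: v for k, v in image.items() if k != "locations"}
    if show_multiple_locations:
        enforce(roles, "get_image_location")  # Forbidden escapes -> 403
        body["locations"] = image["locations"]
    return body

def show_decoupled(roles, image, show_multiple_locations=True):
    """Expected behaviour: a failed locations check only drops that field."""
    enforce(roles, "get_image")
    body = {k: v for k, v in image.items() if k != "locations"}
    if show_multiple_locations:
        try:
            enforce(roles, "get_image_location")
            body["locations"] = image["locations"]
        except Forbidden:
            pass  # caller still gets the image, minus its backend URLs
    return body

def status_of(handler, roles, **kw):
    """Map a handler call to the HTTP status a client would see."""
    try:
        handler(roles, IMAGE, **kw)
        return 200
    except Forbidden:
        return 403
```

A regression test for this class of bug asserts both halves: a non-admin caller gets a 200 on show, and the response body carries no locations key.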