← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1502136] Re: Everything returns 403 if show_multiple_locations is true and get_image_location policy is set

 

** Also affects: glance (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: glance (Ubuntu Xenial)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1502136

Title:
  Everything returns 403 if show_multiple_locations is true and
  get_image_location policy is set

Status in Glance:
  Fix Released
Status in glance package in Ubuntu:
  Fix Released
Status in glance source package in Trusty:
  In Progress
Status in glance source package in Xenial:
  Fix Released

Bug description:
  If, in glance-api.conf you set:

   show_multiple_locations = true

  Things work as expected:

   $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410
   +------------------+----------------------------------------------------------------------------------+
   | Property         | Value                                                                            |
   +------------------+----------------------------------------------------------------------------------+
   | checksum         | 9cb02fe7fcac26f8a25d6db3109063ae                                                 |
   | container_format | bare                                                                             |
   | created_at       | 2015-10-02T12:43:33Z                                                             |
   | disk_format      | raw                                                                              |
   | id               | 13ae74f0-74bf-4792-a8bb-7c622abc5410                                             |
   | locations        | [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410",      |
   |                  | "metadata": {}}]                                                                 |
   | min_disk         | 0                                                                                |
   | min_ram          | 0                                                                                |
   | name             | good-image                                                                       |
   | owner            | 88cffb9c8aee457788066c97b359585b                                                 |
   | protected        | False                                                                            |
   | size             | 145                                                                              |
   | status           | active                                                                           |
   | tags             | []                                                                               |
   | updated_at       | 2015-10-02T12:43:34Z                                                             |
   | virtual_size     | None                                                                             |
   | visibility       | private                                                                          |
   +------------------+----------------------------------------------------------------------------------+

  but if you then set the get_image_location policy to role:admin, most
  calls return 403:

   $ glance --os-image-api-version 2 image-list
   403 Forbidden: You are not authorized to complete this action. (HTTP 403)

   $ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410
   403 Forbidden: You are not authorized to complete this action. (HTTP 403)

   $ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410
   403 Forbidden: You are not authorized to complete this action. (HTTP 403)

  etc.

  As https://review.openstack.org/#/c/48401/ says:

   1. A user should be able to list/show/update/download image without
   needing permission on get_image_location.
   2. A policy failure should result in a 403 return code. We're
   getting a 500

  This is v2 only, v1 works ok.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1502136/+subscriptions


References