
yahoo-eng-team team mailing list archive

[Bug 1720354] [NEW] Glance doesn't send correctly authorization request to Oslo policy

 

Public bug reported:

We have an OpenStack/Mitaka installed with Keystone, Nova and Glance.
In /etc/glance/policy.json, we have modified the following lines to test the http_check function of Oslo policy:

    ...
    "add_image": "http://moon:8081/authz/wrapper",
    "delete_image": "http://moon:8081/authz/wrapper",
    "get_image": "http://moon:8081/authz/wrapper",
    "get_images": "http://moon:8081/authz/wrapper",
    "modify_image": "http://moon:8081/authz/wrapper",
    ...

Then, when we run:

    $ openstack image list
    +--------------------------------------+--------+--------+
    | ID                                   | Name   | Status |
    +--------------------------------------+--------+--------+
    | 6e31cdd2-4968-4a80-aebc-fcdd6f213091 | cirros | active |
    +--------------------------------------+--------+--------+

with no problem, but if we run:

    $ openstack image create --disk-format qcow2 --file /vagrant/cirros-0.3.5-x86_64-disk.img --container-format bare cirros4

    400 Bad Request
    cannot deepcopy this pattern object
        (HTTP 400)

The Oslo_Policy code doesn't raise an error but stops when trying to deepcopy the target variable in oslo.policy/oslo.policy/oslo_policy/_checks.py (line ~241), and we have the following event in the Glance API logs:

    2017-09-25 12:48:16.044 16600 DEBUG oslo_policy._cache_handler [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] Reloading cached file /etc/glance/policy.json read_cached_file /usr/local/lib/python2.7/dist-packages/oslo_policy/_cache_handler.py:40
    2017-09-25 12:48:16.047 16600 DEBUG oslo_policy.policy [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] Reloaded policy file: /etc/glance/policy.json _load_policy_file /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:682
    2017-09-25 12:48:16.075 16600 DEBUG glance.api.v2.images [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] cannot deepcopy this pattern object create /usr/lib/python2.7/dist-packages/glance/api/v2/images.py:85
    2017-09-25 12:48:16.084 16600 INFO eventlet.wsgi.server [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] 127.0.0.1 - - [25/Sep/2017 12:48:16] "POST /v2/images HTTP/1.1" 400 273 0.053245

Another problem is that we do not have enough information in the target
variable (in oslo.policy/oslo.policy/oslo_policy/_checks.py). Because
most of the information has the 'object' type, it is deleted from
the temp_target variable (line ~244).

We believe that this is due to the Glance part, since it doesn't properly
prepare the authorization request (body) for Oslo policy.

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1720354
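
An added illustration, not part of the bug report and not code from oslo.policy or Glance, of the two symptoms described above: a whole-target deep copy that aborts the authorization check, and target entries that never reach the remote policy endpoint. The function names and sample data are constructed, and `threading.Lock` stands in for the uncopyable pattern object, because compiled patterns are copyable in Python 3.7 and later.

```python
import copy
import json
import threading


def naive_payload(target, creds):
    """Deep-copy the whole target at once: one bad value aborts the check."""
    return json.dumps({"target": copy.deepcopy(target), "credentials": creds})


def tolerant_payload(target, creds):
    """Copy entries one by one and report what the remote endpoint will not see."""
    sent, dropped = {}, []
    for key, value in target.items():
        try:
            candidate = copy.deepcopy(value)
            json.dumps(candidate)  # the value must also survive serialization
        except (TypeError, ValueError):
            dropped.append(key)
            continue
        sent[key] = candidate
    body = json.dumps({"target": sent, "credentials": creds}, sort_keys=True)
    return body, sorted(dropped)


# Constructed sample data, not taken from Glance.
SAMPLE_CREDS = {"user_id": "u-123", "roles": ["member"]}
SAMPLE_TARGET = {
    "name": "cirros4",
    "disk_format": "qcow2",
    "owner": "p-456",
    "backend_handle": threading.Lock(),  # stand-in for an uncopyable object
}


def demo():
    """Return (naive copy failed?, target fields sent, target fields dropped)."""
    try:
        naive_payload(SAMPLE_TARGET, SAMPLE_CREDS)
        naive_failed = False
    except TypeError:
        naive_failed = True
    body, dropped = tolerant_payload(SAMPLE_TARGET, SAMPLE_CREDS)
    return naive_failed, json.loads(body)["target"], dropped


if __name__ == "__main__":
    print(demo())
```

Logging the dropped keys on every check shows an operator when the external policy endpoint is deciding on a partial target.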
