
yahoo-eng-team team mailing list archive

[Bug 1720354] Re: Glance doesn't send correctly authorization request to Oslo policy

 

Reviewed:  https://review.openstack.org/512020
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=3134ee07b2ab25f63183c699df163b5f8dfd0918
Submitter: Zuul
Branch:    master

commit 3134ee07b2ab25f63183c699df163b5f8dfd0918
Author: Cyril Roelandt <cyril@xxxxxxxxxx>
Date:   Fri Oct 13 23:22:16 2017 +0200

    Make ImageTarget behave like a dictionary
    
    This is required because oslo_policy's 'enforce' method expects a dict-like
    object as its second argument.
    
    Change-Id: I9187b6805d3b2cd351189e34dd2f9db3158f6b8d
    Closes-Bug: #1720354


** Changed in: glance
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1720354

Title:
  Glance doesn't send correctly authorization request to Oslo policy

Status in Glance:
  Fix Released
Status in oslo.policy:
  In Progress

Bug description:
  We have an OpenStack/Mitaka installed with Keystone, Nova and Glance.
  In /etc/glance/policy.json, we have modified the following lines to test the http_check function of Oslo policy:

      ...
      "add_image": "http://moon:8081/authz/wrapper",
      "delete_image": "http://moon:8081/authz/wrapper",
      "get_image": "http://moon:8081/authz/wrapper",
      "get_images": "http://moon:8081/authz/wrapper",
      "modify_image": "http://moon:8081/authz/wrapper",
      ...
  Then, when we run:
  $ openstack image list
  +--------------------------------------+--------+--------+
  | ID                                   | Name   | Status |
  +--------------------------------------+--------+--------+
  | 6e31cdd2-4968-4a80-aebc-fcdd6f213091 | cirros | active |
  +--------------------------------------+--------+--------+
  with no problem, but if we run:
  $ openstack image create --disk-format qcow2 --file /vagrant/cirros-0.3.5-x86_64-disk.img --container-format bare cirros4

  400 Bad Request
  cannot deepcopy this pattern object
      (HTTP 400)

  The Oslo_Policy code doesn't raise an error but stops when trying to deepcopy the target variable in oslo.policy/oslo.policy/oslo_policy/_checks.py (line ~241) and we have the following event in Glance API logs:
  2017-09-25 12:48:16.044 16600 DEBUG oslo_policy._cache_handler [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] Reloading cached file /etc/glance/policy.json read_cached_file /usr/local/lib/python2.7/dist-packages/oslo_policy/_cache_handler.py:40
  2017-09-25 12:48:16.047 16600 DEBUG oslo_policy.policy [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] Reloaded policy file: /etc/glance/policy.json _load_policy_file /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:682
  2017-09-25 12:48:16.075 16600 DEBUG glance.api.v2.images [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] cannot deepcopy this pattern object create /usr/lib/python2.7/dist-packages/glance/api/v2/images.py:85
  2017-09-25 12:48:16.084 16600 INFO eventlet.wsgi.server [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] 127.0.0.1 - - [25/Sep/2017 12:48:16] "POST /v2/images HTTP/1.1" 400 273 0.053245

  Another problem is that we do not have enough information in the target
  variable (in oslo.policy/oslo.policy/oslo_policy/_checks.py). Because
  most of the information has the 'object' type, it is deleted from
  the temp_target variable (line ~244).

  We believe that this is due to the Glance part since it doesn't properly
  prepare the authorization request (body) to Oslo policy.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1720354/+subscriptions
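
Added example, not code from the Glance commit or from oslo.policy: a simplified Python model of why a remote policy check needs a dict-like target made of plain values, covering both symptoms in the report (the failed deepcopy and the object-typed values dropped from the body). Image, DictLikeTarget and build_authz_body are hypothetical names, and a threading.Lock stands in for the un-copyable object.

```python
import copy
import json
import threading
from collections.abc import Mapping


class Image:
    """Constructed stand-in for an image object; not Glance's class."""
    def __init__(self, owner, visibility, name):
        self.owner, self.visibility, self.name = owner, visibility, name
        self._lock = threading.Lock()  # internal state that deepcopy cannot copy


class DictLikeTarget(Mapping):
    """Hypothetical read-only mapping over an image's policy-relevant fields."""
    FIELDS = ("owner", "visibility", "name")

    def __init__(self, image):
        self._image = image

    def __getitem__(self, key):
        if key not in self.FIELDS:
            raise KeyError(key)
        return getattr(self._image, key)

    def __iter__(self):
        return iter(self.FIELDS)

    def __len__(self):
        return len(self.FIELDS)


def build_authz_body(target, creds):
    """Simplified model of preparing the body sent to a remote policy check."""
    if not isinstance(target, Mapping):
        raise TypeError("policy target must be dict-like")
    # Snapshot to a plain dict so only field values are copied, not the wrapper.
    temp_target = copy.deepcopy(dict(target))
    dropped = []
    for key in list(temp_target):
        try:
            json.dumps(temp_target[key])
        except TypeError:
            dropped.append(key)  # value cannot travel in a JSON body
            del temp_target[key]
    return {"target": temp_target, "credentials": creds}, dropped
```

The second return value lists the keys that were removed, so a caller can log when the remote authorization service is deciding on less information than the policy author expects.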

