yahoo-eng-team team mailing list archive
Message #69158
[Bug 1732141] [NEW] 'upload-image' policy blocks the image-import API
Public bug reported:
There are two methods to create images:
Method A)
POST /v2/images
PUT /v2/images/{image_id}/file
Method B)
POST /v2/images
PUT /v2/images/{image_id}/stage
POST /v2/images/{image_id}/import
The Glance community has a long-term plan to restrict Method A for normal users creating images.
The traditional image upload API (PUT /v2/images/{image_id}/file) uses the 'upload-image' policy, which is the same policy used by Method B (POST /v2/images/{image_id}/import), the image-create-via-import API (the new API for image creation).
If the Glance community restricts the traditional Method A (image upload) for normal users, then it will also impact the Method B (POST /v2/images/{image_id}/import) image-import call, so normal users won't be able to import images using image-create-via-import (the new API for image creation).
The 'upload-image' and 'import image' operations share the same policy.
Steps to reproduce:
Case 1: Restrict the normal user to upload-image
1. Modify the /etc/glance/policy.json
"upload_image": "role:demo",
2. Create the image
$ glance image-create --name test --property test=tyest --file spec_and_blueprint_content.txt --container-format bare --disk-format qcow2
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2017-11-13T07:02:41Z |
| disk_format | qcow2 |
| id | d719c5fb-4907-4b8d-b219-18a2743b82b6 |
| min_disk | 0 |
| min_ram | 0 |
| name | test |
| owner | d2b9f7372d2e481ca13a16bd526f9f14 |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| test | tyest |
| updated_at | 2017-11-13T07:02:41Z |
| virtual_size | None |
| visibility | shared |
+------------------+--------------------------------------+
403 Forbidden: Not allowed to upload image data for image d719c5fb-4907-4b8d-b219-18a2743b82b6: You are not authorized to complete upload_image action. (HTTP 403)
Case 2: Now the normal user wants to create the image using the image-create-via-import API, but it will not allow them to import the image because of the policy set in the first case.
$ glance image-create-via-import --name test --file spec_and_blueprint_content.txt --container-format bare --disk-format raw --property os_distro=xyz
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2017-11-13T07:23:25Z |
| disk_format | raw |
| id | 7e0bc1c4-7024-43cb-b75c-2a5629f8ded9 |
| min_disk | 0 |
| min_ram | 0 |
| name | test |
| os_distro | xyz |
| owner | d2b9f7372d2e481ca13a16bd526f9f14 |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2017-11-13T07:23:25Z |
| virtual_size | None |
| visibility | shared |
+------------------+--------------------------------------+
403 Forbidden: Not allowed to upload image data for image 7e0bc1c4-7024-43cb-b75c-2a5629f8ded9: You are not authorized to complete upload_image action. (HTTP 403)
So to overcome this we will need to add a separate policy for importing images in policy.json.
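The shared-rule coupling the report describes, as an added example in Python that is not Glance's own code: a small evaluator for a subset of oslo.policy rule syntax, run over a constructed policy.json first with the shared 'upload_image' rule and then with a hypothetical separate 'import_image' rule (that rule name is an assumption; 'add_image' is the existing Glance rule for POST /v2/images, and the normal user's 'member' role is constructed).

```python
import json

# Constructed policy.json fragments, not Glance's shipped files. 'add_image' is
# the Glance rule for POST /v2/images, 'upload_image' is the rule from the
# report, and 'import_image' is a hypothetical name for the proposed split rule.
POLICY_SHARED = json.loads('{"add_image": "", "upload_image": "role:demo"}')
POLICY_SPLIT = dict(POLICY_SHARED, import_image="")

# Which rule each API step consults. Before the fix, the file upload and the
# import step both check 'upload_image', the coupling the report describes.
STEP_RULES_SHARED = {
    "POST /v2/images": "add_image",
    "PUT /v2/images/{image_id}/file": "upload_image",
    "POST /v2/images/{image_id}/import": "upload_image",
}
STEP_RULES_SPLIT = dict(STEP_RULES_SHARED,
                        **{"POST /v2/images/{image_id}/import": "import_image"})

METHOD_A = ["POST /v2/images", "PUT /v2/images/{image_id}/file"]
METHOD_B = ["POST /v2/images", "PUT /v2/images/{image_id}/stage",
            "POST /v2/images/{image_id}/import"]


def check_rule(rule, roles, policy):
    """Evaluate a small subset of oslo.policy syntax: '' allows everyone, '!'
    denies everyone, 'role:X' needs role X, 'rule:Y' delegates, ' or ' joins."""
    rule = rule.strip()
    if rule == "":
        return True
    if rule == "!":
        return False
    if " or " in rule:
        return any(check_rule(p, roles, policy) for p in rule.split(" or "))
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        return check_rule(policy.get(value, "!"), roles, policy)
    raise ValueError("unsupported rule syntax: %r" % rule)  # never guess


def method_allowed(method, step_rules, policy, roles):
    """True only if every step that has a rule passes; steps without one (the
    stage step) are treated as unrestricted, a simplification of the service."""
    for step in method:
        name = step_rules.get(step)
        if name is not None and not check_rule(policy.get(name, "!"), roles, policy):
            return False
    return True
```

With the shared mapping a user lacking the 'demo' role is refused both Method A and Method B; with the split mapping Method A stays restricted while Method B succeeds.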
** Affects: glance
Importance: Undecided
Assignee: Bhagyashri Shewale (bhagyashri-shewale)
Status: New
** Changed in: glance
Assignee: (unassigned) => Bhagyashri Shewale (bhagyashri-shewale)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1732141
Title:
'upload-image' policy blocks the image-import API
Status in Glance:
New