yahoo-eng-team team mailing list archive

[Bug 1720354] Re: Glance doesn't send correctly authorization request to Oslo policy

 

Reviewed:  https://review.openstack.org/510569
Committed: https://git.openstack.org/cgit/openstack/oslo.policy/commit/?id=8710f6338d0596ebc7c0d8a69675d9333631504b
Submitter: Zuul
Branch:    master

commit 8710f6338d0596ebc7c0d8a69675d9333631504b
Author: Doug Hellmann <doug@xxxxxxxxxxxxxxxx>
Date:   Mon Oct 9 09:31:08 2017 -0400

    expand type documentation for Enforcer arguments
    
    As part of bug #1720354 we discovered that arguments being passed to
    the enforcer were not always dictionaries and did not always support
    the full API needed. Expand the documentation to make the requirements
    clearer.
    
    Change-Id: I6c940d825cf72777e2a7946ab7489a1ed5359235
    Closes-Bug: #1720354
    Signed-off-by: Doug Hellmann <doug@xxxxxxxxxxxxxxxx>


** Changed in: oslo.policy
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1720354

Title:
  Glance doesn't send correctly authorization request to Oslo policy

Status in Glance:
  Fix Released
Status in oslo.policy:
  Fix Released

Bug description:
  We have an OpenStack/Mitaka installed with Keystone, Nova and Glance.
  In /etc/glance/policy.json, we have modified the following lines to test the http_check function of Oslo policy:

      ...
      "add_image": "http://moon:8081/authz/wrapper",
      "delete_image": "http://moon:8081/authz/wrapper",
      "get_image": "http://moon:8081/authz/wrapper",
      "get_images": "http://moon:8081/authz/wrapper",
      "modify_image": "http://moon:8081/authz/wrapper",
      ...
  Then, when we run:
  $ openstack image list
  +--------------------------------------+--------+--------+
  | ID                                   | Name   | Status |
  +--------------------------------------+--------+--------+
  | 6e31cdd2-4968-4a80-aebc-fcdd6f213091 | cirros | active |
  +--------------------------------------+--------+--------+
  with no problem, but if we run:
  $ openstack image create --disk-format qcow2 --file /vagrant/cirros-0.3.5-x86_64-disk.img --container-format bare cirros4

  400 Bad Request
  cannot deepcopy this pattern object
      (HTTP 400)

  The Oslo_Policy code doesn't raise an error but stops when trying to deepcopy the target variable in oslo.policy/oslo.policy/oslo_policy/_checks.py (line ~241), and we have the following event in Glance API logs:
  2017-09-25 12:48:16.044 16600 DEBUG oslo_policy._cache_handler [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] Reloading cached file /etc/glance/policy.json read_cached_file /usr/local/lib/python2.7/dist-packages/oslo_policy/_cache_handler.py:40
  2017-09-25 12:48:16.047 16600 DEBUG oslo_policy.policy [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] Reloaded policy file: /etc/glance/policy.json _load_policy_file /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:682
  2017-09-25 12:48:16.075 16600 DEBUG glance.api.v2.images [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] cannot deepcopy this pattern object create /usr/lib/python2.7/dist-packages/glance/api/v2/images.py:85
  2017-09-25 12:48:16.084 16600 INFO eventlet.wsgi.server [req-e98eef44-d01b-401f-8e69-c78adf5310d3 - - - - -] 127.0.0.1 - - [25/Sep/2017 12:48:16] "POST /v2/images HTTP/1.1" 400 273 0.053245

  Another problem is that we do not have enough information in the target
  variable (in oslo.policy/oslo.policy/oslo_policy/_checks.py). Because
  most of the information has the 'object' type, it is deleted from
  the temp_target variable (line ~244).

  We believe that this is due to the Glance part, since it doesn't properly
  prepare the authorization request (body) for Oslo policy.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1720354/+subscriptions
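
Added example, not part of the original bug report and not oslo.policy or Glance code: a sketch of the deepcopy failure the report describes and one way a caller can reduce a policy target to plain data before handing it to an enforcer, while recording what was left out. `plain_target` and `deepcopy_fails` are hypothetical helpers, the sample target is constructed, and the `threading.Lock` stands in for the uncopyable object from the report.

```python
import copy
import json
import threading
from collections.abc import Mapping

_SCALARS = (str, int, float, bool, type(None))
_DROP = object()  # sentinel: the value has no plain-data form


def _plain(value, path, dropped):
    """Recursively keep scalars, mappings and sequences; record anything else."""
    if isinstance(value, _SCALARS):
        return value
    if isinstance(value, Mapping):
        items = ((str(k), _plain(v, path + (str(k),), dropped))
                 for k, v in value.items())
        return {k: v for k, v in items if v is not _DROP}
    if isinstance(value, (list, tuple)):
        items = [_plain(v, path + (str(i),), dropped) for i, v in enumerate(value)]
        return [v for v in items if v is not _DROP]
    dropped.append(".".join(path))  # keep the path so the caller can log it
    return _DROP


def plain_target(target):
    """Return (clean, dropped): plain data that deepcopies and JSON-encodes,
    plus the dotted paths of the values that were left out."""
    if not isinstance(target, Mapping):
        raise TypeError("policy target must be a mapping, got %s"
                        % type(target).__name__)
    dropped = []
    return _plain(target, (), dropped), dropped


def deepcopy_fails(target):
    """True when copy.deepcopy() cannot copy the target."""
    try:
        copy.deepcopy(target)
    except TypeError:
        return True
    return False


# Constructed sample: an image-like target carrying one uncopyable attribute.
SAMPLE_TARGET = {
    "name": "cirros4",
    "disk_format": "qcow2",
    "tags": ["test"],
    "owner": {"project_id": "constructed-project-id"},
    "_lock": threading.Lock(),
}

if __name__ == "__main__":
    clean, dropped = plain_target(SAMPLE_TARGET)
    print(deepcopy_fails(SAMPLE_TARGET), deepcopy_fails(clean), dropped)
    print(json.dumps(clean, sort_keys=True))
```

Logging the `dropped` paths matters because every attribute removed from the target is one the external policy endpoint can no longer use in its decision.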

