yahoo-eng-team team mailing list archive
Message #70737
[Bug 1736332] Re: Image verification returns 500 if invalid 'img_signature_certificate_uuid' is specified
Looks like there's nothing for Glance to do on this. Thanks for doing
the research to track down the fix, Abhishek.
** Changed in: glance
Status: New => Triaged
** Changed in: glance
Importance: Undecided => Medium
** Changed in: glance
Status: Triaged => Fix Released
** Changed in: glance
Milestone: None => queens-3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1736332
Title:
Image verification returns 500 if invalid
'img_signature_certificate_uuid' is specified
Status in Glance:
Fix Released
Bug description:
If image signature verification is enabled and an invalid (non-existing)
'img_signature_certificate_uuid' is specified while creating the image,
image creation fails and returns a 500 Internal Server Error to the
user. The reason is that it returns
'ManagedObjectNotFoundError: Key not found, uuid: <non-existing-uuid>',
which is not caught.
Ideally it should return HTTP 400 Bad Request to the user.
Pre-requisites:
1. Ensure Barbican is enabled
2. Create Keys and Certificate (Reference https://etherpad.openstack.org/p/mitaka-glance-image-signing-instructions#90)
3. Create Signature (Reference https://etherpad.openstack.org/p/mitaka-glance-image-signing-instructions#184) and note down output of 'signature_64'
4. Create context and upload certificate using context (Reference https://etherpad.openstack.org/p/glance-image-signing-create-context) and note down output of 'cert_uuid'
Steps to reproduce:
1. Upload Image to Glance, with Signature Metadata
   img_signature_certificate_uuid = 'fb67edd2-95ef-404b-9af2-910708c6d9b7' (different from the one noted in Pre-requisites section Point 4)
   img_signature_hash_method = 'SHA-256'
   img_signature_key_type = 'RSA-PSS'
   img_signature = 'ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4HBKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYbbsqW6d/obgM=' (the same as noted in Pre-requisites section Point 4 as 'signature_64')
$ glance image-create --property name=cirrosSignedImage_goodSignature \
    --property is-public=true --container-format bare --disk-format qcow2 \
    --property img_signature='ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4HBKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYbbsqW6d/obgM=' \
    --property img_signature_certificate_uuid='fb67edd2-95ef-404b-9af2-910708c6d9b7' \
    --property img_signature_hash_method='SHA-256' \
    --property img_signature_key_type='RSA-PSS' \
    --file cirros-0.3.2-source.tar.gz
Actual Output:
$ 500 Internal Server Error: The server has either erred or is incapable of performing the requested operation. (HTTP 500)
Expected Output:
$ 400 HTTP Bad Request: Secret incorrectly specified. (HTTP 400)
NOTE: Image remains in queued status forever.
+--------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+--------------------------------+----------------------------------------------------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2017-12-05T06:25:51Z |
| disk_format | qcow2 |
| id | c78598f5-23ac-46e8-8626-c908b5b830df |
| img_signature | ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4H |
| | BKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYb |
| | bsqW6d/obgM= |
| img_signature_certificate_uuid | fb67edd2-95ef-404b-9af2-910708c6d9b9 |
| img_signature_hash_method | SHA-256 |
| img_signature_key_type | RSA-PSS |
| is-public | true |
| min_disk | 0 |
| min_ram | 0 |
| name | cirrosSignedImage_goodSignature |
| owner | 4f186fe25c934eeb95186fd0c5afda49 |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2017-12-05T06:25:51Z |
| virtual_size | None |
| visibility | shared |
+--------------------------------+----------------------------------------------------------------------------------+
Glance-api logs:
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR barbicanclient.client [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] 4xx Client error: Not Found: Not Found. Sorry but your secret is in another castle.
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR castellan.key_manager.barbican_key_manager [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] Error retrieving object: Not Found: Not Found. Sorry but your secret is in another castle.: HTTPClientError: Not Found: Not Found. Sorry but your secret is in another castle.
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.api.v2.image_data [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] Failed to upload image data due to internal error: ManagedObjectNotFoundError: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] Caught error: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9: ManagedObjectNotFoundError: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi Traceback (most recent call last):
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/common/wsgi.py", line 1222, in __call__
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi request, **action_args)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/common/wsgi.py", line 1261, in dispatch
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi return method(*args, **kwargs)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/common/utils.py", line 363, in wrapped
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi return func(self, req, *args, **kwargs)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/api/v2/image_data.py", line 269, in upload
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi self._restore(image_repo, image)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi self.force_reraise()
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi six.reraise(self.type_, self.value, self.tb)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/api/v2/image_data.py", line 134, in upload
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi image.set_data(data, size)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/domain/proxy.py", line 195, in set_data
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi self.base.set_data(data, size)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/notifier.py", line 480, in set_data
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi _send_notification(notify_error, 'image.upload', msg)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi self.force_reraise()
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi six.reraise(self.type_, self.value, self.tb)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/notifier.py", line 427, in set_data
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi self.repo.set_data(data, size)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/api/policy.py", line 194, in set_data
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi return self.image.set_data(*args, **kwargs)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/quota/__init__.py", line 304, in set_data
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi self.image.set_data(data, size=size)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/location.py", line 427, in set_data
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi img_signature_key_type=key_type
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/cursive/signature_utils.py", line 232, in get_verifier
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi signature_key_type)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/cursive/signature_utils.py", line 287, in get_public_key
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi certificate = get_certificate(context, signature_certificate_uuid)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/cursive/signature_utils.py", line 316, in get_certificate
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi cert = keymgr_api.get(context, signature_certificate_uuid)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/castellan/key_manager/barbican_key_manager.py", line 564, in get
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi uuid=managed_object_id)
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi ManagedObjectNotFoundError: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: ERROR glance.common.wsgi
Dec 05 06:25:51 signature-test.rdocloud devstack@g-api.service[25628]: [pid: 25630|app: 0|req: 108/214] 127.0.0.1 () {40 vars in 692 bytes} [Tue Dec 5 06:25:51 2017] PUT /v2/images/c78598f5-23ac-46e8-8626-c908b5b830df/file => generated 228 bytes in 163 msecs (HTTP/1.1 500) 4 headers in 184 bytes (1 switches on core 0)
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1736332/+subscriptions
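The error handling the report asks for, as an added example that is not code from Glance, cursive or Castellan: a leaked lookup error becomes a 500, while the handled version answers 400. FakeKeyManager, dispatch and both upload functions are hypothetical stand-ins; only the exception name, the property name and the expected message come from the report.

```python
import uuid


class ManagedObjectNotFoundError(Exception):
    """Stand-in for the key manager error named in the report."""


class FakeKeyManager:
    """Hypothetical in-memory certificate store, not the Castellan API."""

    def __init__(self, certs):
        self._certs = certs

    def get(self, cert_uuid):
        if cert_uuid not in self._certs:
            raise ManagedObjectNotFoundError(
                "Key not found, uuid: %s" % cert_uuid)
        return self._certs[cert_uuid]


def dispatch(handler, keymgr, props):
    """Outer catch-all: any exception the handler leaks becomes a 500."""
    try:
        return handler(keymgr, props)
    except Exception:
        return 500, "Internal Server Error"


def upload_unhandled(keymgr, props):
    # Behaviour in the report: the lookup error propagates to dispatch().
    keymgr.get(props["img_signature_certificate_uuid"])
    return 204, ""


def upload_handled(keymgr, props):
    cert_uuid = props.get("img_signature_certificate_uuid", "")
    try:
        uuid.UUID(cert_uuid)  # reject malformed IDs before any lookup
        keymgr.get(cert_uuid)
    except (ValueError, ManagedObjectNotFoundError):
        # A bad certificate reference is the caller's error: answer 400.
        return 400, "Secret incorrectly specified."
    return 204, ""


# Constructed sample data: one known certificate, one unknown UUID.
KEYMGR = FakeKeyManager({"11111111-2222-3333-4444-555555555555": b"cert"})
MISSING = {"img_signature_certificate_uuid":
           "fb67edd2-95ef-404b-9af2-910708c6d9b7"}
```

Calling dispatch(upload_unhandled, KEYMGR, MISSING) reproduces the 500 from the report; the same call with upload_handled returns the 400 the reporter expected.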