Forbidden 403 error while get public image from multitenant swift storage where object is chunked (larger than 5GB)

Bug #1170156 reported by Malyshev Alex
This bug affects 2 people
Affects   Status        Importance  Assigned to     Milestone
Glance    Fix Released  High        Flavio Percoco
Grizzly   Fix Released  High        Flavio Percoco

Bug Description

How to reproduce:
1. Use multitenant swift store for glance.
2. Create a public image larger than 5GB.
3. Launch instance with this image from another tenant.

How to fix:
For a chunked object the ".r:*" ACL permission alone is not enough for a public image; we must also set the ".rlistings" permission on the container.

Simple, in glance/store/swift.py (class MultiTenantStore, def set_acls):
    if public:
        headers['X-Container-Read'] = ".r:*,.rlistings"
(maybe we must add something like this for the read_tenants ACLs too)

Changed in glance:
importance: Undecided → High
Iccha Sethi (iccha-sethi) wrote :

Hey Malyshev,

I was wondering, if the container contained other images apart from that public image, would .rlistings allow the user to list those other images as well?

Malyshev Alex (malyshevalex) wrote :

Of course, if .rlistings is allowed, the user may list all objects in the container.
However, by default, glance creates separate container for each image in multitenant mode.

Iccha Sethi (iccha-sethi) wrote :

Malyshev, thanks for clarifying my question. Is it a config value which determines separate containers for each image in multitenant or the code? Asking because if it is config, then different deployments may have it set differently. I am just trying to understand if this would have any alternative consequences here.

Malyshev Alex (malyshevalex) wrote :

It's in the code. You can see it in glance/store/swift.py (class MultiTenantStore, def create_location):
    def create_location(self, image_id):
        specs = {'scheme': self.scheme,
                 'container': self.container + '_' + str(image_id),
                 'obj': str(image_id),
                 'auth_or_store_url': self.storage_url}
        return StoreLocation(specs)

Since image_id is unique, each image gets its own separate container.
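The two points made in this thread, that a public chunked image needs ".rlistings" in X-Container-Read and that Glance's per-image container naming limits what that listing permission exposes, can be modelled together. The block below is an added example written for this page, not Glance's own code: it builds the X-Container-Read value, derives the per-image container name the way create_location does, and uses a small toy ACL evaluator to show why a GET of a chunked object fails with ".r:*" alone. The helper names (build_container_read_acl, container_name, parse_acl, can_get_chunked_object), the "tenant:*" form used for read_tenants, and the ACL evaluator itself are assumptions and simplifications of Swift's real ACL handling.

```python
"""Added example (not Glance's own code): models the Swift X-Container-Read
ACL that Glance's multi-tenant store must set for a public image, and the
per-image container naming that limits what ".rlistings" exposes.

Assumption: helper names and the toy ACL evaluator are illustrative; real
Swift parses read ACLs in its auth middleware, not like this.
"""


def build_container_read_acl(public, read_tenants=()):
    """Return the value Glance should place in X-Container-Read.

    A public image larger than the segment size is stored as a chunked
    (manifest) object. Swift serves the manifest by listing the segment
    objects in the container, so ".r:*" (anonymous object read) alone is
    not enough: ".rlistings" (anonymous container listing) is needed too.
    """
    if public:
        return ".r:*,.rlistings"
    # Tenant-scoped read access; "tenant:*" is assumed here as the ACL form.
    return ",".join("%s:*" % t for t in read_tenants)


def container_name(base_container, image_id):
    """Per-image container name, mirroring create_location's
    '<container>_<image_id>'. Because image_id is unique, granting
    ".rlistings" on this container can only reveal this image's own
    segments, not other images."""
    return "%s_%s" % (base_container, image_id)


def parse_acl(acl):
    """Minimal model of the referrer/listing/tenant parts of a read ACL."""
    anon_read = False
    listings = False
    tenants = set()
    for item in (x.strip() for x in acl.split(",") if x.strip()):
        if item == ".r:*":
            anon_read = True
        elif item == ".rlistings":
            listings = True
        elif item.endswith(":*"):
            tenants.add(item[:-2])
    return {"anon_read": anon_read, "listings": listings, "tenants": tenants}


def can_get_chunked_object(acl, tenant=None):
    """Would a GET of a chunked (manifest) object succeed under this ACL?

    Models the failure in the bug: a request from another tenant (or an
    anonymous one) needs both object read and container listing. A tenant
    named directly in the ACL is assumed to get both.
    """
    parsed = parse_acl(acl)
    if tenant is not None and tenant in parsed["tenants"]:
        return True
    return parsed["anon_read"] and parsed["listings"]


if __name__ == "__main__":
    # Constructed sample values for demonstration.
    cont = container_name("glance", "9f1c2e60-example-image-id")
    before = ".r:*"                       # the ACL that produced 403s
    after = build_container_read_acl(True)
    print(cont, before, can_get_chunked_object(before, tenant="other"))
    print(cont, after, can_get_chunked_object(after, tenant="other"))
```

Running the block prints the per-image container name followed by False for the old ".r:*" ACL and True for ".r:*,.rlistings", which is the behaviour change the merged fix introduces.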

Iccha Sethi (iccha-sethi) wrote :

Thanks for clarifying, it all makes sense now.

Flavio Percoco (flaper87) wrote :

Malyshev, would you like to submit a patch for this?

Thanks for the report!

Changed in glance:
assignee: nobody → Flavio Percoco Premoli (flaper87)
milestone: none → havana-1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/27619

Changed in glance:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/27619
Committed: http://github.com/openstack/glance/commit/2d492e04be9e386e402ddde248d9a55c8d04a2bb
Submitter: Jenkins
Branch: master

commit 2d492e04be9e386e402ddde248d9a55c8d04a2bb
Author: Flaper Fesp <email address hidden>
Date: Sat Apr 27 12:37:13 2013 +0200

    Don't raise HTTPForbidden on a multitenant environment

    When getting public images in a multi-tenant environment, Swift raises
    HTTPForbidden for chunked images.

    Based on swift documentation, rlistings directive turns listings on,
    which is the desired behavior in this case.

    Fixes bug 1170156

    Change-Id: I149f702d5b3ebae73b04deed4809939ab43c6adc

Changed in glance:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/28275

Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (stable/grizzly)

Reviewed: https://review.openstack.org/28275
Committed: http://github.com/openstack/glance/commit/0c98014fd7cbfbb9ef4b6e8b5ae43b3dc7541d29
Submitter: Jenkins
Branch: stable/grizzly

commit 0c98014fd7cbfbb9ef4b6e8b5ae43b3dc7541d29
Author: Flaper Fesp <email address hidden>
Date: Sat Apr 27 12:37:13 2013 +0200

    Don't raise HTTPForbidden on a multitenant environment

    When getting public images in a multi-tenant environment, Swift raises
    HTTPForbidden for chunked images.

    Based on swift documentation, rlistings directive turns listings on,
    which is the desired behavior in this case.

    Fixes bug 1170156

    NOTE: Swift guys were consulted about this fix.

    Change-Id: I149f702d5b3ebae73b04deed4809939ab43c6adc
    Cherry-picked: 2d492e04be9e386e402ddde248d9a55c8d04a2bb

Thierry Carrez (ttx)
Changed in glance:
milestone: havana-1 → 2013.2