500 server error when admin tries to access private image uuid

Bug #1172719 reported by Stuart McLaren
Affects: Glance
Status: Fix Released
Importance: Undecided
Assigned to: Stuart McLaren

Bug Description

This shows up in a couple different ways:

$ curl -v -k -H 'x-auth-token: XXX' -X PUT -H 'x-glance-registry-purge-props: false' -H 'x-image-meta-property-foo: bar' https://localhost:9191/images/719bb85c-c8df-4fae-ba2a-f2bd5271c4f3
* About to connect() to localhost port 9191 (#0)
* Trying 127.0.0.1... connected
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
> PUT /images/719bb85c-c8df-4fae-ba2a-f2bd5271c4f3 HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: localhost:9191
> Accept: */*
> x-auth-token: XXX
> x-glance-registry-purge-props: false
> x-image-meta-property-foo: bar
>
< HTTP/1.1 500 Internal Server Error
< Content-Type: text/plain
< Content-Length: 0
< Date: Thu, 25 Apr 2013 10:05:27 GMT
< Connection: close
<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

$ curl -v -H 'X-Auth-Token: XXX' -k https://localhost:9292/v1/images?marker=932c5833-b7a4-4a90-847b-914ce611099b
* About to connect() to localhost port 9292 (#0)
* Trying 15.184.9.33... connected
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:

> GET /v1/images?marker=932c5833-b7a4-4a90-847b-914ce611099b HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: localhost:9292
> Accept: */*
> X-Auth-Token: XXX
>
< HTTP/1.1 500 Internal Server Error
< Content-Type: text/plain
< Content-Length: 0
< Date: Thu, 25 Apr 2013 11:07:15 GMT
< Connection: close
<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

Stuart McLaren (stuart-mclaren) wrote :

Working on a patch...

Changed in glance:
assignee: nobody → Stuart McLaren (stuart-mclaren)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/27491

Changed in glance:
status: New → In Progress
Mark Washenberger (markwash) wrote :

I'm confused, shouldn't an admin be able to see such images?

Mark Washenberger (markwash) wrote :

Never mind, I get it now. Any chance you have a server-side stack trace for this 500 that you could paste here?

Stuart McLaren (stuart-mclaren) wrote : Re: [Bug 1172719] Re: 500 server error when admin tries to access private image uuid

Hi Mark,

Gotta run to pick up somebody -- here's a stack. Can you just check there's no HP creds in it before pasting anywhere?
Thanks!

Apr 25 09:05:32 gl-aw1rde1-api0000 16978 DEBUG eventlet.wsgi.server [00ba261a-91a6-43d3-bddb-6602cec833b4 77049353665607 34096082065107] Traceback (most recent call last):
012 File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 336, in handle_one_response
012 result = self.application(self.environ, start_response)
012 File "/usr/lib/python2.7/dist-packages/hp_glance_extras/middleware/healthcheck.py", line 38, in __call__
012 return self.app(env, start_response)
012 File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
012 resp = self.call_func(req, *args, **self.kwargs)
012 File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
012 return self.func(req, *args, **kwargs)
012 File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 345, in __call__
012 response = req.get_response(self.application)
012 File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
012 application, catch_exc_info=False)
012 File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
012 app_iter = application(self.environ, start_response)
012 File "/usr/lib/python2.7/dist-packages/hp/middleware/cs_auth_token.py", line 160, in __call__
012 return super(CsAuthProtocol, self).__call__(env, start_response)
012 File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 451, in __call__
012 return self.app(env, start_response)
012 File "/usr/lib/python2.7/dist-packages/hp/middleware/cs_authz.py", line 30, in __call__
012 return self.app(env, start_response)
012 File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
012 resp = self.call_func(req, *args, **self.kwargs)
012 File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
012 return self.func(req, *args, **kwargs)
012 File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 345, in __call__
012 response = req.get_response(self.application)
012 File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
012 application, catch_exc_info=False)
012 File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
012 app_iter = application(self.environ, start_response)
012 File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in __call__
012 resp = self.call_func(req, *args, **self.kwargs)
012 File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in call_func
012 return self.func(req, *args, **kwargs)
012 File "/usr/lib/python2.7/dist-packages/glance/common/wsgi.py", line 345, in __call__
012 response = req.get_response(self.application)
012 File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in get_response
012 application, catch_exc_info=False)
012 File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in call_application
012 app_iter = application(self.environ, start_response)
012 File "/usr/lib/python2.7/dist-...

Stuart McLaren (stuart-mclaren) wrote :

Just recording here that a regular user who attempts to use a marker id of an admin image also sees a 500:

> GET /v1//images/detail?marker=c48d99b5-9f0b-4c99-b4e4-daf089f04a78 HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: localhost:9292
> Accept: */*
> x-auth-token: ...

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/27491
Committed: http://github.com/openstack/glance/commit/8d23994688c59d78757873480b9213d19d85a34b
Submitter: Jenkins
Branch: master

commit 8d23994688c59d78757873480b9213d19d85a34b
Author: Stuart McLaren <email address hidden>
Date: Thu Apr 25 14:02:53 2013 +0000

    Prevent '500' error when admin uses private marker

    A 500 error was being raised when an admin tried to use the
    id of a private image owned by another user as a marker.

    Do not return 500 in these cases.

    Also added appropriate test coverage.

    Fixes bug 1172719.

    Change-Id: If77d45c684dd7d4dda9eefd519fc3d36fc57e07a
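
Added example (not part of the bug report and not Glance code): a small constructed model of marker-based paging showing how a marker that points at an image outside the caller's listing turns into a bare 500 when the lookup error escapes the handler, next to a handler that maps it to a client error. The listing scope, the 400 status, the sample rows and all function names are assumptions of this model, not taken from the Glance fix.

```python
# Constructed model of marker-based paging; none of this is Glance code.
class NotFound(Exception):
    pass

class Forbidden(Exception):
    pass

IMAGES = [  # constructed sample rows, already in listing order
    {"id": "img-1", "owner": "alice", "is_public": True},
    {"id": "img-2", "owner": "bob", "is_public": False},
    {"id": "img-3", "owner": "alice", "is_public": False},
    {"id": "img-4", "owner": "ops", "is_public": False},
]

def in_listing(ctx, image):
    # Assumed listing scope: public images plus the caller's own.
    return image["is_public"] or image["owner"] == ctx["tenant"]

def marker_index(ctx, marker):
    # Position of the marker row, or an exception if it cannot be used.
    for index, image in enumerate(IMAGES):
        if image["id"] == marker:
            if not in_listing(ctx, image):
                raise Forbidden(marker)
            return index
    raise NotFound(marker)

def page_after(ctx, start, limit=2):
    return [i["id"] for i in IMAGES[start:] if in_listing(ctx, i)][:limit]

def list_before(ctx, marker=None):
    # Lookup errors escape the handler.
    start = marker_index(ctx, marker) + 1 if marker else 0
    return 200, {"images": page_after(ctx, start)}

def list_after(ctx, marker=None):
    try:
        start = marker_index(ctx, marker) + 1 if marker else 0
    except (NotFound, Forbidden):
        # One answer for "unknown" and "not in your listing", so the marker
        # parameter does not reveal whether a private image id exists.
        return 400, {"error": "invalid marker"}
    return 200, {"images": page_after(ctx, start)}

def dispatch(handler, ctx, marker=None):
    # Stand-in for the server layer: an uncaught exception becomes a bare 500.
    try:
        return handler(ctx, marker)
    except Exception:
        return 500, {}
```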

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in glance:
milestone: none → havana-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: havana-2 → 2013.2