Glance GET /v2/images fails with 500 due to erroneous policy check

Bug #1231255 reported by Feilong Wang
Affects   Status         Importance   Assigned to     Milestone
Glance    Fix Released   High         Feilong Wang    2013.2

Bug Description

A user with 'viewer' authority per the following policy receives a 500 error when calling glance v2/images.
The user is successfully able to get a list of images and details when calling /v1/images/detail.

Policy:
{
    "admin_only": "role:admin",
    "admin_or_deployer": "role:admin or role:deployer",
    "admin_or_deployer_or_viewer": "role:admin or role:deployer or role:viewer",
    "default": "rule:admin_or_deployer",

    "get_images": "rule:admin_or_deployer_or_viewer",
    "get_image": "rule:admin_or_deployer_or_viewer",
    "download_image": "rule:admin_or_deployer",
    "add_image": "rule:admin_or_deployer",
    "modify_image": "rule:admin_or_deployer",
    "publicize_image": "rule:admin_or_deployer",
    "delete_image": "rule:admin_or_deployer",

    "manage_image_cache": "role:admin"
}

Based on the investigation, it is due to a failed policy check on the 'get_image_location' rule while the REST response is being serialized.

There are several things wrong with this:
1. A user should be able to list images without needing permission on get_image_location
2. Image location output on the image detail APIs is controlled by these Glance CONF settings CONF.show_multiple_location and CONF.show_image_direct_url. By default, both of them are False so the location would not be getting returned anyway, so there would be no need to do the policy check in this particular case.
3. A policy failure should result in a 403 return code. We're getting a 500.
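
The failure mode described in this report, as an added example that is not Glance's own code and not the change from the linked review: a small stand-in for the policy engine (evaluating the policy.json above), an image record, and two versions of the v2 response serializer. serialize_before models the behaviour reported (the get_image_location check runs during serialization regardless of show_multiple_locations/show_image_direct_url, and the resulting Forbidden escapes the serializer as a 500); serialize_after consults the rule only when one of those options actually exposes locations and maps a refusal to 403. The function names, the IMAGE record, the dispatch model in handle_get_images and the sample roles are assumptions for the illustration.

```python
"""Constructed model of the GET /v2/images failure in bug 1231255.

Not Glance's code: a stand-in policy engine, image record and v2 serializer
written to illustrate the report; all names here are illustrative."""


class Forbidden(Exception):
    """Raised by the policy engine when a rule does not match."""


class HTTPForbidden(Exception):
    """Stand-in for webob.exc.HTTPForbidden (status 403)."""
    status = 403


# The policy.json from the report. get_image_location is not listed, so it
# falls through to "default", i.e. admin_or_deployer: a viewer fails it.
POLICY = {
    "admin_only": "role:admin",
    "admin_or_deployer": "role:admin or role:deployer",
    "admin_or_deployer_or_viewer": "role:admin or role:deployer or role:viewer",
    "default": "rule:admin_or_deployer",
    "get_images": "rule:admin_or_deployer_or_viewer",
    "get_image": "rule:admin_or_deployer_or_viewer",
    "download_image": "rule:admin_or_deployer",
    "add_image": "rule:admin_or_deployer",
    "modify_image": "rule:admin_or_deployer",
    "publicize_image": "rule:admin_or_deployer",
    "delete_image": "rule:admin_or_deployer",
    "manage_image_cache": "role:admin",
}

# Glance's defaults for the two options the report names.
DEFAULT_CONF = {"show_multiple_locations": False, "show_image_direct_url": False}

# Constructed sample image (assumed record layout).
IMAGE = {"id": "img-1", "name": "cirros",
         "locations": ["file:///var/lib/glance/img-1"]}


def check_rule(policy, rule_name, roles, depth=0):
    """Evaluate 'role:x or rule:y ...' against the caller's roles; only the
    atoms and the 'or' form used in the report's policy are supported."""
    if depth > 10:
        raise ValueError("rule recursion too deep: %s" % rule_name)
    expr = policy.get(rule_name, policy["default"])
    for atom in expr.split(" or "):
        kind, _, value = atom.partition(":")
        if kind == "role" and value in roles:
            return True
        if kind == "rule" and check_rule(policy, value, roles, depth + 1):
            return True
    return False


def enforce(policy, rule_name, roles):
    if not check_rule(policy, rule_name, roles):
        raise Forbidden(rule_name)


def serialize_before(policy, roles, image, conf):
    """Behaviour the report describes: the location check runs for every
    image regardless of conf, and its Forbidden escapes the serializer."""
    enforce(policy, "get_image_location", roles)
    out = {"id": image["id"], "name": image["name"]}
    if conf["show_multiple_locations"]:
        out["locations"] = list(image["locations"])
    if conf["show_image_direct_url"]:
        out["direct_url"] = image["locations"][0]
    return out


def serialize_after(policy, roles, image, conf):
    """Hardened form: consult locations (and the rule) only when conf exposes
    them, and turn a refusal into a 403 instead of an unhandled error."""
    out = {"id": image["id"], "name": image["name"]}
    if conf["show_multiple_locations"] or conf["show_image_direct_url"]:
        try:
            enforce(policy, "get_image_location", roles)
        except Forbidden as e:
            raise HTTPForbidden(str(e))
        if conf["show_multiple_locations"]:
            out["locations"] = list(image["locations"])
        if conf["show_image_direct_url"]:
            out["direct_url"] = image["locations"][0]
    return out


def handle_get_images(policy, roles, conf, serializer):
    """Model of the resource: the controller's own check maps to 403, but an
    exception escaping the serializer becomes a generic 500. Returns (status, body)."""
    try:
        try:
            enforce(policy, "get_images", roles)
        except Forbidden as e:
            raise HTTPForbidden(str(e))
        return 200, [serializer(policy, roles, IMAGE, conf)]
    except HTTPForbidden as e:
        return e.status, {"error": str(e)}
    except Exception as e:
        return 500, {"error": "%s: %s" % (type(e).__name__, e)}


if __name__ == "__main__":
    for name, ser in (("before", serialize_before), ("after", serialize_after)):
        print(name, handle_get_images(POLICY, ["viewer"], DEFAULT_CONF, ser))
```

With roles ['viewer'] and the default options, the first serializer yields a 500 (the Forbidden from get_image_location is not one the resource maps), the second yields 200 with id and name only. Turning show_multiple_locations on makes the second serializer perform the check and answer 403 for the viewer, while an admin gets the locations and direct_url fields.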

Feilong Wang (flwang)
Changed in glance:
assignee: nobody → Fei Long Wang (flwang)
status: New → In Progress
Feilong Wang (flwang)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/48401

Changed in glance:
milestone: none → havana-rc1
importance: Undecided → High
John Warren (jswarren) wrote :

Regarding your #1: what permission, if any, should a user have if not get_image_location?

Changed in glance:
milestone: havana-rc1 → icehouse-1
tags: added: glance-rc-potential
tags: added: havana-rc-potential
removed: glance-rc-potential
Thierry Carrez (ttx)
Changed in glance:
milestone: icehouse-1 → havana-rc2
tags: removed: havana-rc-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/48401
Committed: http://github.com/openstack/glance/commit/74eb73fe976b41f76fef1e1dcd1bc90d5f65a5f6
Submitter: Jenkins
Branch: master

commit 74eb73fe976b41f76fef1e1dcd1bc90d5f65a5f6
Author: Fei Long Wang <email address hidden>
Date: Thu Sep 26 15:49:01 2013 +0800

    Glance GET /v2/images fails with 500 due to erroneous policy check

    This patch fixes the following two issues in the V2 ResponseSerializer for
    images-list, image-show, image-update and image-download.

    1. A user should be able to list/show/update/download an image without
    needing permission on get_image_location.
    2. A policy failure should result in a 403 return code. We're
    getting a 500.

    Fixes bug 1231255

    Change-Id: Ie0ec2d574eea4433c4f610ec66a22cb16cae6dc6

Changed in glance:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/51044

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (milestone-proposed)

Reviewed: https://review.openstack.org/51044
Committed: http://github.com/openstack/glance/commit/005904da775a809d4319310d6e3a79104aa27ba1
Submitter: Jenkins
Branch: milestone-proposed

commit 005904da775a809d4319310d6e3a79104aa27ba1
Author: Fei Long Wang <email address hidden>
Date: Thu Sep 26 15:49:01 2013 +0800

    Glance GET /v2/images fails with 500 due to erroneous policy check

    This patch fixes the following two issues in the V2 ResponseSerializer for
    images-list, image-show, image-update and image-download.

    1. A user should be able to list/show/update/download an image without
    needing permission on get_image_location.
    2. A policy failure should result in a 403 return code. We're
    getting a 500.

    Fixes bug 1231255

    Change-Id: Ie0ec2d574eea4433c4f610ec66a22cb16cae6dc6

Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: havana-rc2 → 2013.2