Glance GET /v2/images fails with 500 due to erroneous policy check
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Glance |
Fix Released
|
High
|
Feilong Wang |
Bug Description
A user with 'viewer' authority per the following policy receives a 500 error when calling glance v2/images.
The user is successfully able to get a list of images and details when calling /v1/images/detail.
Policy:
{
"admin_only": "role:admin",
"admin_
"admin_
"default": "rule:admin_
"get_images": "rule:admin_
"get_image": "rule:admin_
"download_
"add_image": "rule:admin_
"modify_image": "rule:admin_
"publicize_
"delete_image": "rule:admin_
"manage_
}
Based on the investigation, it is due to a failed policy check on the 'get_image_
There are several things wrong with this:
1. A user should be able to list images without needing permission on get_image_location
2. Image location output on the image detail APIs is controlled by these Glance CONF settings CONF.show_
3. A policy failure should result in a 403 return code. We're getting a 500.
Changed in glance: | |
assignee: | nobody → Fei Long Wang (flwang) |
status: | New → In Progress |
description: | updated |
Changed in glance: | |
milestone: | none → havana-rc1 |
importance: | Undecided → High |
Changed in glance: | |
milestone: | havana-rc1 → icehouse-1 |
tags: | added: glance-rc-potential |
tags: |
added: havana-rc-potential removed: glance-rc-potential |
Changed in glance: | |
milestone: | icehouse-1 → havana-rc2 |
tags: | removed: havana-rc-potential |
Changed in glance: | |
milestone: | havana-rc2 → 2013.2 |
Fix proposed to branch: master /review. openstack. org/48401
Review: https:/