v2 member-create call allows adding an empty tenantId as member

Bug #1231497 reported by Brian Rosmaita
This bug affects 1 person
Affects: Glance
Status: Fix Released
Importance: Medium
Assigned to: Feilong Wang

Bug Description

This happens with API calls only, the python-glanceclient does not allow it.

Note the request payload in this request:

    curl -i -X POST -H "X-Auth-Token: $AUTH_TOKEN" \
        -H 'Content-Type: application/json' \
        -d '{ "member": "" }' \
        http://$GLANCE/v2/images/$IMG/members

Response:
HTTP/1.1 200 OK
Content-Length: 198
Content-Type: application/json; charset=UTF-8
X-Openstack-Request-Id: req-54621fca-efc0-4800-a2d0-f25a4ee4671d
Date: Thu, 26 Sep 2013 14:43:25 GMT

{"status": "pending", "created_at": "2013-09-26T14:43:25Z", "updated_at": "2013-09-26T14:43:25Z", "image_id": "4551c8ab-ab07-4d4b-88f0-97be88f1c09b", "member_id": "", "schema": "/v2/schemas/member"}

demo! curl -X GET -H "X-Auth-Token: $AUTH_TOKEN" -H 'Content-Type: application/json' http://$GLANCE/v2/images/$IMG/members | python -m json.tool
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 478 100 478 0 0 16296 0 --:--:-- --:--:-- --:--:-- 17071
{
    "members": [
        {
            "created_at": "2013-09-26T14:43:25Z",
            "image_id": "4551c8ab-ab07-4d4b-88f0-97be88f1c09b",
            "member_id": "",
            "schema": "/v2/schemas/member",
            "status": "pending",
            "updated_at": "2013-09-26T14:43:25Z"
        },
        {
            "created_at": "2013-09-20T21:16:21Z",
            "image_id": "4551c8ab-ab07-4d4b-88f0-97be88f1c09b",
            "member_id": "8989447062e04a818baf9e073fd04fa7",
            "schema": "/v2/schemas/member",
            "status": "pending",
            "updated_at": "2013-09-20T21:16:21Z"
        }
    ],
    "schema": "/v2/schemas/members"
}

Problem is that because of the structure of the delete call, you can't delete such an image member:
DELETE http://$GLANCE/v2/images/$IMG/members/$CONSUMER

Workaround is that this doesn't match any tenant IDs, so it has no effect; it just takes up space.

Changed in glance:
milestone: none → havana-rc1
importance: Undecided → Medium
status: New → Triaged
Feilong Wang (flwang)
Changed in glance:
assignee: nobody → Fei Long Wang (flwang)
Feilong Wang (flwang)
Changed in glance:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/48503

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/48503
Committed: http://github.com/openstack/glance/commit/7ba7333d9f9d565156746ff7586bf52a071c0047
Submitter: Jenkins
Branch: master

commit 7ba7333d9f9d565156746ff7586bf52a071c0047
Author: Fei Long Wang <email address hidden>
Date: Fri Sep 27 01:34:54 2013 +0800

    Fixes V2 member-create allows adding an empty tenantId as member

    Adding a precheck for the member id in RequestDeserializer.

    Fixes bug 1231497

    Change-Id: Ia60486b0ebeff2a9923cfbe1a262dfa9d2a44246
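
The commit message above describes a precheck for the member id in the request deserializer. As an added illustration (not Glance's code; the function and exception names are hypothetical), here is an unchecked parse that accepts the payload from the report, beside a checked one that rejects empty, blank, missing and non-string member values before anything is stored:

```python
import json

class BadRequest(ValueError):
    """Stand-in for an HTTP 400 error (hypothetical name, not a Glance class)."""

def parse_member_unchecked(raw_body):
    # Behaviour the report describes: whatever sits under "member" is accepted,
    # so '{ "member": "" }' produces a member whose member_id is "".
    return json.loads(raw_body)["member"]

def parse_member_checked(raw_body):
    # Precheck at the deserialization boundary, before anything is stored.
    try:
        body = json.loads(raw_body)
    except ValueError:
        raise BadRequest("body is not valid JSON") from None
    if not isinstance(body, dict) or "member" not in body:
        raise BadRequest("body must be a JSON object with a 'member' key")
    member_id = body["member"]
    if not isinstance(member_id, str) or not member_id.strip():
        raise BadRequest("'member' must be a non-empty string")
    return member_id

def member_path(image_id, member_id):
    # Path shape of the DELETE call quoted in the report.
    return "/v2/images/%s/members/%s" % (image_id, member_id)

def is_rejected(raw_body):
    try:
        parse_member_checked(raw_body)
    except BadRequest:
        return True
    return False

# Image and member IDs are the ones shown in the report's output.
IMG = "4551c8ab-ab07-4d4b-88f0-97be88f1c09b"
REPORTED = '{ "member": "" }'
# Constructed sample bodies covering the other malformed shapes.
MALFORMED = ['{"member": "   "}', '{"member": null}', '{"member": 5}',
             '{}', '[]', 'not json']

if __name__ == "__main__":
    # With an empty id the member path collapses onto the collection URL.
    print(repr(member_path(IMG, parse_member_unchecked(REPORTED))))
    for body in [REPORTED] + MALFORMED:
        print(body, "->", "400" if is_rejected(body) else "accepted")
```
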

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: havana-rc1 → 2013.2