OpenStack-Ansible

Glance policy restrictions cause tempest failures

Bug #1411599 reported by Hugh Saunders on 2015-01-16

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
OpenStack-Ansible	Invalid	High	Hugh Saunders
Icehouse	Fix Released	High	Hugh Saunders	OpenStack-Ansible 9.0.7
Juno	Fix Released	High	Kevin Carter	OpenStack-Ansible 10.1.2
Trunk	Invalid	High	Hugh Saunders

Bug Description

The following glance policies have been added to prevent users from extracting files from the glance container using set location. However this had the side effect of preventing non-admin users from creating images with remote locations. This is done by the setup class of the tempest list images test, so that test fails.

========================================================
    "delete_image_location": "role:admin",
    "get_image_location": "",
    "set_image_location": "role:admin",
========================================================

For example:

======================================================================
FAIL: setUpClass (tempest.api.image.v1.test_images.ListImagesTest)
----------------------------------------------------------------------
Traceback (most recent call last):
_StringException: Traceback (most recent call last):
  File "/opt/tempest_3a94488ced15985f34b276993891b3bf3def3845/tempest/test.py", line 274, in setUpClass
    cls.resource_setup()
  File "/opt/tempest_3a94488ced15985f34b276993891b3bf3def3845/tempest/api/image/v1/test_images.py", line 113, in resource_setup
    img1 = cls._create_remote_image('one', 'bare', 'raw')
  File "/opt/tempest_3a94488ced15985f34b276993891b3bf3def3845/tempest/api/image/v1/test_images.py", line 147, in _create_remote_image
    location=location)
  File "/opt/tempest_3a94488ced15985f34b276993891b3bf3def3845/tempest/api/image/base.py", line 71, in create_image
    disk_format, **kwargs)
  File "/opt/tempest_3a94488ced15985f34b276993891b3bf3def3845/tempest/services/image/v1/json/image_client.py", line 157, in create_image
    resp, body = self.post('v1/images', None, headers)
  File "/opt/tempest_3a94488ced15985f34b276993891b3bf3def3845/tempest/common/rest_client.py", line 253, in post
    return self.request('POST', url, extra_headers, headers, body)
  File "/opt/tempest_3a94488ced15985f34b276993891b3bf3def3845/tempest/common/rest_client.py", line 467, in request
    resp, resp_body)
  File "/opt/tempest_3a94488ced15985f34b276993891b3bf3def3845/tempest/common/rest_client.py", line 508, in _error_checker
    raise exceptions.Unauthorized(resp_body)
Unauthorized: Unauthorized
Details: 403 Forbidden

Access was denied to this resource.
======================================================================

Hugh Saunders (hughsaunders) on 2015-01-16

Changed in openstack-ansible:
assignee:	nobody → Hugh Saunders (hughsaunders)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-01-16: Fix proposed to os-ansible-deployment (master)

Fix proposed to branch: master
Review: https://review.openstack.org/147813

Changed in openstack-ansible:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-01-23: Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/147813
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=a5ab931267c613d4cf802a1c0158bc602b99fd84
Submitter: Jenkins
Branch: master

commit a5ab931267c613d4cf802a1c0158bc602b99fd84
Author: Hugh Saunders <email address hidden>
Date: Fri Jan 16 10:43:22 2015 +0000

Add role for tempest to allow set image location

    Recent glance policy additions prevent non admins from setting image
    location and therefore creating remote images. Tempest users need this
    functionality, so this patch adds a role to those users and a policy to
    allow that role to set image location.

    The change that allows users to specify roles to be added to tempest
    users has already been merged upstream:
    https://review.openstack.org/#/c/147542/

In order to use the upstream tempest changes, I had to bump the tempest
sha, which in turn required some client package upgrades:

     * tempest to 3feb4d4e1f9367269a226f788ff468f820751340
     * python-glanceclient to 0.15.0
     * python-saharaclient to 0.7.6

Change-Id: I9ed053bf70680db54b1cf679a171d61ea639f19d
Closes-Bug: #1411599

Changed in openstack-ansible:
status:	In Progress → Fix Committed

Matt Thompson (mattt416) on 2015-01-28

tags:

added: juno-backport-potential

Jesse Pretorius (jesse-pretorius) on 2015-01-29

Changed in openstack-ansible:
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-01-29: Fix proposed to os-ansible-deployment (juno)

Fix proposed to branch: juno
Review: https://review.openstack.org/151321

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-01-30: Fix merged to os-ansible-deployment (juno)

Reviewed: https://review.openstack.org/151321
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=278ec800c4ad14534ed4406c0cb6900a6a6f779b
Submitter: Jenkins
Branch: juno

commit 278ec800c4ad14534ed4406c0cb6900a6a6f779b
Author: Hugh Saunders <email address hidden>
Date: Fri Jan 16 10:43:22 2015 +0000

Add role for tempest to allow set image location

    The change that allows users to specify roles to be added to tempest
    users has already been merged upstream:
    https://review.openstack.org/#/c/147542/

In order to use the upstream tempest changes, I had to bump the tempest
sha, which in turn required some client package upgrades:

     * tempest to 3feb4d4e1f9367269a226f788ff468f820751340
     * python-glanceclient to 0.15.0
     * python-saharaclient to 0.7.6

    Change-Id: I9ed053bf70680db54b1cf679a171d61ea639f19d
    Closes-Bug: #1411599
    (cherry picked from commit a5ab931267c613d4cf802a1c0158bc602b99fd84)

Jesse Pretorius (jesse-pretorius) on 2015-02-03

tags:

removed: juno-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-19: Fix proposed to os-ansible-deployment (icehouse)

Fix proposed to branch: icehouse
Review: https://review.openstack.org/157340

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-19: Fix merged to os-ansible-deployment (icehouse)

Reviewed: https://review.openstack.org/157340
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=2129b64484f0476d7d0d4697624c241c0bf7ac44
Submitter: Jenkins
Branch: icehouse

commit 2129b64484f0476d7d0d4697624c241c0bf7ac44
Author: Hugh Saunders <email address hidden>
Date: Fri Jan 16 10:43:22 2015 +0000

Add role for tempest to allow set image location

    The change that allows users to specify roles to be added to tempest
    users has already been merged upstream:
    https://review.openstack.org/#/c/147542/

In order to use the upstream tempest changes, I had to bump the tempest
sha, which in turn required some client package upgrades:

     * tempest to 3feb4d4e1f9367269a226f788ff468f820751340
     * python-glanceclient to 0.15.0
     * python-saharaclient to 0.7.6

    Conflicts:
            rpc_deployment/library/neutron
            rpc_deployment/roles/tempest_resources/tasks/main.yml
            rpc_deployment/vars/repo_packages/python_glanceclient.yml
            rpc_deployment/vars/repo_packages/python_saharaclient.yml
            rpc_deployment/vars/repo_packages/tempest.yml

    Change-Id: I9ed053bf70680db54b1cf679a171d61ea639f19d
    Closes-Bug: #1411599
    (cherry picked from commit a5ab931267c613d4cf802a1c0158bc602b99fd84)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.