'upload-image' policy blocks the image-import API

Bug #1732141 reported by Bhagyashri Shewale
Affects: Glance
Status: Fix Released
Importance: Critical
Assigned to: Bhagyashri Shewale

Bug Description

There are two methods to create images:-

Method A)
POST /v2/images
PUT /v2/images/{image_id}/file

Method B)
POST /v2/images
PUT /v2/images/{image_id}/stage
POST /v2/images/{image_id}/import

The Glance community has a long-term plan to restrict normal users from using Method A to create images.

The traditional image upload API (PUT /v2/images/{image_id}/file) uses the 'upload-image' policy, which is the same policy used by the Method B (POST /v2/images/{image_id}/import) image-create-via-import (new API for image create) API.

If the Glance community restricts the traditional Method A (image upload) for normal users, it will also impact the Method B (POST /v2/images/{image_id}/import) image-import call, so normal users won't be able to import images using image-create-via-import (new API for image create).

'upload-image' and 'import image' share the same policy.

Steps to reproduce:

Case 1: Restrict the normal user to upload-image

1. Modify the /etc/glance/policy.json

        "upload_image": "role:demo",

2. Create the image

    $ glance image-create --name test --property test=tyest --file spec_and_blueprint_content.txt --container-format bare --disk-format qcow2
  +------------------+--------------------------------------+
  | Property | Value |
  +------------------+--------------------------------------+
  | checksum | None |
  | container_format | bare |
  | created_at | 2017-11-13T07:02:41Z |
  | disk_format | qcow2 |
  | id | d719c5fb-4907-4b8d-b219-18a2743b82b6 |
  | min_disk | 0 |
  | min_ram | 0 |
  | name | test |
  | owner | d2b9f7372d2e481ca13a16bd526f9f14 |
  | protected | False |
  | size | None |
  | status | queued |
  | tags | [] |
  | test | tyest |
  | updated_at | 2017-11-13T07:02:41Z |
  | virtual_size | None |
  | visibility | shared |
  +------------------+--------------------------------------+
  403 Forbidden: Not allowed to upload image data for image d719c5fb-4907-4b8d-b219-18a2743b82b6: You are not authorized to complete upload_image action. (HTTP 403)

Case 2: Now a normal user wants to create the image using the image-create-via-import API, but it will not allow the image to be imported because of the policy set in the first case.

    $ glance image-create-via-import --name test --file spec_and_blueprint_content.txt --container-format bare --disk-format raw --property os_distro=xyz
  +------------------+--------------------------------------+
  | Property | Value |
  +------------------+--------------------------------------+
  | checksum | None |
  | container_format | bare |
  | created_at | 2017-11-13T07:23:25Z |
  | disk_format | raw |
  | id | 7e0bc1c4-7024-43cb-b75c-2a5629f8ded9 |
  | min_disk | 0 |
  | min_ram | 0 |
  | name | test |
  | os_distro | xyz |
  | owner | d2b9f7372d2e481ca13a16bd526f9f14 |
  | protected | False |
  | size | None |
  | status | queued |
  | tags | [] |
  | updated_at | 2017-11-13T07:23:25Z |
  | virtual_size | None |
  | visibility | shared |
  +------------------+--------------------------------------+
  403 Forbidden: Not allowed to upload image data for image 7e0bc1c4-7024-43cb-b75c-2a5629f8ded9: You are not authorized to complete upload_image action. (HTTP 403)

So to overcome this we will need to add a separate policy for import image in policy.json.

Changed in glance:
assignee: nobody → Bhagyashri Shewale (bhagyashri-shewale)
description: updated
Changed in glance:
status: New → Confirmed
importance: Undecided → High
Changed in glance:
milestone: none → queens-2
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/524060

Changed in glance:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/525578

Brian Rosmaita (brian-rosmaita) wrote :

Rescheduling to Q-3 and upping the Importance to Critical.

Changed in glance:
importance: High → Critical
milestone: queens-2 → queens-3
Brian Rosmaita (brian-rosmaita) wrote :

Rescheduling to Queens because the policy code requires some discussion and consensus.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on glance (master)

Change abandoned by Bhagyashri Shewale (<email address hidden>) on branch: master
Review: https://review.openstack.org/525578

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/524060
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=89feef0e2f2d327e8efd4cc768aaced72c54838c
Submitter: Zuul
Branch: master

commit 89feef0e2f2d327e8efd4cc768aaced72c54838c
Author: bhagyashris <email address hidden>
Date: Tue Nov 21 12:55:50 2017 +0530

    Move 'upload_image' policy check to the controller

    There are two methods to create images:-

    Method A)
    POST /v2/images
    PUT /v2/images/{image_id}/file

    Method B)
    POST /v2/images
    PUT /v2/images/{image_id}/stage
    POST /v2/images/{image_id}/import

    The traditional image upload API (PUT /v2/images/{image_id}/file)
    uses 'upload_image' policy which is same for
    Method B (POST /v2/images/{image_id}/import)
    image-create-via-import(new API for image create) API.

    The long term goal is to make users use method B to create images
    and cross services to use Method A until changes are made to
    use Method B.
    To restrict normal users from using Method A to create images both
    these APIs (/v2/images/{image_id}/file and /v2/images/{image_id}/import)
    should have a distinct policy.

    This patch moves the 'upload_image' policy check from image.set_data()
    to the controller and does not introduce any new policies at this point
    for the import API call (POST /v2/images/{image_id}/import)
    on the theory that an operator can stop import by restricting the
    'image_create' policy. Also, this fix will not change the semantics
    of the 'upload_image' policy from the operator's perspective.

    Closes-Bug: #1732141
    Change-Id: Icc62add5f8d48549aac94c8058d66d6b77b56d41

Changed in glance:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance 16.0.0.0b3

This issue was fixed in the openstack/glance 16.0.0.0b3 development milestone.
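
The effect of where the 'upload_image' check is enforced can be shown with a simplified model (an added example, not Glance source code and not part of the original report). The `Image`, `enforce`, `attempt` and `matrix` names, the `member` role and the flag `check_in_set_data` are assumptions made for illustration; the real import path runs through more layers than this.

```python
# Constructed model of the two enforcement placements; not Glance source code.
class Forbidden(Exception):
    pass

def enforce(policy, roles, rule):
    """Raise Forbidden unless the caller holds the role the rule requires.
    A rule absent from the policy is open to everyone (simplification)."""
    required = policy.get(rule)              # e.g. "role:demo"
    if required and required.split(":", 1)[1] not in roles:
        raise Forbidden(f"You are not authorized to complete {rule} action.")

class Image:
    """Shared data layer reached by both PUT .../file and POST .../import."""
    def __init__(self, policy, roles, check_in_set_data):
        self.policy, self.roles = policy, roles
        self.check_in_set_data = check_in_set_data
        self.status = "queued"

    def set_data(self, data):
        if self.check_in_set_data:           # pre-fix placement of the check
            enforce(self.policy, self.roles, "upload_image")
        self.status = "active"

def upload(image, data):
    """PUT /v2/images/{image_id}/file (Method A)."""
    if not image.check_in_set_data:          # post-fix: check is in the controller
        enforce(image.policy, image.roles, "upload_image")
    image.set_data(data)

def import_image(image, data):
    """POST /v2/images/{image_id}/import (Method B); no upload_image check here."""
    image.set_data(data)

def attempt(call, policy, roles, check_in_set_data):
    """Return 'active' on success or 'HTTP 403' when policy denies the call."""
    image = Image(policy, roles, check_in_set_data)
    try:
        call(image, b"data")
    except Forbidden:
        return "HTTP 403"
    return image.status

POLICY = {"upload_image": "role:demo"}       # restriction from the bug report
MEMBER = {"member"}                          # constructed user without 'demo'

def matrix():
    """Outcome per (API, fixed?) for a user lacking the required role."""
    return {(c.__name__, fixed): attempt(c, POLICY, MEMBER, not fixed)
            for c in (upload, import_image) for fixed in (False, True)}
```

With the check in the shared data layer both calls are denied; with the check in the upload controller only Method A is denied, which is what lets an operator restrict it without touching import.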
