Some APIs return None when missing permissions instead of raising 403
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Cinder | Fix Released | High | Felipe Monteiro | |
Bug Description
Steps to reproduce:
------------------
1) Update Cinder's policy "volume_
to "rule:admin_api" in policy.json
2) Call the os-unset_
3) None is returned.
Reason for bug:
---------------
For os-unset_
that None is returned instead of a 403 being raised.
This leads to strange behavior in, say, Tempest, where it expects a dictionary to be returned, but instead receives None from the API.
Most APIs in Cinder only use fatal=False in context.authorize() for extending a response body (i.e. adding additional information to it). But for these examples it affects the entire response body being returned or not.
Places affected:
----------------
os-unset_
os-set_
Used this to look for others but didn't find any: http://
Example stacktrace:
-------------------
Traceback (most recent call last):
File "/opt/stack/
LOG.error(msg)
File "/usr/local/
self.
File "/usr/local/
six.
File "/opt/stack/
test_
File "/opt/stack/
self.
File "tempest/
body = json.loads(body)
File "/usr/local/
return json.loads(
File "/usr/lib/
return _default_
File "/usr/lib/
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/
raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
[0] https:/
[1] https:/
Changed in cinder:
status: New → Confirmed
Changed in cinder:
importance: Undecided → High
milestone: none → queens-3
assignee: nobody → Felipe Monteiro (fm577c)
This was discussed in today's IRC meeting and there was agreement that this is a bug. We should be returning a 403. So, Felipe is going to work on a fix.
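A simplified model of the pattern this report describes, as an added example that is not Cinder's code or part of the original thread: a non-fatal policy check that gates the whole response body, next to a handler that lets the denial surface as a 403. `Context`, `RULES`, the handler names and the `example:unset_action` policy name are constructed for illustration, and reporting a `None` result as status 200 is an assumption of the model.

```python
import json

RULES = {"example:unset_action": "admin"}  # constructed, stands in for "rule:admin_api"

class PolicyNotAuthorized(Exception):
    """Stand-in for the policy failure raised when fatal=True."""

class Forbidden(Exception):
    status = 403

class Context:
    """Simplified request context; authorize() models only the fatal flag."""
    def __init__(self, roles):
        self.roles = set(roles)

    def authorize(self, action, fatal=True):
        allowed = RULES[action] in self.roles
        if not allowed and fatal:
            raise PolicyNotAuthorized(action)
        return allowed

def unset_before(context, volume):
    """Buggy shape: the non-fatal check decides whether any body is returned."""
    if context.authorize("example:unset_action", fatal=False):
        volume["flag"] = False
        return {"volume": volume}
    # Denied callers fall through here: implicit None, no error raised.

def unset_after(context, volume):
    """Fixed shape: a denied caller gets an exception that maps to 403."""
    try:
        context.authorize("example:unset_action")
    except PolicyNotAuthorized as exc:
        raise Forbidden(str(exc))
    volume["flag"] = False
    return {"volume": volume}

def respond(handler, context, volume):
    """Return (status, body) roughly as an API layer would serialize the result."""
    try:
        result = handler(context, volume)
    except Forbidden as exc:
        return exc.status, json.dumps({"forbidden": {"code": 403, "message": str(exc)}})
    # Model assumption: any non-exception result, including None, is a success.
    return 200, "" if result is None else json.dumps(result)
```

A client that calls `json.loads()` on the empty body from `unset_before` fails with the same `ValueError` seen in the stack trace, while the `unset_after` response carries an explicit 403 it can check.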