Everything returns 403 if show_multiple_locations is true and get_image_location policy is set
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Glance |
Fix Released
|
High
|
Kairat Kushaev | ||
Ubuntu Cloud Archive |
Fix Released
|
High
|
Unassigned | ||
Kilo |
Fix Released
|
High
|
Jorge Niedbalski | ||
glance (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Xenial |
Fix Released
|
High
|
Unassigned |
Bug Description
[Impact]
If, in glance-api.conf you set:
show_multiple_
Things work as expected:
$ glance --os-image-
+-----
| Property | Value |
+-----
| checksum | 9cb02fe7fcac26f
| container_format | bare |
| created_at | 2015-10-
| disk_format | raw |
| id | 13ae74f0-
| locations | [{"url": "swift+
| | "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good-image |
| owner | 88cffb9c8aee457
| protected | False |
| size | 145 |
| status | active |
| tags | [] |
| updated_at | 2015-10-
| virtual_size | None |
| visibility | private |
+-----
but if you then set the get_image_location policy to role:admin, most calls return 403:
$ glance --os-image-
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
$ glance --os-image-
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
$ glance --os-image-
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
etc.
As https:/
1. A user should be able to list/show/
needing permission on get_image_location.
2. A policy failure should result in a 403 return code. We're
getting a 500
This is v2 only, v1 works ok.
[Test Case]
- Set show_multiple_
- Set get_image_location policy to role:admin in /etc/glance/
- Run glance --os-image-
[Regression Potential]
* None Identified
[Other Info]
* Already backported to mitaka/newton.
Changed in glance: | |
importance: | Undecided → High |
milestone: | none → mitaka-1 |
Changed in glance (Ubuntu): | |
status: | New → Fix Released |
Changed in glance (Ubuntu Xenial): | |
status: | New → Fix Released |
Changed in glance (Ubuntu Trusty): | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Jorge Niedbalski (niedbalski) |
Changed in glance (Ubuntu Trusty): | |
status: | In Progress → New |
assignee: | Jorge Niedbalski (niedbalski) → nobody |
Changed in cloud-archive: | |
status: | New → Fix Released |
Changed in glance (Ubuntu Trusty): | |
status: | New → Triaged |
Changed in cloud-archive: | |
importance: | Undecided → High |
Changed in glance (Ubuntu): | |
importance: | Undecided → High |
Changed in glance (Ubuntu Xenial): | |
importance: | Undecided → High |
description: | updated |
tags: | added: sts sts-sru-needed |
no longer affects: | glance (Ubuntu Trusty) |
tags: |
added: sts-sru-done removed: sts-sru-needed |
Similar to
https:/ /bugs.launchpad .net/glance/ +bug/1502133