Ubuntu Cloud Archive

Everything returns 403 if show_multiple_locations is true and get_image_location policy is set

Series kilo
Bug #1502136

Bug #1502136 reported by Stuart McLaren on 2015-10-02

This bug affects 2 people

	Status	Importance	Assigned to	Milestone
Glance	Fix Released	High	Kairat Kushaev	Glance mitaka-1 "m1"
Ubuntu Cloud Archive	Fix Released	High	Unassigned
Kilo	Fix Released	High	Jorge Niedbalski
glance (Ubuntu)	Fix Released	High	Unassigned
Xenial	Fix Released	High	Unassigned

Bug Description

[Impact]

If, in glance-api.conf you set:

show_multiple_locations = true

Things work as expected:

$ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | 9cb02fe7fcac26f8a25d6db3109063ae |
| container_format | bare |
| created_at | 2015-10-02T12:43:33Z |
| disk_format | raw |
| id | 13ae74f0-74bf-4792-a8bb-7c622abc5410 |
| locations | [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", |
| | "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good-image |
| owner | 88cffb9c8aee457788066c97b359585b |
| protected | False |
| size | 145 |
| status | active |
| tags | [] |
| updated_at | 2015-10-02T12:43:34Z |
| virtual_size | None |
| visibility | private |
+------------------+----------------------------------------------------------------------------------+

but if you then set the get_image_location policy to role:admin, most calls return 403:

$ glance --os-image-api-version 2 image-list
403 Forbidden: You are not authorized to complete this action. (HTTP 403)

$ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410
403 Forbidden: You are not authorized to complete this action. (HTTP 403)

$ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410
403 Forbidden: You are not authorized to complete this action. (HTTP 403)

etc.

As https://review.openstack.org/#/c/48401/ says:

1. A user should be able to list/show/update/download image without
needing permission on get_image_location.
2. A policy failure should result in a 403 return code. We're
getting a 500

This is v2 only, v1 works ok.

[Test Case]

- Set show_multiple_locations = true on glance-api.conf
- Set get_image_location policy to role:admin in /etc/glance/policy.json
- Run glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 , This should work.

[Regression Potential]

* None Identified

[Other Info]

* Already backported to mitaka/newton.

See original description

Tags:

Revision history for this message

Stuart McLaren (stuart-mclaren) wrote on 2015-10-02:

Similar to

https://bugs.launchpad.net/glance/+bug/1502133

Revision history for this message

Kairat Kushaev (kkushaev) wrote on 2015-10-02:

I will close the https://bugs.launchpad.net/glance/+bug/1502133 and assign that bug to myself.
This bug is more detailed.

Changed in glance:
assignee:	nobody → Kairat Kushaev (kkushaev)

Revision history for this message

Kairat Kushaev (kkushaev) wrote on 2015-10-02:

As stated in related bug:
Image location output on the image detail APIs is controlled by these Glance CONF settings CONF.show_multiple_location and CONF.show_image_direct_url. By default, both of them are False so the location would not be getting returned anyway, so there would be no need to do the policy check in this particular case.
So it seems that Forbidden in case of image-show is correct for now (but i think just removing the locations from output would be more correct here).
Proceeding with analysis.

Revision history for this message

Stuart McLaren (stuart-mclaren) wrote on 2015-10-02:

> So it seems that Forbidden in case of image-show is correct for now

What does v1 do?

Revision history for this message

Ian Cordasco (icordasc) wrote on 2015-10-03:

Stuart, so what you want is the following

1. A very locked down policy.json
2. Glance configured to show locations
3. A user to be able to list/show images but not see the images, as in image locations only being added to the response when an admin is listing/showing images?

This should be easy to do, but it's a significant departure from the existing norm. I agree this is not the best behaviour, but I would like to see a "lite" spec for this before we accept any fix for it so that people understand why the behaviour changed so drastically.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-12: Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/233622

Changed in glance:
status:	New → In Progress

Flavio Percoco (flaper87) on 2015-11-26

Changed in glance:
importance:	Undecided → High
milestone:	none → mitaka-1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-25: Fix merged to glance (master)

Reviewed: https://review.openstack.org/233622
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=f07f36fa3789a4997b84639530e5d6ab1c603983
Submitter: Jenkins
Branch: master

commit f07f36fa3789a4997b84639530e5d6ab1c603983
Author: kairat_kushaev <email address hidden>
Date: Mon Oct 12 15:56:58 2015 +0300

Allow image-list if access to attrs is forbidden

    If access to some attributes is forbidden (f.e. get_image_location
    policy is set to role:admin and user is not admin) glance should
    just exclude these attributes from image-show, image-list output
    instead of generating Forbidden exception.
    Otherwise, the policies such as get_image_location is not useful.

    APIImpact
    SecurityImpact
    Change-Id: I5a6f587086e926a1f7e9b3f1dac9d7e10710d72a
    Closes-bug: #1502136

Changed in glance:
status:	In Progress → Fix Released

Jorge Niedbalski (niedbalski) on 2017-06-23

Changed in glance (Ubuntu):
status:	New → Fix Released
Changed in glance (Ubuntu Xenial):
status:	New → Fix Released

Jorge Niedbalski (niedbalski) on 2017-06-23

Changed in glance (Ubuntu Trusty):
status:	New → In Progress
importance:	Undecided → High
assignee:	nobody → Jorge Niedbalski (niedbalski)

Jorge Niedbalski (niedbalski) on 2017-06-23

Changed in glance (Ubuntu Trusty):
status:	In Progress → New
assignee:	Jorge Niedbalski (niedbalski) → nobody

Corey Bryant (corey.bryant) on 2017-06-26

Changed in cloud-archive:
status:	New → Fix Released

Corey Bryant (corey.bryant) on 2017-06-26

Changed in glance (Ubuntu Trusty):
status:	New → Triaged
Changed in cloud-archive:
importance:	Undecided → High
Changed in glance (Ubuntu):
importance:	Undecided → High
Changed in glance (Ubuntu Xenial):
importance:	Undecided → High

Revision history for this message

Jorge Niedbalski (niedbalski) wrote on 2017-06-28:

fix-lp1502136-trusty-kilo.debdiff Edit (6.9 KiB, text/plain)

Jorge Niedbalski (niedbalski) on 2017-06-28

description:	updated
tags:	added: sts sts-sru-needed

Revision history for this message

James Page (james-page) wrote on 2017-07-25:

Uploaded to kilo-staging for the UCA.

Revision history for this message

James Page (james-page) wrote on 2017-07-25: Please test proposed package

#10

Hello Stuart, or anyone else affected,

Accepted glance into kilo-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

sudo add-apt-repository cloud-archive:kilo-proposed
sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-kilo-needed to verification-kilo-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-kilo-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags:

added: verification-kilo-needed

Revision history for this message

Jorge Niedbalski (niedbalski) wrote on 2017-07-25:

#11

OK, I've verified that the patch fixes the issue on kilo. Steps ran through.

1) Configured expose_image_locations=true in the Glance charm config.
2) Manually modify the file /etc/glance/policy.json and set "get_image_location" to "role:admin".
3) Created a image as admin tenant.
4) Run glance --os-image-api-version 2 image-show id.

Without the patch the following error is raised:

$ glance --os-image-api-version 2 image-list
403 Forbidden: You are not authorized to complete this action. (HTTP 403)

With the patch the full list of images is displayed.

tags:

added: verification-kilo-done
removed: verification-kilo-needed

Revision history for this message

James Page (james-page) wrote on 2017-07-27: Update Released

#12

The verification of the Stable Release Update for glance has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message

James Page (james-page) wrote on 2017-07-27:

#13

This bug was fixed in the package glance - 1:2015.1.4-0ubuntu2
---------------

glance (1:2015.1.4-0ubuntu2) trusty-kilo; urgency=medium
.
   * d/p/allow-image-list-if-access-to-attrs-is-forbidden.patch:
     Allow to list images in v2 if get_image_location policy is set
     to role:admin and user is not admin. (LP: #1502136).