| 2015-10-02 13:23:12 |
Stuart McLaren |
bug |
|
|
added bug |
| 2015-10-02 13:33:42 |
Kairat Kushaev |
glance: assignee |
|
Kairat Kushaev (kkushaev) |
|
| 2015-10-12 13:12:16 |
OpenStack Infra |
glance: status |
New |
In Progress |
|
| 2015-11-26 13:26:50 |
Flavio Percoco |
glance: importance |
Undecided |
High |
|
| 2015-11-26 13:26:54 |
Flavio Percoco |
glance: milestone |
|
mitaka-1 |
|
| 2016-01-25 17:26:42 |
OpenStack Infra |
glance: status |
In Progress |
Fix Released |
|
| 2017-06-23 14:45:33 |
Jorge Niedbalski |
bug task added |
|
glance (Ubuntu) |
|
| 2017-06-23 14:45:48 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Xenial |
|
| 2017-06-23 14:45:48 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Trusty |
|
| 2017-06-23 14:45:56 |
Jorge Niedbalski |
glance (Ubuntu): status |
New |
Fix Released |
|
| 2017-06-23 14:46:43 |
Eric Desrochers |
bug task added |
|
glance (Ubuntu Trusty) |
|
| 2017-06-23 14:46:45 |
Eric Desrochers |
bug task added |
|
glance (Ubuntu Xenial) |
|
| 2017-06-23 14:50:52 |
Jorge Niedbalski |
glance (Ubuntu Xenial): status |
New |
Fix Released |
|
| 2017-06-23 14:51:16 |
Jorge Niedbalski |
glance (Ubuntu Trusty): status |
New |
In Progress |
|
| 2017-06-23 14:51:26 |
Jorge Niedbalski |
glance (Ubuntu Trusty): importance |
Undecided |
High |
|
| 2017-06-23 14:51:33 |
Jorge Niedbalski |
glance (Ubuntu Trusty): assignee |
|
Jorge Niedbalski (niedbalski) |
|
| 2017-06-23 16:54:25 |
Jorge Niedbalski |
bug task added |
|
cloud-archive |
|
| 2017-06-23 16:55:13 |
Jorge Niedbalski |
glance (Ubuntu Trusty): status |
In Progress |
New |
|
| 2017-06-23 16:55:19 |
Jorge Niedbalski |
glance (Ubuntu Trusty): assignee |
Jorge Niedbalski (niedbalski) |
|
|
| 2017-06-23 17:15:58 |
Billy Olsen |
nominated for series |
|
cloud-archive/kilo |
|
| 2017-06-26 12:24:39 |
Corey Bryant |
bug task added |
|
cloud-archive/kilo |
|
| 2017-06-26 12:24:58 |
Corey Bryant |
cloud-archive: status |
New |
Fix Released |
|
| 2017-06-26 12:35:10 |
Corey Bryant |
cloud-archive/kilo: status |
New |
Triaged |
|
| 2017-06-26 12:35:20 |
Corey Bryant |
glance (Ubuntu Trusty): status |
New |
Triaged |
|
| 2017-06-26 12:35:52 |
Corey Bryant |
cloud-archive: importance |
Undecided |
High |
|
| 2017-06-26 12:35:55 |
Corey Bryant |
cloud-archive/kilo: importance |
Undecided |
Critical |
|
| 2017-06-26 12:35:58 |
Corey Bryant |
glance (Ubuntu): importance |
Undecided |
High |
|
| 2017-06-26 12:36:01 |
Corey Bryant |
cloud-archive/kilo: importance |
Critical |
High |
|
| 2017-06-26 12:36:03 |
Corey Bryant |
glance (Ubuntu Xenial): importance |
Undecided |
High |
|
| 2017-06-28 21:18:31 |
Jorge Niedbalski |
cloud-archive/kilo: status |
Triaged |
In Progress |
|
| 2017-06-28 21:18:34 |
Jorge Niedbalski |
cloud-archive/kilo: assignee |
|
Jorge Niedbalski (niedbalski) |
|
| 2017-06-28 22:19:52 |
Jorge Niedbalski |
attachment added |
|
fix-lp1502136-trusty-kilo.debdiff https://bugs.launchpad.net/glance/+bug/1502136/+attachment/4904964/+files/fix-lp1502136-trusty-kilo.debdiff |
|
| 2017-06-28 22:20:22 |
Jorge Niedbalski |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2017-06-28 22:25:25 |
Jorge Niedbalski |
description |
If, in glance-api.conf you set:
show_multiple_locations = true
Things work as expected:
$ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | 9cb02fe7fcac26f8a25d6db3109063ae |
| container_format | bare |
| created_at | 2015-10-02T12:43:33Z |
| disk_format | raw |
| id | 13ae74f0-74bf-4792-a8bb-7c622abc5410 |
| locations | [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", |
| | "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good-image |
| owner | 88cffb9c8aee457788066c97b359585b |
| protected | False |
| size | 145 |
| status | active |
| tags | [] |
| updated_at | 2015-10-02T12:43:34Z |
| virtual_size | None |
| visibility | private |
+------------------+----------------------------------------------------------------------------------+
but if you then set the get_image_location policy to role:admin, most calls return 403:
$ glance --os-image-api-version 2 image-list
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
$ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
$ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
etc.
As https://review.openstack.org/#/c/48401/ says:
1. A user should be able to list/show/update/download image without
needing permission on get_image_location.
2. A policy failure should result in a 403 return code. We're
getting a 500
This is v2 only, v1 works ok. |
[Impact]
If, in glance-api.conf you set:
show_multiple_locations = true
Things work as expected:
$ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | 9cb02fe7fcac26f8a25d6db3109063ae |
| container_format | bare |
| created_at | 2015-10-02T12:43:33Z |
| disk_format | raw |
| id | 13ae74f0-74bf-4792-a8bb-7c622abc5410 |
| locations | [{"url": "swift+config://ref1/glance/13ae74f0-74bf-4792-a8bb-7c622abc5410", |
| | "metadata": {}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | good-image |
| owner | 88cffb9c8aee457788066c97b359585b |
| protected | False |
| size | 145 |
| status | active |
| tags | [] |
| updated_at | 2015-10-02T12:43:34Z |
| virtual_size | None |
| visibility | private |
+------------------+----------------------------------------------------------------------------------+
but if you then set the get_image_location policy to role:admin, most calls return 403:
$ glance --os-image-api-version 2 image-list
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
$ glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
$ glance --os-image-api-version 2 image-delete 13ae74f0-74bf-4792-a8bb-7c622abc5410
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
etc.
As https://review.openstack.org/#/c/48401/ says:
1. A user should be able to list/show/update/download image without
needing permission on get_image_location.
2. A policy failure should result in a 403 return code. We're
getting a 500
This is v2 only, v1 works ok.
[Test Case]
- Set show_multiple_locations = true on glance-api.conf
- Set get_image_location policy to role:admin in /etc/glance/policy.json
- Run glance --os-image-api-version 2 image-show 13ae74f0-74bf-4792-a8bb-7c622abc5410 , This should work.
[Regression Potential]
* None Identified
[Other Info]
* Already backported to mitaka/newton. |
|
| 2017-06-28 22:26:06 |
Jorge Niedbalski |
tags |
|
sts sts-sru-needed |
|
| 2017-06-29 12:12:07 |
Dominique Poulain |
bug |
|
|
added subscriber Dominique Poulain |
| 2017-07-25 13:16:02 |
James Page |
cloud-archive/kilo: status |
In Progress |
Fix Committed |
|
| 2017-07-25 13:16:03 |
James Page |
tags |
sts sts-sru-needed |
sts sts-sru-needed verification-kilo-needed |
|
| 2017-07-25 14:47:04 |
Jorge Niedbalski |
tags |
sts sts-sru-needed verification-kilo-needed |
sts sts-sru-needed verification-kilo-done |
|
| 2017-07-27 19:49:55 |
James Page |
cloud-archive/kilo: status |
Fix Committed |
Fix Released |
|
| 2017-08-07 10:44:12 |
Edward Hope-Morley |
bug task deleted |
glance (Ubuntu Trusty) |
|
|
| 2017-08-07 10:45:01 |
Edward Hope-Morley |
tags |
sts sts-sru-needed verification-kilo-done |
sts sts-sru-done verification-kilo-done |
|
