Glance

role case sensitivity

Bug #1010519 reported by Alexej Ababilov on 2012-06-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Glance	Fix Released	High	Alexej Ababilov	Glance 2012.2 "folsom"

Bug Description

Nova and Keystone are case insensitive when checking roles.
nova:
if self.is_admin is None:
self.is_admin = 'admin' in [x.lower() for x in self.roles]

keystone:
    def _check_role(self, match, target_dict, cred_dict):
        """Check that there is a matching role in the cred dict."""
        return match.lower() in [x.lower() for x in cred_dict['roles']]

However, glance is case sensitive:
roles_header = req.headers.get('X-Roles', '')
roles = [r.strip() for r in roles_header.split(',')]
...
'is_admin': self.conf.admin_role in roles,

By default, self.conf.admin_role == 'admin', so, keystone's `Admin` role (that could migrate from a diablo database) will not be acceptable.

Let's fix it:
roles = [r.strip().lower() for r in roles_header.split(',')]

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-06-08: Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/8341

Changed in glance:
assignee:	nobody → Alessio Ababilov (aababilov)
status:	New → In Progress

Brian Waldon (bcwaldon) on 2012-06-08

Changed in glance:
status:	In Progress → Opinion

Revision history for this message

Brian Waldon (bcwaldon) wrote on 2012-06-12:

Based on this mailing list thread, we're going to move forward with this: http://markmail.org/thread/gnguwiea2d5fexo7

Changed in glance:
status:	Opinion → In Progress
importance:	Undecided → High
milestone:	none → folsom-2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-06-19: Fix merged to glance (master)

Reviewed: https://review.openstack.org/8341
Committed: http://github.com/openstack/glance/commit/081823ad862cabc74977299876d000cafaa6f40d
Submitter: Jenkins
Branch: master

commit 081823ad862cabc74977299876d000cafaa6f40d
Author: Alessio Ababilov <email address hidden>
Date: Fri Jun 8 18:15:47 2012 +0300

make roles case-insensitive

Fix bug #1010519

Change-Id: I5b4a50e2d546ba8b4b018178af09707bc4d31fce

Changed in glance:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2012-07-04

Changed in glance:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2012-09-27

Changed in glance:
milestone:	folsom-2 → 2012.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.