image_download policy not enforced for cached images

Bug #1235226 reported by Stuart McLaren
Affects | Status | Importance | Assigned to | Milestone
Glance | Triaged | Critical | Stuart McLaren |
OpenStack Security Advisory | Incomplete | Undecided | Unassigned |

Bug Description

I need to confirm on devstack, but it looks like the image_download policy is ignored when an image is fetched from cache.

summary: - image_download policy not enforced for cached images
+ image_download policy not enforced for cached images in v1
Stuart McLaren (stuart-mclaren) wrote : Re: image_download policy not enforced for cached images in v1

Confirmed in devstack.

To reproduce:

create a policy.json file with:

{
    "context_is_admin": "role:admin",
    "download_image": "role:admin",
    "default": "",
    "manage_image_cache": "role:admin"
}

Verify that a non-admin user cannot download
$ glance image-show 42c834df-3b35-4982-aed6-ffa4a44d3778;glance image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | 398759a311bf25c6f1d67e753bb24dae |
| container_format | bare |
| created_at | 2013-10-04T13:10:35 |
| deleted | False |
| disk_format | raw |
| id | 42c834df-3b35-4982-aed6-ffa4a44d3778 |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | x1 |
| owner | f6e065403d57444aa973fc10c655dedd |
| protected | False |
| size | 106 |
| status | active |
| updated_at | 2013-10-04T13:10:36 |
+------------------+--------------------------------------+

Request returned failure status.
403 Forbidden

download the image as an admin user

$ glance image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
LABEL=cloudimg-rootfs / ext4 defaults 0 0
/dev/vdb /mnt auto defaults,nobootwait,comment=cloudconfig 0 2

the non-admin user can now also download the image

$ glance image-show 42c834df-3b35-4982-aed6-ffa4a44d3778;glance image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | 398759a311bf25c6f1d67e753bb24dae |
| container_format | bare |
| created_at | 2013-10-04T13:10:35 |
| deleted | False |
| disk_format | raw |
| id | 42c834df-3b35-4982-aed6-ffa4a44d3778 |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | x1 |
| owner | f6e065403d57444aa973fc10c655dedd |
| protected | False |
| size | 106 |
| status | active |
| updated_at | 2013-10-04T13:10:36 |
+------------------+--------------------------------------+
LABEL=cloudimg-rootfs / ext4 defaults 0 0
/dev/vdb /mnt auto defaults,nobootwait,comment=cloudconfig 0 2
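
A simplified model of the behaviour reproduced above, added here as an illustration; it is not Glance source code or any patch attached to this bug. It assumes the cache lookup is answered before the policy check runs, and the names `ImageService`, `enforce`, `replay` and the image id are hypothetical.

```python
import json

# The rule that matters from the policy.json in the report.
POLICY = json.loads('{"download_image": "role:admin", "default": ""}')
# Constructed sample data standing in for the backing image store.
STORE = {"constructed-image-id": b"constructed image bytes"}


class Forbidden(Exception):
    """Stands in for the API's 403 Forbidden response."""


def enforce(roles, action):
    """Check a 'role:<name>' rule; an empty rule allows everyone."""
    rule = POLICY.get(action, POLICY["default"])
    if rule and rule.split(":", 1)[1] not in roles:
        raise Forbidden(action)


class ImageService:
    """Hypothetical image API with a local cache in front of the store."""

    def __init__(self, store, check_policy_on_cache_hit):
        self.store = store
        self.cache = {}
        self.check_policy_on_cache_hit = check_policy_on_cache_hit

    def download(self, roles, image_id):
        if image_id in self.cache:
            # Cache hit: the flawed variant returns here with no policy check.
            if self.check_policy_on_cache_hit:
                enforce(roles, "download_image")
            return self.cache[image_id]
        # Cache miss: the normal path enforces policy, then fills the cache.
        enforce(roles, "download_image")
        self.cache[image_id] = self.store[image_id]
        return self.cache[image_id]


def replay(service, image_id="constructed-image-id"):
    """Replay the report's steps: non-admin, admin, then non-admin again."""
    outcomes = []
    for roles in (["member"], ["admin"], ["member"]):
        try:
            service.download(roles, image_id)
            outcomes.append("200")
        except Forbidden:
            outcomes.append("403")
    return outcomes
```

The same three-step sequence (non-admin, admin, non-admin) works as a regression test for any cache layer placed in front of a policy-protected download path.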

tags: added: havana-rc-potential
Stuart McLaren (stuart-mclaren) wrote :

I can push this up to gerrit as a standard code change -- just let me know, thanks!

Stuart McLaren (stuart-mclaren) wrote :

Seems to be in v2 as well

ubuntu@devstack27:/etc/glance$ glance --os-image-api-version 1 image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
Request returned failure status.
403 Forbidden
Access was denied to this resource.
    (HTTP 403)
ubuntu@devstack27:/etc/glance$ glance --os-image-api-version 2 image-download 42c834df-3b35-4982-aed6-ffa4a44d3778
LABEL=cloudimg-rootfs / ext4 defaults 0 0
/dev/vdb /mnt auto defaults,nobootwait,comment=cloudconfig 0 2

summary: - image_download policy not enforced for cached images in v1
+ image_download policy not enforced for cached images
Jeremy Stanley (fungi) wrote :

This likely needs an advisory, assuming it affects grizzly or earlier. Stuart, can you confirm?

Changed in ossa:
status: New → Incomplete
Stuart McLaren (stuart-mclaren) wrote :

Yes I think it affects grizzly.

Stuart McLaren (stuart-mclaren) wrote :

My patch may have been superseded somewhat by this change:

https://review.openstack.org/#/c/50016/

Thierry Carrez (ttx) wrote :

@Stuart: looks like we should mark this bug a duplicate of bug 1235378 and solve this publicly, now that the cat is out of the bag? Does the patch proposed there fully address your concerns?

Stuart McLaren (stuart-mclaren) wrote :

Hi Thierry,

Yes, Zhi Yan Liu's patch looks very good.

(Pretty much the same as what my patch was doing -- but with new functional tests and also the v2 traceback fix.)

Thierry Carrez (ttx) wrote :

OK, unless someone complains I'll open and mark this one as dupe, move the ossa task to the other bug and comment on the security relevance there.

@Stuart: we'll need a grizzly backport (and a folsom one if folsom is also affected). If you are interested, please propose the fix directly to stable/grizzly (and stable/folsom if applicable) referencing the other bug.

Stuart McLaren (stuart-mclaren) wrote :

I can certainly do a grizzly patch.
I'll see if Zhi Yan Liu would like to do a folsom one.

Stuart McLaren (stuart-mclaren) wrote :
Changed in glance:
status: New → Triaged
importance: Undecided → Critical
milestone: none → icehouse-1
assignee: nobody → Stuart McLaren (stuart-mclaren)
Thierry Carrez (ttx)
information type: Private Security → Public Security