Normal user not able to download image if protected property is not associated with the image with restrict-download policy

Bug #1387973 reported by Abhishek Kekane
Affects   Status         Importance   Assigned to        Milestone
Glance    Fix Released   Critical     Abhishek Kekane
Juno      Fix Released   Critical     Unassigned

Bug Description

If a restrict download rule is configured in policy.json, and an image is added without the protected property mentioned in the "restricted" rule, then normal users (other than admin) are not able to download the image.

Steps to reproduce:

1. Create normal_user with the _member_ role using Horizon

2. Configure the download rule in policy.json

   "download_image": "role:admin or rule:restricted",
   "restricted": "not ('test_1234':%(test_key)s and role:_member_)",

3. Restart glance-api service

4. Create an image without the property 'test_key' as the admin user

   i. source devstack/openrc admin admin
   ii. glance image-create
   iii. glance image-update <image_id> --name non_protected --disk-format qcow2 --container-format bare --is-public True --file /home/openstack/api.log

5. Try to download the newly created image as normal_user.

   i. source devstack/openrc normal_user admin
   ii. glance image-download <image_id>

It returns a 403 Forbidden response to the user, whereas the admin user can download the image successfully.

Expected behavior is that all users can download the image if the restricted property is not added.

Note:
https://review.openstack.org/#/c/127923/
The above policy sync patch will solve this issue for Kilo.
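As an added example, not code from Glance, oslo-incubator or this report, the Python below models how the two policy.json rules above are evaluated for the users in the reproduction steps: fixed=False reproduces the 403 for a normal user, fixed=True the behaviour after the fix. It assumes (my reading, not stated on the page) that the Juno policy module failed the whole download_image check when %(test_key)s could not be substituted because the image had no such property.

```python
# Added example, not Glance's or oslo-incubator's own code: a model of the
# policy checks behind the two rules in this bug. Assumption (mine, not stated
# on the page): in Juno, "%(test_key)s" substitution against an image lacking
# the property failed and the request was denied; the fix makes it a non-match.

class PolicyKeyError(Exception):
    """Target (image properties) lacks a key named in the policy string."""

class RoleCheck:                       # models "role:<name>"
    def __init__(self, role):
        self.role = role
    def __call__(self, target, creds, rules):
        return self.role in creds.get("roles", ())

class GenericCheck:                    # models "'literal':%(key)s"
    def __init__(self, literal, match, missing_key_is_false):
        self.literal, self.match = literal, match
        self.missing_key_is_false = missing_key_is_false
    def __call__(self, target, creds, rules):
        try:
            value = self.match % target   # substitute image properties
        except KeyError:
            if self.missing_key_is_false:  # fixed behaviour
                return False
            raise PolicyKeyError(self.match)  # Juno behaviour (assumed)
        return value == self.literal

def not_(check):
    return lambda t, c, r: not check(t, c, r)

def and_(*checks):
    return lambda t, c, r: all(ch(t, c, r) for ch in checks)

def or_(*checks):
    return lambda t, c, r: any(ch(t, c, r) for ch in checks)

def build_rules(fixed):
    """The two policy.json entries from the bug report, as check trees."""
    restricted = not_(and_(GenericCheck("test_1234", "%(test_key)s", fixed),
                           RoleCheck("_member_")))
    rule = lambda t, c, r: r["restricted"](t, c, r)   # models "rule:restricted"
    return {"download_image": or_(RoleCheck("admin"), rule),
            "restricted": restricted}

def can_download(image_properties, creds, fixed):
    """True if download_image passes; a policy error counts as deny."""
    rules = build_rules(fixed)
    try:
        return rules["download_image"](image_properties, creds, rules)
    except PolicyKeyError:
        return False
```

An image carrying test_key=test_1234 stays restricted for _member_ users in both modes; only the image with no such property changes from denied to allowed.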

Changed in glance:
assignee: nobody → Abhishek Kekane (abhishek-kekane)
Jun Hong Li (junhongl)
Changed in glance:
assignee: Abhishek Kekane (abhishek-kekane) → Jun Hong Li (junhongl)
status: New → In Progress
Jun Hong Li (junhongl) wrote :

Abhishek Kekane: I didn't notice that you had already assigned this bug to yourself; you can take it back. I'm trying to assign it back to you, but it fails. I'm sorry.

Changed in glance:
assignee: Jun Hong Li (junhongl) → nobody
Abhishek Kekane (abhishek-kekane) wrote :

I have tested this scenario with the https://review.openstack.org/#/c/127923/ patch. It is working as expected with this patch.

Changed in glance:
assignee: nobody → Abhishek Kekane (abhishek-kekane)
tags: added: juno-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/133858

description: updated
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (stable/juno)

Reviewed: https://review.openstack.org/133858
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=c5e302ef220803b6c86d588ddcff9a63eaaaccc2
Submitter: Jenkins
Branch: stable/juno

commit c5e302ef220803b6c86d588ddcff9a63eaaaccc2
Author: abhishekkekane <email address hidden>
Date: Tue Nov 11 12:00:27 2014 -0800

    Image not downloaded without restricted property

    If a restrict download rule is configured in policy.json, and an image is
    added without the protected property mentioned in the "restricted" rule, then
    normal users (other than admin) are not able to download the image.

    Added logic in policy.py to allow normal users to download an image
    without the restricted property.

    https://review.openstack.org/#/c/127923/
    The above patch will fix the issue for master, but as it is too large to
    be back-ported to stable/juno, Nikhil recommended pushing only the minimal
    changes that fix this issue, after discussing it with the release manager.

    In this patch, I have copied the required changes from the oslo-incubator
    policy module at commit 33533b0d97639ed828a2fd5e874f16eb1ecfeaa4.
    Note: in the Juno release, the oslo-incubator policy module was not fully
    synced with glance.

    Closes-Bug: #1387973
    Change-Id: Ib85901b073c85ede7da2e9c7333426c8b8de3bb6

tags: added: in-stable-juno
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/127923
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=bdc4951d29ce803891bee85f993e9a01893827e6
Submitter: Jenkins
Branch: master

commit bdc4951d29ce803891bee85f993e9a01893827e6
Author: Zhi Yan Liu <email address hidden>
Date: Mon Oct 13 18:06:56 2014 +0800

    Update glance.openstack.common.policy and cleanup

    1. Sync glance.openstack.common.policy up to the latest
    version from oslo-inc.

    2. Clean up useless modules which are depended on by the policy
    module, and the pinned gettextutils module there. For the
    latter one, we are going to use glance.i18n instead.
     * jsonutils
     * strutils

    docImpact

    Closes-bug: #1288178
    Closes-bug: #1387973
    Partial-bug: #1381870
    Change-Id: I84511ab1ee600e618985448dfbfbdc26cb130370
    Signed-off-by: Zhi Yan Liu <email address hidden>

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in glance:
milestone: none → kilo-1
status: Fix Committed → Fix Released
Changed in glance:
importance: Undecided → High
importance: High → Critical
Thierry Carrez (ttx)
Changed in glance:
milestone: kilo-1 → 2015.1.0