Glance

403 response from Nova when making a DELETE call for an image in pending_delete

Bug #1446326 reported by Nikhil Komawar
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance
Opinion
Medium
Unassigned
OpenStack Compute (nova)
Invalid
Low
Sudipta Biswas

Bug Description

Context and information:
--------------------------------------
Currently, 404 is seen by the user when "image-delete" call is made via the Glance API or through the Images API of Nova for an Image in "deleted" status.

However, if an Image is in "pending_delete" and a user with the UUID of that Image tries "image-delete" call from the Nova API, she gets a back a 403 which is not consistent. The user should get a 404 back.

Notes:
----------
* The user needs to specify the UUID, name is not sufficient.
* For "image-show" call the user is able to see the Image in DELETED status with the appropriate metadata for Image in "deleted" or "pending_delete" status in Glance as nova passes-in the force_show_deleted=True flag by default.

Feedback needed and action to be taken:
---------------------------------------------------------------
Nova should be able to return a 404 back to the user while issuing a "image-delete" call if the Image is flagged deleted in the Glance DB (deleted=True), irrespective of the Image status in "deleted" or "pending_delete".

See original description
Nikhil Komawar (nikhil-komawar)
Changed in glance:
importance: Undecided → Medium
Nikhil Komawar (nikhil-komawar)
description: updated
Sudipta Biswas (sbiswas7)
Changed in nova:
assignee: nobody → Sudipta Biswas (sbiswas7)
Revision history for this message
jichenjc (jichenjc) wrote :

change error code should be fine , no backward compatible issue exist

Changed in nova:
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Sudipta Biswas (sbiswas7) wrote :

Hi Nikhil, it appears to me that the error code 404 or 403 - is being generated by glance-api irrespective of whether the call is being made through nova api or via the glance api for image-delete.
I set the delayed_delete to True in the glance-api.conf file to simulate this.

The fix IMHO should be in the glance/v1/images.py and that should fix it for either of the scenarios.
I plan to post a Patch set for the same. Meanwhile, please let me know if you think otherwise.

Changed in glance:
assignee: nobody → Sudipta Biswas (sbiswas7)
Sudipta Biswas (sbiswas7)
Changed in glance:
status: New → Confirmed
Revision history for this message
Nikhil Komawar (nikhil-komawar) wrote :

Hi Sudipta,

Thanks for getting back on this. The proposed change path looks good.

A quick note though:
Glance does generate a 404 on deleted images however you can see the image state if nova passes in a force_show_deleted flag. That being said we may have multiple cases when an inconsistent response is being seen by the user but that's purely my speculation at this point. I haven't had chance to further dig into this but if you help test it (your fix) across both APIs, that would be awesome.

Thanks.

Revision history for this message
Sudipta Biswas (sbiswas7) wrote :

It appears that nova relies completely on glance for the error code and hence the fix at one point in glance is enough to fix this bug. Marking this nova side of the fix as 'Invalid' post chatting with Nikhil on IRC.

Changed in nova:
status: Confirmed → Invalid
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/177326

Changed in glance:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on glance (master)

Change abandoned by Sudipta Biswas (<email address hidden>) on branch: master
Review: https://review.openstack.org/177326
Reason: Based on Flavio's comments - i am abandoning this patch.

Sudipta Biswas (sbiswas7)
Changed in glance:
assignee: Sudipta Biswas (sbiswas7) → nobody
status: In Progress → Incomplete
status: Incomplete → Opinion
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.