Glance

Glance allows image location updates (removal, replacement) for images in non-active state

Bug #1622016 reported by Dharini Chandrasekar on 2016-09-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Glance	Fix Released	High	Dharini Chandrasekar

Bug Description

Currently image location updates (removing, replacing) are permitted for
images even if their state is not ``active``.
Glance must prevent removal and replacement of image
locations of images that are not ``active`` by returning a Conflict Error (409 response code).

WIP: https://review.openstack.org/#/c/366995/

TODO: Atomicity in glance such that, glance permits removal/replacement of
image locations on certain permissible image transition states.
For example, when the status of the image is ``deactivated`` and it
has just been moved to ``active``, removing/replacing the custom location
may be allowed.

See original description

Dharini Chandrasekar (dharini-chandrasekar) on 2016-09-09

Changed in glance:
assignee:	nobody → Dharini Chandrasekar (dharini-chandrasekar)
description:	updated

Revision history for this message

Nikhil Komawar (nikhil-komawar) wrote on 2016-09-09:

https://review.openstack.org/#/c/366995/

Changed in glance:
status:	New → Triaged
importance:	Undecided → High

OpenStack Infra (hudson-openstack) on 2016-09-13

Changed in glance:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-07: Fix merged to glance (master)

Download full text (5.7 KiB)

Reviewed: https://review.openstack.org/366995
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=4ac8adbccc2b7bbef3d53f9141079c48f9c768f4
Submitter: Jenkins
Branch: master

commit 4ac8adbccc2b7bbef3d53f9141079c48f9c768f4
Author: Nikhil Komawar <email address hidden>
Date: Wed Sep 7 17:29:41 2016 -0400

Restrict location updates to active, queued images

Currently image location updates (removing, replacing) are permitted for
images even if their state is not ``active``.

    This need is to:
     * Prevent the replacement of image locations of images that are not
       ``active`` or ``queued`` by returning a Conflict Error
        (409 response code).
     * Prevent removal of image locations of images that are not ``active``
       by returning a Conflict Error (409 response code).

    Changing of image locations when the image state is not ``active`` can
    result in bad experiences for the users.
     * If one tries to change or remove the location for an image while it
        is in ``saving`` state, Glance would be trying to write data to a
        previously saved location while the user updates the custom
        location. This results in a race condition.
     * For images that are in ``queued`` state and no image data has been
        uploaded yet, there is no need for an image location to be
        removed and permitting users to remove the image
        location can result in a bad experience. However users can be
        allowed to replace the image location to maintain backward
        compatibility and also because replacing could mean replacing an
        empty location by a non-empty image location.
    * For images in ``deactivated`` state, it is essential that image
        locations are not updated as it does not abide with the purpose of
        the image state being set to ``deactivated`` and may cause security
        concerns.

    This commit introduces the following change in behavior:
      * If an image is in ``active`` state, removing/replacing the custom
        locations on that image will be allowed so there is no change in
        behavior for this case.
      * If an image is in ``saving`` or ``deactivated``, the status of
        that image will be checked while trying to replace/remove the custom
        location and a HTTP 409 Conflict status will be returned in response
        to the user.
      * If an image is in ``queued`` state, removing the custom
        image location will not be permitted as an image in queued status
        should not have any location associated with it. Replacing of location
        may be permitted here though.
      * If an image is in ``deleted`` or ``pending_delete`` state, a HTTP
        409 Conflict status will be returned, if that image is visible to
        the user (in case of admins). Otherwise, the location cannot be
        removed/replaced anyway. Please note ``pending_delete`` is another
        form of the ``deleted`` status and behavior in either case should be
        expected to be same.
      * If an image is in ``killed`` status, a HTTP 409 Conflict status will
        be returned.

TODO:...

Reviewed:  https://review.openstack.org/366995
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=4ac8adbccc2b7bbef3d53f9141079c48f9c768f4
Submitter: Jenkins
Branch:    master

commit 4ac8adbccc2b7bbef3d53f9141079c48f9c768f4
Author: Nikhil Komawar <nik.komawar@gmail.com>
Date:   Wed Sep 7 17:29:41 2016 -0400

Restrict location updates to active, queued images
    
    Currently image location updates (removing, replacing) are permitted for
    images even if their state is not ``active``.
    
    This need is to:
     * Prevent the replacement of image locations of images that are not
       ``active`` or ``queued`` by returning a Conflict Error
        (409 response code).
     * Prevent removal of image locations of images that are not ``active``
       by returning a Conflict Error (409 response code).
    
    Changing of image locations when the image state is not ``active`` can
    result in bad experiences for the users.
     *  If one tries to change or remove the location for an image while it
        is in ``saving`` state, Glance would be trying to write data to a
        previously saved location while the user updates the custom
        location. This results in a race condition.
     *  For images that are in ``queued`` state and no image data has been
        uploaded yet, there is no need for an image location to be
        removed and permitting users to remove the image
        location can result in a bad experience. However users can be
        allowed to replace the image location to maintain backward
        compatibility and also because replacing could mean replacing an
        empty location by a non-empty image location.
    *   For images in ``deactivated`` state, it is essential that image
        locations are not updated as it does not abide with the purpose of
        the image state being set to ``deactivated`` and may cause security
        concerns.
    
    This commit introduces the following change in behavior:
      * If an image is in ``active`` state, removing/replacing the custom
        locations on that image will be allowed so there is no change in
        behavior for this case.
      * If an image is in ``saving`` or ``deactivated``, the status of
        that image will be checked while trying to replace/remove the custom
        location and a HTTP 409 Conflict status will be returned in response
        to the user.
      * If an image is in ``queued`` state, removing the custom
        image location will not be permitted as an image in queued status
        should not have any location associated with it. Replacing of location
        may be permitted here though.
      * If an image is in ``deleted`` or ``pending_delete`` state, a HTTP
        409 Conflict status will be returned, if that image is visible to
        the user (in case of admins). Otherwise, the location cannot be
        removed/replaced anyway.  Please note ``pending_delete`` is another
        form of the ``deleted`` status and behavior in either case should be
        expected to be same.
      * If an image is in ``killed`` status, a HTTP 409 Conflict status will
        be returned.
    
    TODO:
    Atomicity is required such that glance permits removal/replacement of
    image locations on certain permissible image transition states handling
    the race conditions like:
      * In case where the status of the image is ``saving`` and it
        has just moved to ```active`` status, ideally removing/replacing
        custom location should be allowed. However, due to lack of
        atomicity in setting image status glance will ignore setting the
        location and a 409 will be returned.
      * In case where the status of the image is ``deactivated`` and it
        has just been moved to ``active`` status, ideally
        removing/replacing custom location should be allowed. Again, due
        to lack of atomicity in setting image status glance will ignore
        the request and a 409 will be returned.
      * In case where the status of the image is ``active`` and it has
        just been moved to ``deactivated`` status, due to lack of
        atomicity in setting image status, glance may remove/replace
        the location on that image.
      * In case where the status of the image is ``queued`` and it has
        just been moved to ``saving`` status, due to lack of atomicity
        in setting image status, glance may replace the location for
        that image.
      * In case where the status of the image is ``active`` and location
        is attempted to be set on it, and at that point if the image goes
        into ``deleted``, ``pending_delete`` or ``killed`` status, then the
        user must get a HTTP 409 Conflict status. However due to lack of
        atomicity in setting the image status, the location may get updated.
    
    NOTE:
    This commit ensures that removal of image locations
    is not allowed for an image in any state except ``active`` and
    replacement of an image location is not allowed except for ``active``
    and ``queued`` images.
    Further work is required on the atomicity of glance to accommodate
    location updates in cases where the images would be undergoing state
    changes.
    
    Impacts:
    APIImpact
    DocImpact
    
    Credits:
    This commit message contains text and information from the commit
    message for: https://review.openstack.org/#/c/324012/
    co authored by Nikhil Komawar <nik.komawar@gmail.com>.
    
    Co-Authored-By: Nikhil Komawar <nik.komawar@gmail.com>
    Co-Authored-By: Dharini Chandrasekar <dharini.chandrasekar@intel.com>
    
    Lite-Spec: https://review.openstack.org/#/c/368192/
    Closes-Bug: 1622016
    
    Change-Id: Ic24cf8234599a32add1cb9f294f902e497d885e0

Changed in glance:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-08: Fix proposed to glance (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/408706

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-14: Fix included in openstack/glance 14.0.0.0b2

This issue was fixed in the openstack/glance 14.0.0.0b2 development milestone.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-24: Change abandoned on glance (stable/newton)

Change abandoned by Tony Breeds (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/408706
Reason: This branch (stable/newton) is at End Of Life

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.