Glance doesn't send correctly authorization request to Oslo policy
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Glance |
Fix Released
|
High
|
Cyril Roelandt | ||
oslo.policy |
Fix Released
|
Low
|
Doug Hellmann |
Bug Description
We have an OpenStack/Mitaka installed with Keystone, Nova and Glance.
In /etc/glance/
...
"add_image": "http://
"delete_image": "http://
"get_image": "http://
"get_images": "http://
"modify_image": "http://
...
Then, when we run:
$ openstack image list
+------
| ID | Name | Status |
+------
| 6e31cdd2-
+------
with no problem, but if we run:
$ openstack image create --disk-format qcow2 --file /vagrant/
400 Bad Request
cannot deepcopy this pattern object
(HTTP 400)
The Oslo_Policy code doesn't raise an error but stop when trying to deepcopying the target variable in oslo.policy/
2017-09-25 12:48:16.044 16600 DEBUG oslo_policy.
2017-09-25 12:48:16.047 16600 DEBUG oslo_policy.policy [req-e98eef44-
2017-09-25 12:48:16.075 16600 DEBUG glance.
2017-09-25 12:48:16.084 16600 INFO eventlet.
An other problem is that we have not enough information in the target variable (in oslo.policy/
We believe that this is due to the Glance part since it doesn't well prepare the authorization request (body) to Oslo policy.
Changed in glance: | |
assignee: | nobody → Cyril Roelandt (cyril-roelandt) |
importance: | Undecided → High |
milestone: | none → queens-2 |
status: | New → In Progress |
Looking at the code from oslo_policy/ _checks. py, three things come to mind:
1) copy.deepcopy is called on a glance. api.policy. ImageTarget, and this class does not seem to define a __deepcopy__ method, which we might want to add since deep copying seems tricky. api.policy. ImageTarget object, and that is definitely not going to work, since this is not a dict, and no keys() method is defined.
2) the keys() method is called on the glance.
3) jsonutils.dumps() is called on temp_target, which may not be JSON-serializable.
I'm not sure whether these issues should be fixed by modifying the ImageTarget class, or whether we should actually pass a dict to oslo.policy. If we want to fix the ImageTarget class, we should probably start with something along those lines: http:// paste.debian. net/989066/
Does anyone know how this feature is supposed to work? Has it ever worked?