'upload-image' policy blocks the image-import API

Bug #1732141 reported by Bhagyashri Shewale
Affects: Glance
Importance: Critical
Assigned to: Bhagyashri Shewale

Bug Description

There are two methods to create images:-

Method A)
POST /v2/images
PUT /v2/images/{image_id}/file

Method B)
POST /v2/images
PUT /v2/images/{image_id}/stage
POST /v2/images/{image_id}/import

The Glance community has a long-term plan to restrict normal users from using Method A to create images.

The traditional image upload API (PUT /v2/images/{image_id}/file) uses the 'upload-image' policy, which is the same policy used by the Method B (POST /v2/images/{image_id}/import) image-create-via-import API (the new API for image creation).

If the Glance community restricts the traditional Method A (image upload) for normal users, it will also impact the Method B (POST /v2/images/{image_id}/import) image-import call, so normal users won't be able to import images using image-create-via-import (the new API for image creation).

'upload-image' and 'import image' share the same policy.

Steps to reproduce:

Case 1: Restrict the normal user to upload-image

1. Modify the /etc/glance/policy.json

        "upload_image": "role:demo",

2. Create the image

    $ glance image-create --name test --property test=tyest --file spec_and_blueprint_content.txt --container-format bare --disk-format qcow2
  +------------------+--------------------------------------+
  | Property | Value |
  +------------------+--------------------------------------+
  | checksum | None |
  | container_format | bare |
  | created_at | 2017-11-13T07:02:41Z |
  | disk_format | qcow2 |
  | id | d719c5fb-4907-4b8d-b219-18a2743b82b6 |
  | min_disk | 0 |
  | min_ram | 0 |
  | name | test |
  | owner | d2b9f7372d2e481ca13a16bd526f9f14 |
  | protected | False |
  | size | None |
  | status | queued |
  | tags | [] |
  | test | tyest |
  | updated_at | 2017-11-13T07:02:41Z |
  | virtual_size | None |
  | visibility | shared |
  +------------------+--------------------------------------+
  403 Forbidden: Not allowed to upload image data for image d719c5fb-4907-4b8d-b219-18a2743b82b6: You are not authorized to complete upload_image action. (HTTP 403)

Case 2: Now a normal user wants to create the image using the image-create-via-import API, but the import is not allowed because of the policy set in the first case.

    $ glance image-create-via-import --name test --file spec_and_blueprint_content.txt --container-format bare --disk-format raw --property os_distro=xyz
  +------------------+--------------------------------------+
  | Property | Value |
  +------------------+--------------------------------------+
  | checksum | None |
  | container_format | bare |
  | created_at | 2017-11-13T07:23:25Z |
  | disk_format | raw |
  | id | 7e0bc1c4-7024-43cb-b75c-2a5629f8ded9 |
  | min_disk | 0 |
  | min_ram | 0 |
  | name | test |
  | os_distro | xyz |
  | owner | d2b9f7372d2e481ca13a16bd526f9f14 |
  | protected | False |
  | size | None |
  | status | queued |
  | tags | [] |
  | updated_at | 2017-11-13T07:23:25Z |
  | virtual_size | None |
  | visibility | shared |
  +------------------+--------------------------------------+
  403 Forbidden: Not allowed to upload image data for image 7e0bc1c4-7024-43cb-b75c-2a5629f8ded9: You are not authorized to complete upload_image action. (HTTP 403)

So to overcome this, we will need to add a separate policy for image import in policy.json.

Changed in glance:
assignee: nobody → Bhagyashri Shewale (bhagyashri-shewale)
description: updated
Changed in glance:
status: New → Confirmed
importance: Undecided → High
Changed in glance:
milestone: none → queens-2
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/524060

Changed in glance:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/525578

Brian Rosmaita (brian-rosmaita) wrote :

Rescheduling to Q-3 and upping the Importance to Critical.

Changed in glance:
importance: High → Critical
milestone: queens-2 → queens-3
Brian Rosmaita (brian-rosmaita) wrote :

Rescheduling to Queens because the policy code requires some discussion and consensus.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on glance (master)

Change abandoned by Bhagyashri Shewale (<email address hidden>) on branch: master
Review: https://review.openstack.org/525578

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/524060
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=89feef0e2f2d327e8efd4cc768aaced72c54838c
Submitter: Zuul
Branch: master

commit 89feef0e2f2d327e8efd4cc768aaced72c54838c
Author: bhagyashris <email address hidden>
Date: Tue Nov 21 12:55:50 2017 +0530

    Move 'upload_image' policy check to the controller

    There are two methods to create images:-

    Method A)
    POST /v2/images
    PUT /v2/images/{image_id}/file

    Method B)
    POST /v2/images
    PUT /v2/images/{image_id}/stage
    POST /v2/images/{image_id}/import

    The traditional image upload API (PUT /v2/images/{image_id}/file)
    uses 'upload_image' policy which is same for
    Method B (POST /v2/images/{image_id}/import)
    image-create-via-import(new API for image create) API.

    The long term goal is to make users use method B to create images
    and cross services to use Method A until changes are made to
    use Method B.
    To restrict normal users from using Method A to create images both
    these APIs (/v2/images/{image_id}/file and /v2/images/{image_id}/import)
    should have a distinct policy.

    This patch moves the 'upload_image' policy check from image.set_data()
    to the controller and does not introduce any new policies at this point
    for the import API call (POST /v2/images/{image_id}/import)
    on the theory that an operator can stop import by restricting the
    'image_create' policy. And also this fix will not change the semantics
    of the 'upload_image' policy from the operator perspective.

    Closes-Bug: #1732141
    Change-Id: Icc62add5f8d48549aac94c8058d66d6b77b56d41

Changed in glance:
status: In Progress → Fix Released
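
The following is an added illustration, not Glance source code and not part of the merged change: a simplified model of why a policy check inside the shared data-write method blocked both APIs, and how moving it to the upload controller separates them. All class, function and role names are hypothetical, and the model assumes the import path writes image data through the same set_data() call.

```python
# Simplified model of the behaviour in this report; not Glance source code.
# Class, function and role names below are hypothetical.

class Forbidden(Exception):
    pass

class Enforcer:
    """Maps a policy action to the single role allowed to perform it."""
    def __init__(self, rules):
        self.rules = rules  # e.g. {"upload_image": "demo"}; unlisted = allow all

    def enforce(self, roles, action):
        required = self.rules.get(action)
        if required is not None and required not in roles:
            raise Forbidden(f"not authorized to complete {action} action")

class Image:
    """Domain object; in the 'before' layout it guards its own data writes."""
    def __init__(self, enforcer, roles, check_in_set_data):
        self.enforcer, self.roles = enforcer, roles
        self.check_in_set_data = check_in_set_data
        self.data = None

    def set_data(self, data):
        if self.check_in_set_data:            # before the fix
            self.enforcer.enforce(self.roles, "upload_image")
        self.data = data

def upload(image, data, check_in_controller):
    """PUT /v2/images/{image_id}/file"""
    if check_in_controller:                   # after the fix
        image.enforcer.enforce(image.roles, "upload_image")
    image.set_data(data)

def import_image(image, staged):
    """POST /v2/images/{image_id}/import: assumed to end in set_data()."""
    image.set_data(staged)

def outcome(fixed, roles):
    """Return which of the two calls succeed for a user holding `roles`."""
    enforcer = Enforcer({"upload_image": "demo"})   # the Case 1 policy rule
    result = {}
    for name in ("upload", "import"):
        image = Image(enforcer, roles, check_in_set_data=not fixed)
        try:
            if name == "upload":
                upload(image, b"x", check_in_controller=fixed)
            else:
                import_image(image, b"x")
            result[name] = "ok"
        except Forbidden:
            result[name] = "403"
    return result
```

Calling outcome(False, ["member"]) reproduces Case 1 and Case 2 together; outcome(True, ["member"]) shows upload still denied while import proceeds.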
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance 16.0.0.0b3

This issue was fixed in the openstack/glance 16.0.0.0b3 development milestone.
