If non active image is shared with another project and any member from that project tries to stage data for the same then we get Internal server error from glance API.
Steps to reproduce:
1. Create image with shared visibility using below command
$ glance image-create --name stage-check --visibility shared
2. Share image with another project using below command
$ glance image-stage <IMAGE_ID_FROM_STEP_1> <PROJECT_ID>
3. Now source the credentials of project with we have shared image in stage 2
4. Stage image data using below command
$ glance image-stage <image_id> --file <path_of_data_file>
Expected Ouput: 403 HttpForbidden: You are not permitted for this operation
Actual Output:
HTTP 502 Bad Gateway: Bad Gateway: The proxy server received an invalid: response from an upstream server.: Apache/2.4.41 (Ubuntu) Server at 10.0.78.195 Port 80
Glance API logs:
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data [None req-0c2515a8-cf31-4f8e-b365-c9f5375c386d rbac-testing rbac-member] Failed to stage image data due to internal error: glance.common.exception.Forbidden: You are not permitted to modify 'status' on this image.
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data Traceback (most recent call last):
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data File "/opt/stack/glance/glance/api/v2/image_data.py", line 372, in stage
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data image.status = 'uploading'
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data File "/opt/stack/glance/glance/api/authorization.py", line 247, in forbidden
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data raise exception.Forbidden(message % {'attr': attr,
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data glance.common.exception.Forbidden: You are not permitted to modify 'status' on this image.
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data [None req-0c2515a8-cf31-4f8e-b365-c9f5375c386d rbac-testing rbac-member] Unable to restore image 30e26758-0e2d-4347-b0c0-66964f76403b: You are not permitted to modify 'status' on this image.: glance.common.exception.Forbidden: You are not permitted to modify 'status' on this image.
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data Traceback (most recent call last):
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data File "/opt/stack/glance/glance/api/v2/image_data.py", line 372, in stage
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data image.status = 'uploading'
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data File "/opt/stack/glance/glance/api/authorization.py", line 247, in forbidden
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data raise exception.Forbidden(message % {'attr': attr,
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data glance.common.exception.Forbidden: You are not permitted to modify 'status' on this image.
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data During handling of the above exception, another exception occurred:
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data Traceback (most recent call last):
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data File "/opt/stack/glance/glance/api/v2/image_data.py", line 66, in _restore
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data image.status = 'queued'
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data File "/opt/stack/glance/glance/api/authorization.py", line 247, in forbidden
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data raise exception.Forbidden(message % {'attr': attr,
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data glance.common.exception.Forbidden: You are not permitted to modify 'status' on this image.
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.api.v2.image_data
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi [None req-0c2515a8-cf31-4f8e-b365-c9f5375c386d rbac-testing rbac-member] Caught error: You are not permitted to modify 'status' on this image.: glance.common.exception.Forbidden: You are not permitted to modify 'status' on this image.
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi Traceback (most recent call last):
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/common/wsgi.py", line 1353, in __call__
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi action_result = self.dispatch(self.controller, action,
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/common/wsgi.py", line 1397, in dispatch
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi return method(*args, **kwargs)
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/common/utils.py", line 416, in wrapped
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi return func(self, req, *args, **kwargs)
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/api/v2/image_data.py", line 443, in stage
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi self._restore(image_repo, image)
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi File "/usr/local/lib/python3.8/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi self.force_reraise()
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi File "/usr/local/lib/python3.8/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi raise self.value
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/api/v2/image_data.py", line 372, in stage
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi image.status = 'uploading'
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/api/authorization.py", line 247, in forbidden
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi raise exception.Forbidden(message % {'attr': attr,
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi glance.common.exception.Forbidden: You are not permitted to modify 'status' on this image.
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: ERROR glance.common.wsgi
Aug 13 20:49:33 akekane-xena-dev <email address hidden>[1526]: [pid: 1526|app: 0|req: 19/38] 127.0.0.1 () {40 vars in 822 bytes} [Fri Aug 13 20:49:33 2021] PUT /v2/images/30e26758-0e2d-4347-b0c0-66964f76403b/stage => generated 228 bytes in 53 msecs (HTTP/1.1 500) 4 headers in 184 bytes (1 switches on core 0)
Hi @HanGuangyu,
I would like to work on this bug.
Kindly let me know If I can assign this to me.
Thanks,
Malleswari