Glance

Unexpected error in glance registry when param 'allow_anonymous_access' is True

Series liberty
Bug #1470164

Bug #1470164 reported by Alexey Galkin on 2015-06-30

This bug affects 1 person

	Status	Importance	Assigned to
Glance	Won't Fix	Undecided	Kuo-tung Kao (jelly)
Juno	Won't Fix	Undecided	Unassigned
Kilo	Won't Fix	Undecided	Unassigned
Liberty	Won't Fix	Undecided	Kuo-tung Kao (jelly)

Bug Description

Steps to reproduce:

1. Stop "glance-api" service.
2. In "glance-api.conf" set "allow_anonymous_access = True"
3. Start "glance-api" service.
4. Trying to get image-list with use v1 and without keystone "x-auth-token"

GET /v1/images HTTP/1.1
Host: 172.18.85.25:2081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

Actual result:

HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 0
Date: Tue, 30 Jun 2015 14:54:42 GMT
Connection: close

P.S: Affected all versions of glance (v1,v2,v3) if you use 'registry' backend and "use_user_token = true" in glance-api.conf (default value).

See original description

Tags:

Revision history for this message

Alexey Galkin (agalkin) wrote on 2015-06-30:

Glance-api log with traceback Edit (10.5 KiB, text/plain)

Alexey Galkin (agalkin) on 2015-06-30

description:

updated

Alexey Galkin (agalkin) on 2015-06-30

summary:	- Glance v1 not working with "allow_anonymous_access = True" + Unexpected error in glance registry when param 'allow_anonymous_access' + is True
description:	updated
description:	updated

Kuo-tung Kao (jelly) (coding1314) on 2015-07-02

Changed in glance:
assignee:	nobody → jelly (coding1314)

OpenStack Infra (hudson-openstack) on 2015-07-02

Changed in glance:
status:	New → In Progress

Revision history for this message

Kuo-tung Kao (jelly) (coding1314) wrote on 2015-07-02:

I send a patch for the bug.
https://review.openstack.org/#/c/197830/

Revision history for this message

Ian Cordasco (icordasc) wrote on 2015-07-08:

I approved these Erno. Thanks for nominating them.

Revision history for this message

Kuo-tung Kao (jelly) (coding1314) wrote on 2015-07-17:

I send a patch for the bug.
https://review.openstack.org/#/c/197830/
The way to solve the problem is the same way used for sloving glance-api anonymous access problem.
See https://github.com/openstack/glance/commit/2e9a467dc822aa1175dc08b5ea12d363b9a04ffe

Revision history for this message

Kuo-tung Kao (jelly) (coding1314) wrote on 2015-07-17:

When you enable "allow_anonymous_access = True" in glance-api.conf, but not enable "allow_anonymous_access = True", and there are "delay_auth_decision = true" in glance-registry-paste.ini , the glance-api will raise exception like below.

  File "/opt/stack/glance/glance/common/wsgi.py", line 881, in __call__
    request, **action_args)
  File "/opt/stack/glance/glance/common/wsgi.py", line 905, in dispatch
    return method(*args, **kwargs)
  File "/opt/stack/glance/glance/api/v1/images.py", line 325, in index
    images = registry.get_images_list(req.context, **params)
  File "/opt/stack/glance/glance/registry/client/v1/api.py", line 150, in get_images_list
    return c.get_images(**kwargs)
  File "/opt/stack/glance/glance/registry/client/v1/client.py", line 106, in get_images
    res = self.do_request("GET", "/images", params=params)
  File "/opt/stack/glance/glance/registry/client/v1/client.py", line 136, in do_request
    'exc_name': exc_name})
  File "/usr/local/lib/python2.7/dist-packages/oslo_utils/excutils.py", line 85, in __exit__
    six.reraise(self.type_, self.value, self.tb)
  File "/opt/stack/glance/glance/registry/client/v1/client.py", line 121, in do_request
    **kwargs)
  File "/opt/stack/glance/glance/common/client.py", line 74, in wrapped
    return func(self, *args, **kwargs)
  File "/opt/stack/glance/glance/common/client.py", line 377, in do_request
    headers=copy.deepcopy(headers))
  File "/opt/stack/glance/glance/common/client.py", line 88, in wrapped
    return func(self, method, url, body, headers)
  File "/opt/stack/glance/glance/common/client.py", line 519, in _do_request
    raise exception.NotAuthenticated(res.read())
NotAuthenticated: 401 Unauthorized

Revision history for this message

Kuo-tung Kao (jelly) (coding1314) wrote on 2015-07-17:

When you enable "allow_anonymous_access = True" in glance-api.conf, but not enable "allow_anonymous_access = True", and there are not "delay_auth_decision = true" in glance-registry-paste.ini , the glance-api will raise exception like above.

Revision history for this message

Kuo-tung Kao (jelly) (coding1314) wrote on 2015-09-30:

I tested the bug in the latest glance code(git commit id: 04776634a2d5e33cac4363c06b8da6a78b055803).
And set "allow_anonymous_access" to ture.

I found All thing worked fine.
The bug seems to be fixed by other commit.

I use the command to get images.
curl http://localhost:9292/v2.0/images

Revision history for this message

Sabari Murugesan (smurugesan) wrote on 2015-09-30:

@jelly: Can we close the bug then ?

Revision history for this message

Kuo-tung Kao (jelly) (coding1314) wrote on 2015-10-01:

＠Sabari If someone check it again and find the bug has gone, just close it.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-01: Change abandoned on glance (master)

#10

Change abandoned by Kuo-tung Kao (<email address hidden>) on branch: master
Review: https://review.openstack.org/197830
Reason: It seems the bug had been fixed by other commit accidentally