Glance

Cinder store migration will fail if first GET'er is not the owner

Series wallaby
Bug #1932337

Bug #1932337 reported by Dan Smith on 2021-06-17

This bug affects 1 person

	Status	Importance	Assigned to
Glance	Fix Released	Undecided	Unassigned
Wallaby	Confirmed	Undecided	Unassigned
Xena	Fix Released	Undecided	Unassigned

Bug Description

During an upgrade to Xena, cinder-backed image locations are migrated to include the store name in the URL field. This is lazily done on the first GET of the image. The problem is that the first user to GET an image after the migration may not be an admin or the owner of the image, as would be the case for a public or shared image. If that happens, the user gets a 404 for a valid image because the DB layer refuses the modify operation. This is logged:

2021-06-17 08:50:06,559 WARNING [glance.db.sqlalchemy.api] Attempted to modify image user did not own.

The lazy migration code needs to tolerate this and allow someone else to perform the migration without breaking non-owner GET operations until the migration is complete.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-17: Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/glance/+/796885

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-17:

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/glance/+/796887

Changed in glance:
status:	New → In Progress

Revision history for this message

Abhishek Kekane (abhishek-kekane) wrote on 2021-06-17:

Need to backport this to stable/wallaby branch as well.

Changed in glance:
status:	In Progress → Confirmed

Revision history for this message

Abhishek Kekane (abhishek-kekane) wrote on 2021-06-17:

I think this issue is not specific to cinder-glance driver but with other drivers as well.

OpenStack Infra (hudson-openstack) on 2021-06-29

Changed in glance:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-09-14: Fix merged to glance (master)

Reviewed: https://review.opendev.org/c/openstack/glance/+/796885
Committed: https://opendev.org/openstack/glance/commit/b55dbb28c644f84165d57b9346cbe8b34a0c731d
Submitter: "Zuul (22348)"
Branch: master

commit b55dbb28c644f84165d57b9346cbe8b34a0c731d
Author: Dan Smith <email address hidden>
Date: Thu Jun 17 08:53:36 2021 -0700

Reproduce bug #1932337

    This reproduces the behavior described in bug 1932337, where a post-
    upgrade GET by a non-owning user will return an error for a valid image
    because the cinder store migration cannot complete.

This asserts the broken behavior to reproduce the problem, and the
rest of the test will be enabled when the bug is fixed.

    Note that the test for this was duplicating code from the base class,
    and since some changes were needed to those methods, this removes the
    duplication and modifies only the base.

Change-Id: I741e6377b3aa40c14d637f0fbdf396dc468f6ebd

Changed in glance:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-09-14:

Reviewed: https://review.opendev.org/c/openstack/glance/+/796887
Committed: https://opendev.org/openstack/glance/commit/ee1849714e4164a5b8897318aeb103eaa0de0258
Submitter: "Zuul (22348)"
Branch: master

commit ee1849714e4164a5b8897318aeb103eaa0de0258
Author: Dan Smith <email address hidden>
Date: Thu Jun 17 08:58:36 2021 -0700

Fix failed cinder store migration for non-owners

    This fixes the bug related to cinder store migration being unable to
    complete if a non-owner, non-admin user GETs the image before one of
    the authorized users has triggered the lazy migration.

Change-Id: I187f626816ef1bc7303251165d2282bf6985cfd1
Closes-Bug: #1932337

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-09-16: Fix included in openstack/glance 23.0.0.0rc1

This issue was fixed in the openstack/glance 23.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.