CFN API policy denial returns 500 response

Bug #1291079 reported by Steven Hardy on 2014-03-11
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Heat
Fix Released
Medium
Steven Hardy

Bug Description

E.g testing via heat-boto:

/usr/bin/heat-boto -d list

results in:

2014-03-11 22:22:56.568 DEBUG routes.middleware [-] Match dict: {'action': u'list', 'controller': <heat.common.wsgi.Resource object at 0x3359090>} from (pid=19951) __call__ /usr/lib/python2.7/site-packages/Routes-1.12.3-py2.7.egg/routes/middleware.py:103
2014-03-11 22:22:56.568 DEBUG heat.openstack.common.policy [req-7b30e80d-5d92-4bbc-b5dd-e55e6d4786fa None 5721ecfc374d4f249a9aa801255cc102-ua1] Rule cloudformation:ListStacks will be now enforced from (pid=19951) enforce /opt/stack/heat/heat/openstack/common/policy.py:251
2014-03-11 22:22:56.569 DEBUG root [-] XML response : <ErrorResponse><Error><Message>User is not authorized to perform action:Action ListStacks not allowed for user</Message><Code>AccessDenied</Code><Type>Sender</Type></Error></ErrorResponse> from (pid=19951) to_xml /opt/stack/heat/heat/common/wsgi.py:619

in the api-cfn log, but boto sees a 500:

DEBUG:Received 500 response. Retrying in 1.0 seconds
Traceback (most recent call last):
  File "/usr/bin/heat-boto", line 693, in <module>
    main()
  File "/usr/bin/heat-boto", line 680, in main
    result = cmd(opts, args)
  File "/usr/lib/python2.7/site-packages/heat_cfnclient/utils.py", line 32, in wrapper
    ret = func(*arguments, **kwargs)
  File "/usr/bin/heat-boto", line 407, in stack_list
    result = c.list_stacks()
  File "/usr/lib/python2.7/site-packages/heat_cfnclient/boto_client.py", line 34, in list_stacks
    return super(BotoClient, self).list_stacks()
  File "/usr/lib/python2.7/site-packages/boto/cloudformation/connection.py", line 354, in list_stacks
    [('member', StackSummary)])
  File "/usr/lib/python2.7/site-packages/boto/connection.py", line 1127, in get_list
    response = self.make_request(action, params, path, verb)
  File "/usr/lib/python2.7/site-packages/boto/connection.py", line 1073, in make_request
    return self._mexe(http_request)
  File "/usr/lib/python2.7/site-packages/boto/connection.py", line 986, in _mexe
    raise BotoServerError(response.status, response.reason, body)
boto.exception.BotoServerError: BotoServerError: 500 Internal Server Error
None

Steven Hardy (shardy) wrote :

To clarify, the above happens when heat-boto is provided a keypair associated with a user who has the heat_stack_user role (which is denied ListStacks access in the policy.json)

Changed in heat:
assignee: nobody → Steven Hardy (shardy)
Steve Baker (steve-stevebaker) wrote :

This should be a 403?

Steven Hardy (shardy) wrote :

> This should be a 403?

Yeah, which results in a more informative error message via boto

Changed in heat:
status: New → Triaged
importance: Undecided → Medium

Related fix proposed to branch: master
Review: https://review.openstack.org/86278

Changed in heat:
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/86280

Reviewed: https://review.openstack.org/86278
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=15892aac16e7fad9851c4d64f19ad02e02dedd17
Submitter: Jenkins
Branch: master

commit 15892aac16e7fad9851c4d64f19ad02e02dedd17
Author: Steven Hardy <email address hidden>
Date: Wed Apr 9 11:24:45 2014 +0100

    Add missing test coverage for XMLResponseSerializer

    Currently we have no direct coverage of this, so add some tests
    prior to refactoring in a subsequent patch.

    Change-Id: I20242e60b84f9265cdc7afef2deabee8235e287c
    Related-Bug: #1291079

Reviewed: https://review.openstack.org/86279
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=ba48137e24b20bc8f1b42ee4d27343d1b9f101f3
Submitter: Jenkins
Branch: master

commit ba48137e24b20bc8f1b42ee4d27343d1b9f101f3
Author: Steven Hardy <email address hidden>
Date: Tue Apr 8 16:53:16 2014 +0100

    Refactor to separate serializers from wsgi controller

    Remove the serializers from heat.common.wsgi, so we break the
    circular import which happens if you want to import
    heat.api.aws.exceptions to do a determination based on exception
    type, which is required to avoid the faultwrap exception disguise
    which is not applicable to the CFN API.

    Partial-Bug: #1291079

    Change-Id: I7498d78f8ec6098b28fb183eaaa04aa81fced3eb

Changed in heat:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/86280
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=31d18df40354f50f4eb7ab14a6a6e67e1d480fd6
Submitter: Jenkins
Branch: master

commit 31d18df40354f50f4eb7ab14a6a6e67e1d480fd6
Author: Steven Hardy <email address hidden>
Date: Wed Apr 9 10:43:51 2014 +0100

    Don't disguise CFN API exceptions

    The exception disguise wrapper is for the native API which uses
    the faultwrap filter to process the response. For HeatAPIException
    subclasses (which are only raised by the CFN/CW API's) we need to
    raise the unwrapped exception or the client sees a 500 response.

    Change-Id: Iebfbc76d5cb26aa9ee61c5192d7fecc596aa83b9
    Closes-Bug: #1291079

Thierry Carrez (ttx) on 2014-06-11
Changed in heat:
milestone: none → juno-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-10-16
Changed in heat:
milestone: juno-1 → 2014.2
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers