Updating an image as demo user logs user out

Bug #955744 reported by Anthony Young on 2012-03-15
Affects: OpenStack Dashboard (Horizon)
Importance: Critical
Assigned to: Gabriel Hurley

Bug Description

Steps to reproduce:

> (run devstack)
> Click "Images and Snapshots"
> Click "Edit" on cirros image
> Click "Save"

Expected:

Either don't show the edit button, or show a flash informing me that I'm not authorized.

Actual:

Error: Unable to update image "43745b00-51c5-46b5-8d66-db865d7c8eae".

And then I'm logged out: http://stsh.me/1Ps

Devin Carlen (devcamcar) on 2012-03-15
Changed in horizon:
status: New → Confirmed
tags: added: essex-rc-potential
Changed in horizon:
importance: Undecided → Critical
Changed in horizon:
milestone: none → essex-rc1
Gabriel Hurley (gabriel-hurley) wrote :

It's worse than that. Even as an admin user (with a username that matches the "owner" attribute on the image) I'm getting logged out. This is serious enough to be a blocker for the RC.

Changed in horizon:
assignee: nobody → Gabriel Hurley (gabriel-hurley)
status: Confirmed → In Progress
Gabriel Hurley (gabriel-hurley) wrote :

I've added glance to this bug report because the deeper issue here is that Glance is sending back a Forbidden response without any message indicating why the action was forbidden, lending no help to either end users or developers as to what can be done to correct or improve upon the situation.

Brian Waldon (bcwaldon) wrote :

I'm not sure how to treat this differently in Glance. I'm assuming you're getting a 403 because you're attempting to edit a public image you don't own. However, it is odd that an admin user is seeing the same behavior. I'll look into what's up with that.

Brian Waldon (bcwaldon) wrote :

I can't reproduce the inability of the owner to edit the image. Looking at the code, it doesn't appear that admins can edit every image, but that's a different scenario.

Gabriel Hurley (gabriel-hurley) wrote :

It turns out:

  1. glance scopes image ownership to the tenant name, not the tenant id, the user id, or even the user name, which is what horizon is checking. Bug here: https://bugs.launchpad.net/glance/+bug/950364

  2. glance fails to respect the admin context and thus tries to use the scoped tenant to authorize the request, even if the user is an admin. (bug forthcoming from bcwaldon)

  3. the glance client fails to differentiate between 401 and 403 status codes (bug here: https://bugs.launchpad.net/glance/+bug/956513) so while logging the user out is appropriate behavior for a 401 and *not* for a 403, horizon isn't given the proper data to take the correct action.
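The ownership and 401-versus-403 points above, as an added example that is not code from Horizon or Glance (every class and function name is hypothetical): ownership is compared by tenant id, a 403 keeps the session and surfaces the server's message, and only a 401 ends the session.

```python
# Added illustration, not code from Horizon or Glance; every name is hypothetical.
from dataclasses import dataclass

class ClientError(Exception):
    """Base class for HTTP errors returned by the image service."""

class Unauthorized(ClientError):
    """401: the token is missing, expired or invalid, so re-authentication is needed."""

class Forbidden(ClientError):
    """403: the token is valid but the caller may not perform this action."""

def raise_for_status(status, body):
    """Map a response to a distinct exception instead of folding 403 into 401."""
    if status == 401:
        raise Unauthorized(body or "Authentication required")
    if status == 403:
        raise Forbidden(body or "Not authorized to perform this action")
    if status >= 400:
        raise ClientError(body or f"HTTP {status}")

@dataclass
class Image:
    id: str
    owner: str  # the owning tenant's id, as stored by the image service

def can_edit(image, tenant_id, is_admin):
    """Admins may edit any image; others only their tenant's images. Compare ids, not names."""
    return is_admin or image.owner == tenant_id

def handle_update_response(status, body):
    """Return the dashboard action: end the session only on 401, otherwise show the message."""
    try:
        raise_for_status(status, body)
    except Unauthorized as exc:
        return ("logout", str(exc))
    except ClientError as exc:  # Forbidden and any other 4xx/5xx keep the session
        return ("error_message", str(exc))
    return ("success", body)

def attempt_image_update(image, token_valid, tenant_id, is_admin):
    """Simulate the service's decision and the dashboard's reaction (constructed scenario)."""
    if not token_valid:
        status, body = 401, "Token is invalid or expired"
    elif not can_edit(image, tenant_id, is_admin):
        status, body = 403, f"Tenant {tenant_id} does not own image {image.id}"
    else:
        status, body = 200, "updated"
    return handle_update_response(status, body)
```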

Gabriel Hurley (gabriel-hurley) wrote :
Brian Waldon (bcwaldon) wrote :

Untargeting glance as we have separate bugs filed.

no longer affects: glance
Thierry Carrez (ttx) on 2012-03-19
tags: removed: essex-rc-potential

Reviewed: https://review.openstack.org/5549
Committed: http://github.com/openstack/horizon/commit/2a51171517de2890d26130225a60901827fdfd51
Submitter: Jenkins
Branch: master

commit 2a51171517de2890d26130225a60901827fdfd51
Author: Gabriel Hurley <email address hidden>
Date: Mon Mar 19 18:49:01 2012 -0700

    Corrects glance image action permissions.

      * Admins have full permissions to edit and delete images
        from syspanel, plus Glance's client returns a proper
        403 error instead of 401, so inappropriate access no longer
        logs the user out inappropriately. Fixes bug 955744.
      * Regular users can edit and delete if their tenant owns the
        image. Fixes bug 950364 and fixes bug 737360.

    Note, this requires the latest version of Glance.

    Change-Id: Ib816d7e6e1320a9024c5dbe95b04249291ec0463

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-03-20
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in horizon:
milestone: essex-rc1 → 2012.1