Magnum

magnum service-list return incorrect error code

Bug #1520311 reported by hongbin on 2015-11-26

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Magnum	Fix Released	Undecided	hongbin

Bug Description

Current behavior:

$ source /opt/stack/devstack/openrc demo demo
$ magnum service-list
ERROR: Internal Server Error (HTTP 500)

The 500 error is incorrectly. It should return a 403 error because demo user is not authorized to perform this operation.

HouMing Wang (houming-wang) on 2015-12-31

Changed in magnum:
assignee:	nobody → HouMing Wang (houming-wang)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-04: Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/263219

Changed in magnum:
status:	New → In Progress

OpenStack Infra (hudson-openstack) on 2016-01-04

Changed in magnum:
assignee:	HouMing Wang (houming-wang) → hongbin (hongbin034)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-05: Related fix proposed to magnum (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/263505

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-07: Fix merged to magnum (master)

Reviewed: https://review.openstack.org/263219
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=7b754ae39087bc1b2cc5958ea10594b88436aec3
Submitter: Jenkins
Branch: master

commit 7b754ae39087bc1b2cc5958ea10594b88436aec3
Author: houming-wang <email address hidden>
Date: Mon Jan 4 02:51:54 2016 -0500

WSGI enfore fails should return 403 instead of 500

    When user is not authorized to perform operations defined in policy
    file, it should return a 403 error. The 500 error is incorrect.
    This patch do the following changes:
    1. Raise a PolicyNotAuthorized 403 exception when normal user
    without admin privilege run command 'magnum service-list'.
    2. Remove unnecessary hacking rule M301 'decorator must be
    the first decorator on a method'.
    3. Fix failed enforcement test cases introduced by 403
    PolicyNotAuthorized exception.

Change-Id: Ie5a7d138cdb8b226686c189ae86f251c0a1329c8
Closes-Bug: #1520311

Changed in magnum:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-07: Related fix merged to magnum (master)

Reviewed: https://review.openstack.org/263505
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=085631b71bcaa30176c109681285b97a76234e75
Submitter: Jenkins
Branch: master

commit 085631b71bcaa30176c109681285b97a76234e75
Author: Hongbin Lu <email address hidden>
Date: Mon Jan 4 20:01:57 2016 -0500

Fixed the incorrect policy enforcement

    In API controller, "@expose.expose" should be on top of
    "@policy.enforce_wsgi". Otherwise, the output won't have the correct
    format and status code. That is because "@expose.expose" will format
    the exception before sending the response.

    In "enforce_wsgi", use decorator module instead of "functools.wraps".
    That is because decorator is signature preserving, which is
    necessary for other decorator to work.

Also, added unit tests to ensure the correct error message and status
code will return if the request cannot pass the policy check.

Change-Id: I8b77ba95124c13dd1a46700bc60105bc7e33a579
Related-Bug: #1520311

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-08: Related fix proposed to magnum (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/265058

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-08: Related fix merged to magnum (master)

Reviewed: https://review.openstack.org/265058
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=05d9e75c034b6b46b0254de23c47a58641833b7d
Submitter: Jenkins
Branch: master

commit 05d9e75c034b6b46b0254de23c47a58641833b7d
Author: houming-wang <email address hidden>
Date: Thu Jan 7 22:36:30 2016 -0500

Add policy enforcement unittest to magnum_service

Add policy enforcement unittest for magnum_service to imporve
test coverage and code quality.

Change-Id: I9377f99a361572e985717d950e2812bf69fefb92
Related-Bug: #1520311

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-14: Related fix proposed to magnum (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/267377

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-18: Related fix merged to magnum (master)

Reviewed: https://review.openstack.org/267377
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=7ff50ef310db7a7c1db1fb6c102d9e71c4fb124d
Submitter: Jenkins
Branch: master

commit 7ff50ef310db7a7c1db1fb6c102d9e71c4fb124d
Author: houming-wang <email address hidden>
Date: Thu Jan 14 15:50:21 2016 +0800

Enable test_magnum_service_list_needs_admin

    After this patch Ie5a7d138cdb8b226686c189ae86f251c0a1329c8 was merged.
    Non-admin user do a 'magnum service-list' will raise a 403 exception.
    We can enable this test_magnum_service_list_needs_admin now.

Change-Id: Ic2a0b7c72a76e3561e9f36c801f3039971321b5b
Related-Bug: #1520311

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-10: Fix included in openstack/magnum 2.0.0

This issue was fixed in the openstack/magnum 2.0.0 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.