OpenStack Compute (Nova)

nova does not handle glance_exception.Forbidden

Reported by Anthony Young on 2012-03-26
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Medium
Anthony Young

Bug Description

Nova does not correctly handle glance not-authorized errors, so nova image-list gives a 500 under these conditions.

Step to reproduce:

> run devstack
> modify glance/etc/policy.json so that all calls will be unauthorized: "default": [["role:asd"]]
> nova image-list

Expected:

An Unauthorized message

Actual:

{"computeFault": {"message": "The server has either erred or is incapable of performing the requested operation.", "code": 500}}
ERROR: The server has either erred or is incapable of performing the requested operation. (HTTP 500)

n-api:

nova.api.openstack): TRACE: File "/opt/stack/nova/nova/api/openstack/compute/images.py", line 201, in detail
(nova.api.openstack): TRACE: **page_params)
(nova.api.openstack): TRACE: File "/opt/stack/nova/nova/image/glance.py", line 176, in detail
(nova.api.openstack): TRACE: for image_meta in image_metas:
(nova.api.openstack): TRACE: File "/opt/stack/nova/nova/image/glance.py", line 208, in _fetch_images
(nova.api.openstack): TRACE: _reraise_translated_exception()
(nova.api.openstack): TRACE: File "/opt/stack/nova/nova/image/glance.py", line 206, in _fetch_images
(nova.api.openstack): TRACE: images = fetch_func(**kwargs)
(nova.api.openstack): TRACE: File "/opt/stack/glance/glance/client.py", line 76, in get_images_detailed
(nova.api.openstack): TRACE: res = self.do_request("GET", "/images/detail", params=params)
(nova.api.openstack): TRACE: File "/opt/stack/glance/glance/common/client.py", line 58, in wrapped
(nova.api.openstack): TRACE: return func(self, *args, **kwargs)
(nova.api.openstack): TRACE: File "/opt/stack/glance/glance/common/client.py", line 420, in do_request
(nova.api.openstack): TRACE: headers=headers)
(nova.api.openstack): TRACE: File "/opt/stack/glance/glance/common/client.py", line 75, in wrapped
(nova.api.openstack): TRACE: return func(self, method, url, body, headers)
(nova.api.openstack): TRACE: File "/opt/stack/glance/glance/common/client.py", line 538, in _do_request
(nova.api.openstack): TRACE: raise exception.Forbidden(res.read())
(nova.api.openstack): TRACE: Forbidden: You are not authorized to complete this action.
(nova.api.openstack): TRACE: Details: 403 Forbidden
(nova.api.openstack): TRACE:
(nova.api.openstack): TRACE: Access was denied to this resource.
(nova.api.openstack): TRACE:
(nova.api.openstack): TRACE:
(nova.api.openstack): TRACE:

Download full text (5.8 KiB)

Ugh, this is because we are working around the issue. The client used to raise:
488 if exc_type in (glance_exception.NotAuthorized,
489 glance_exception.MissingCredentialError):

Seems like an additional line in nova/image/glance.py above adding in glance_exception.Forbidden should fix that.

Vish

On Mar 26, 2012, at 10:58 AM, Anthony Young wrote:

> Public bug reported:
>
> Nova does not correctly handle glance not-authorized errors, so nova
> image-list gives a 500 under these conditions.
>
> Step to reproduce:
>
>> run devstack
>> modify glance/etc/policy.json so that all calls will be unauthorized: "default": [["role:asd"]]
>> nova image-list
>
> Expected:
>
> An Unauthorized message
>
> Actual:
>
> {"computeFault": {"message": "The server has either erred or is incapable of performing the requested operation.", "code": 500}}
> ERROR: The server has either erred or is incapable of performing the requested operation. (HTTP 500)
>
>
> n-api:
>
>
> nova.api.openstack): TRACE: File "/opt/stack/nova/nova/api/openstack/compute/images.py", line 201, in detail
> (nova.api.openstack): TRACE: **page_params)
> (nova.api.openstack): TRACE: File "/opt/stack/nova/nova/image/glance.py", line 176, in detail
> (nova.api.openstack): TRACE: for image_meta in image_metas:
> (nova.api.openstack): TRACE: File "/opt/stack/nova/nova/image/glance.py", line 208, in _fetch_images
> (nova.api.openstack): TRACE: _reraise_translated_exception()
> (nova.api.openstack): TRACE: File "/opt/stack/nova/nova/image/glance.py", line 206, in _fetch_images
> (nova.api.openstack): TRACE: images = fetch_func(**kwargs)
> (nova.api.openstack): TRACE: File "/opt/stack/glance/glance/client.py", line 76, in get_images_detailed
> (nova.api.openstack): TRACE: res = self.do_request("GET", "/images/detail", params=params)
> (nova.api.openstack): TRACE: File "/opt/stack/glance/glance/common/client.py", line 58, in wrapped
> (nova.api.openstack): TRACE: return func(self, *args, **kwargs)
> (nova.api.openstack): TRACE: File "/opt/stack/glance/glance/common/client.py", line 420, in do_request
> (nova.api.openstack): TRACE: headers=headers)
> (nova.api.openstack): TRACE: File "/opt/stack/glance/glance/common/client.py", line 75, in wrapped
> (nova.api.openstack): TRACE: return func(self, method, url, body, headers)
> (nova.api.openstack): TRACE: File "/opt/stack/glance/glance/common/client.py", line 538, in _do_request
> (nova.api.openstack): TRACE: raise exception.Forbidden(res.read())
> (nova.api.openstack): TRACE: Forbidden: You are not authorized to complete this action.
> (nova.api.openstack): TRACE: Details: 403 Forbidden
> (nova.api.openstack): TRACE:
> (nova.api.openstack): TRACE: Access was denied to this resource.
> (nova.api.openstack): TRACE:
> (nova.api.openstack): TRACE:
> (nova.api.openstack): TRACE:
>
> ** Affects: nova
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to
> OpenStack Compute (nova).
> https://bugs.launchpad.net/bugs/965540
>
> Title:
> nova does not handle glance_exception.Forbidden
>
> Status in...

Read more...

Changed in nova:
assignee: nobody → Anthony Young (sleepsonthefloor)

Fix proposed to branch: master
Review: https://review.openstack.org/5838

Changed in nova:
status: New → In Progress
Changed in nova:
importance: Undecided → Medium
milestone: none → essex-rc2
tags: added: essex-rc-potential

Reviewed: https://review.openstack.org/5838
Committed: http://github.com/openstack/nova/commit/42585a3b2559329f0e563bcd04ff6c8c19115439
Submitter: Jenkins
Branch: master

commit 42585a3b2559329f0e563bcd04ff6c8c19115439
Author: Anthony Young <email address hidden>
Date: Mon Mar 26 14:50:17 2012 -0700

    Handle Forbidden and NotAuthenticated glance exc.

     * Remove references to deprecated NotAuthorized exception
     * Handle Forbidden and NotAuthenticated
     * Fixes bug 965540

    Change-Id: Ib5eef3015239e0fafdb01c975a0f5d553f70519e

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-03-27
tags: removed: essex-rc-potential

Reviewed: https://review.openstack.org/5880
Committed: http://github.com/openstack/nova/commit/10f6a4297721b1f4ee3689835da52655efdf98b5
Submitter: Jenkins
Branch: milestone-proposed

commit 10f6a4297721b1f4ee3689835da52655efdf98b5
Author: Anthony Young <email address hidden>
Date: Mon Mar 26 14:50:17 2012 -0700

    Handle Forbidden and NotAuthenticated glance exc.

     * Remove references to deprecated NotAuthorized exception
     * Handle Forbidden and NotAuthenticated
     * Fixes bug 965540

    Change-Id: Ib5eef3015239e0fafdb01c975a0f5d553f70519e

Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-rc2 → 2012.1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers