Ugh, this is because we are working around the issue.  The client used to raise:
488     if exc_type in (glance_exception.NotAuthorized,
489                     glance_exception.MissingCredentialError):

Seems like an additional line in nova/image/glance.py above adding in glance_exception.Forbidden should fix that.

Vish

On Mar 26, 2012, at 10:58 AM, Anthony Young wrote:

> Public bug reported:
> 
> Nova does not correctly handle glance not-authorized errors, so nova
> image-list gives a 500 under these conditions.
> 
> Step to reproduce:
> 
>> run devstack
>> modify glance/etc/policy.json so that all calls will be unauthorized:  "default": [["role:asd"]]
>> nova image-list
> 
> Expected:
> 
> An Unauthorized message
> 
> Actual:
> 
> {"computeFault": {"message": "The server has either erred or is incapable of performing the requested operation.", "code": 500}}
> ERROR: The server has either erred or is incapable of performing the requested operation. (HTTP 500)
> 
> 
> n-api:
> 
> 
> nova.api.openstack): TRACE:   File "/opt/stack/nova/nova/api/openstack/compute/images.py", line 201, in detail
> (nova.api.openstack): TRACE:     **page_params)
> (nova.api.openstack): TRACE:   File "/opt/stack/nova/nova/image/glance.py", line 176, in detail
> (nova.api.openstack): TRACE:     for image_meta in image_metas:
> (nova.api.openstack): TRACE:   File "/opt/stack/nova/nova/image/glance.py", line 208, in _fetch_images
> (nova.api.openstack): TRACE:     _reraise_translated_exception()
> (nova.api.openstack): TRACE:   File "/opt/stack/nova/nova/image/glance.py", line 206, in _fetch_images
> (nova.api.openstack): TRACE:     images = fetch_func(**kwargs)
> (nova.api.openstack): TRACE:   File "/opt/stack/glance/glance/client.py", line 76, in get_images_detailed
> (nova.api.openstack): TRACE:     res = self.do_request("GET", "/images/detail", params=params)
> (nova.api.openstack): TRACE:   File "/opt/stack/glance/glance/common/client.py", line 58, in wrapped
> (nova.api.openstack): TRACE:     return func(self, *args, **kwargs)
> (nova.api.openstack): TRACE:   File "/opt/stack/glance/glance/common/client.py", line 420, in do_request
> (nova.api.openstack): TRACE:     headers=headers)
> (nova.api.openstack): TRACE:   File "/opt/stack/glance/glance/common/client.py", line 75, in wrapped
> (nova.api.openstack): TRACE:     return func(self, method, url, body, headers)
> (nova.api.openstack): TRACE:   File "/opt/stack/glance/glance/common/client.py", line 538, in _do_request
> (nova.api.openstack): TRACE:     raise exception.Forbidden(res.read())
> (nova.api.openstack): TRACE: Forbidden: You are not authorized to complete this action.
> (nova.api.openstack): TRACE: Details: 403 Forbidden
> (nova.api.openstack): TRACE:
> (nova.api.openstack): TRACE: Access was denied to this resource.
> (nova.api.openstack): TRACE:
> (nova.api.openstack): TRACE:
> (nova.api.openstack): TRACE:
> 
> ** Affects: nova
>     Importance: Undecided
>         Status: New
> 
> -- 
> You received this bug notification because you are subscribed to
> OpenStack Compute (nova).
> https://bugs.launchpad.net/bugs/965540
> 
> Title:
>  nova does not handle glance_exception.Forbidden
> 
> Status in OpenStack Compute (Nova):
>  New
> 
> Bug description:
>  Nova does not correctly handle glance not-authorized errors, so nova
>  image-list gives a 500 under these conditions.
> 
>  Step to reproduce:
> 
>> run devstack
>> modify glance/etc/policy.json so that all calls will be unauthorized:  "default": [["role:asd"]]
>> nova image-list
> 
>  Expected:
> 
>  An Unauthorized message
> 
>  Actual:
> 
>  {"computeFault": {"message": "The server has either erred or is incapable of performing the requested operation.", "code": 500}}
>  ERROR: The server has either erred or is incapable of performing the requested operation. (HTTP 500)
> 
> 
>  n-api:
> 
> 
>  nova.api.openstack): TRACE:   File "/opt/stack/nova/nova/api/openstack/compute/images.py", line 201, in detail
>  (nova.api.openstack): TRACE:     **page_params)
>  (nova.api.openstack): TRACE:   File "/opt/stack/nova/nova/image/glance.py", line 176, in detail
>  (nova.api.openstack): TRACE:     for image_meta in image_metas:
>  (nova.api.openstack): TRACE:   File "/opt/stack/nova/nova/image/glance.py", line 208, in _fetch_images
>  (nova.api.openstack): TRACE:     _reraise_translated_exception()
>  (nova.api.openstack): TRACE:   File "/opt/stack/nova/nova/image/glance.py", line 206, in _fetch_images
>  (nova.api.openstack): TRACE:     images = fetch_func(**kwargs)
>  (nova.api.openstack): TRACE:   File "/opt/stack/glance/glance/client.py", line 76, in get_images_detailed
>  (nova.api.openstack): TRACE:     res = self.do_request("GET", "/images/detail", params=params)
>  (nova.api.openstack): TRACE:   File "/opt/stack/glance/glance/common/client.py", line 58, in wrapped
>  (nova.api.openstack): TRACE:     return func(self, *args, **kwargs)
>  (nova.api.openstack): TRACE:   File "/opt/stack/glance/glance/common/client.py", line 420, in do_request
>  (nova.api.openstack): TRACE:     headers=headers)
>  (nova.api.openstack): TRACE:   File "/opt/stack/glance/glance/common/client.py", line 75, in wrapped
>  (nova.api.openstack): TRACE:     return func(self, method, url, body, headers)
>  (nova.api.openstack): TRACE:   File "/opt/stack/glance/glance/common/client.py", line 538, in _do_request
>  (nova.api.openstack): TRACE:     raise exception.Forbidden(res.read())
>  (nova.api.openstack): TRACE: Forbidden: You are not authorized to complete this action.
>  (nova.api.openstack): TRACE: Details: 403 Forbidden
>  (nova.api.openstack): TRACE:
>  (nova.api.openstack): TRACE: Access was denied to this resource.
>  (nova.api.openstack): TRACE:
>  (nova.api.openstack): TRACE:
>  (nova.api.openstack): TRACE:
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/nova/+bug/965540/+subscriptions