v2 api returns 200 with blank response (no image data) for download_image policy

Bug #1326781 reported by Abhishek Kekane
Affects   Status         Importance   Assigned to
Glance    Fix Released   Undecided    Juan Manuel Ollé

Bug Description

v2 api returns 200 with blank response (no image data) for download_image policy

If you have enabled the download_image policy in policy.json as "role:admin", then it should return a 403 error if a user with a role other than admin calls the image-download API.
Presently it returns 200 with a blank response (no image data). If you enable the cache filter, it returns the 403 error correctly.

Steps to reproduce:

1. Ensure following flavor is set in glance-api.conf
   [paste-deploy]
   flavor = keystone+cachemanagement

2. Disable cache
   a. Open /etc/glance/glance-api-paste.ini file.
   b. Remove cache from the following sections.
     [pipeline:glance-api-caching]
     [pipeline:glance-api-cachemanagement]
     [pipeline:glance-api-keystone+caching]
     [pipeline:glance-api-keystone+cachemanagement]
     [pipeline:glance-api-trusted-auth+cachemanagement]
   c. Save and exit from file.
   d. Restart the g-api (glance-api) service.

3. Ensure that 'download_image' policy is set in policy.json
   "download_image": "role:admin"

4. Download image using v2 api for role other than admin
   a. source openrc normal_user normal_user
   b. glance --os-image-api-version 2 image-download <image-id>

   Output:
   -------
   ''

   glance-api screen log:
   ----------------------
   2014-06-05 12:45:00.711 24883 INFO glance.wsgi.server [-] Traceback (most recent call last):
     File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 395, in handle_one_response
       for data in result:
     File "/mnt/stack/glance/glance/notifier.py", line 228, in get_data
       for chunk in self.image.get_data():
     File "/mnt/stack/glance/glance/api/policy.py", line 233, in get_data
       self.policy.enforce(self.context, 'download_image', {})
     File "/mnt/stack/glance/glance/api/policy.py", line 143, in enforce
       exception.Forbidden, action=action)
     File "/mnt/stack/glance/glance/api/policy.py", line 131, in _check
       return policy.check(rule, target, credentials, *args, **kwargs)
     File "/mnt/stack/glance/glance/openstack/common/policy.py", line 183, in check
       raise exc(*args, **kwargs)
   Forbidden: You are not authorized to complete this action.
   2014-06-05 12:45:00.711 24883 INFO glance.wsgi.server [-] 10.146.146.4 - - [05/Jun/2014 12:45:00] "GET /v2/images/63826dea-e281-4ffe-821b-f598c747ba54/file HTTP/1.1" 200 0 0.062499

Tags: ntt
Changed in glance:
status: New → Confirmed
assignee: nobody → Juan Manuel Ollé (juan-m-olle)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/99193

Changed in glance:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/99193
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=5cf0659d53eba85f7591565b7f18714e39c1713a
Submitter: Jenkins
Branch: master

commit 5cf0659d53eba85f7591565b7f18714e39c1713a
Author: Juan Manuel Olle <email address hidden>
Date: Tue Jun 10 12:51:16 2014 -0300

    Fixes v2 return status on unauthorized download

    If a user is not allowed to download an image because of a policy,
    glance v2 API responds with an HTTP 200 status and no data instead
    of HTTP 403 for no cache only.
    The problem is that the get_data implementation for the notification
    proxy is a generator, which delays the other proxies' get_data
    calls (including the policy proxy) until the first time data is
    retrieved.
    Hence, there is a delay in enforcing policy, so 200 is sent before
    the API gets the chance to catch the policy exception.

    DocImpact
    Closes-Bug: #1326781
    Change-Id: I1e50a069a6b7f9eed7160cd5908a5fa30274e227

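The root cause described in the bug report's traceback and in the commit message above is a generator-deferral pitfall: a proxy whose get_data() is a generator function does not run its body, and therefore does not call the inner policy proxy's get_data(), until the WSGI server pulls the first chunk, by which point the 200 status line is already on the wire. The following is an added example, not glance's code and not the actual patch; the Policy, StoreImage, PolicyProxy, notifier proxy and serve_download names are constructed stand-ins that model the proxy chain and the server behaviour the report describes, and the "fixed" proxy illustrates the approach the commit message implies (call the inner get_data() eagerly, defer only the chunk accounting).

```python
# Added example modelling the deferred policy check; constructed stand-ins,
# not glance's own classes.

class Forbidden(Exception):
    """Stand-in for the Forbidden exception raised by the policy enforcer."""


class Policy:
    """Minimal enforcer: maps an action to the single role it requires."""

    def __init__(self, rules):
        self.rules = rules

    def enforce(self, context, action):
        required = self.rules.get(action)
        if required is not None and required not in context["roles"]:
            raise Forbidden("You are not authorized to complete this action.")


class StoreImage:
    """Innermost image object: yields the stored chunks."""

    def __init__(self, chunks):
        self.chunks = chunks

    def get_data(self):
        return iter(self.chunks)


class PolicyProxy:
    """Enforces 'download_image' at the moment get_data() is called."""

    def __init__(self, image, policy, context):
        self.image, self.policy, self.context = image, policy, context

    def get_data(self):
        self.policy.enforce(self.context, "download_image")
        return self.image.get_data()


class LazyNotifierProxy:
    """Buggy shape: get_data is a generator function, so its body, including
    the inner get_data() call that enforces policy, runs only on first next()."""

    def __init__(self, image, sent_log):
        self.image, self.sent_log = image, sent_log

    def get_data(self):
        sent = 0
        for chunk in self.image.get_data():  # policy check happens here, too late
            yield chunk
            sent += len(chunk)
        self.sent_log.append(sent)


class EagerNotifierProxy:
    """Fixed shape: call the inner get_data() immediately so policy is enforced
    before any status is sent; only the byte accounting stays in a generator."""

    def __init__(self, image, sent_log):
        self.image, self.sent_log = image, sent_log

    def get_data(self):
        data = self.image.get_data()  # raises Forbidden now, while the API can still map it to 403
        return self._count(data)

    def _count(self, data):
        sent = 0
        for chunk in data:
            yield chunk
            sent += len(chunk)
        self.sent_log.append(sent)


def serve_download(image, error_log):
    """Models controller plus WSGI server. Forbidden raised while obtaining the
    iterator becomes 403; once 200 has been sent, an exception raised during
    iteration is only logged (the traceback in the report) and the client
    receives 200 with an empty body. Returns (status, body)."""
    try:
        body_iter = image.get_data()
    except Forbidden:
        return 403, b""
    status = 200  # status line committed before the body is iterated
    chunks = []
    try:
        for chunk in body_iter:
            chunks.append(chunk)
    except Forbidden as exc:
        error_log.append(str(exc))
    return status, b"".join(chunks)


def download_as(roles, notifier_cls):
    """Build the proxy chain for a request carrying `roles`; return (status, body)."""
    policy = Policy({"download_image": "admin"})  # mirrors "download_image": "role:admin"
    store = StoreImage([b"chunk-1", b"chunk-2"])  # constructed image data
    chain = notifier_cls(PolicyProxy(store, policy, {"roles": roles}), [])
    return serve_download(chain, [])


if __name__ == "__main__":
    print(download_as(["member"], LazyNotifierProxy))   # (200, b'')  the reported bug
    print(download_as(["member"], EagerNotifierProxy))  # (403, b'')  correct refusal
    print(download_as(["admin"], EagerNotifierProxy))   # (200, b'chunk-1chunk-2')
```

The general lesson for any streaming API with middleware-style proxies: an authorization check that lives inside a generator body is not performed when the handler returns, so every proxy between the controller and the enforcing layer must obtain the inner iterator eagerly, or the controller must enforce policy itself before it commits a status code.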
Changed in glance:
status: In Progress → Fix Committed
Changed in glance:
milestone: none → juno-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: juno-2 → 2014.2