'upload-image' policy blocks the image-import API
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Fix Released | Critical | Bhagyashri Shewale |
Bug Description
There are two methods to create images:
Method A)
POST /v2/images
PUT /v2/images/
Method B)
POST /v2/images
PUT /v2/images/
POST /v2/images/
The Glance community has a long-term plan to restrict normal users from using Method A to create images.
The traditional image upload API (PUT /v2/images/
If the Glance community restricts the traditional Method A (image upload) for normal users, it will also impact Method B (POST /v2/images/
'upload-image' and 'import image' share the same policy.
Steps to reproduce:
Case 1: Restrict the normal user to upload-image
1. Modify the /etc/glance/
2. Create the image
$ glance image-create --name test --property test=tyest --file
spec_
+----
| Property | Value |
+----
| checksum | None |
| container_format | bare |
| created_at | 2017-11-
| disk_format | qcow2 |
| id | d719c5fb-
| min_disk | 0 |
| min_ram | 0 |
| name | test |
| owner | d2b9f7372d2e481
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| test | tyest |
| updated_at | 2017-11-
| virtual_size | None |
| visibility | shared |
+----
403 Forbidden: Not allowed to upload image data for image d719c5fb-4907-4b8d-
b219-
(HTTP 403)
Case 2: Now a normal user wants to create the image using image-create-
$ glance image-create-
spec_
property os_distro=xyz
+----
| Property | Value |
+----
| checksum | None |
| container_format | bare |
| created_at | 2017-11-
| disk_format | raw |
| id | 7e0bc1c4-
| min_disk | 0 |
| min_ram | 0 |
| name | test |
| os_distro | xyz |
| owner | d2b9f7372d2e481
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2017-11-
| virtual_size | None |
| visibility | shared |
+----
403 Forbidden: Not allowed to upload image data for image 7e0bc1c4-7024-43cb-
b75c2a5629f8ded9: You are not authorized to complete upload_image action. (HTTP
403)
So to overcome this, we will need to add a separate policy for import image in policy.json.
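The coupling described in this report can be modelled in a few lines. This is an added example, not code from the bug report or from Glance: it uses a simplified subset of policy.json rule syntax, the operation labels `method_a_upload` and `method_b_import` and the action name `import_image_data` are hypothetical, and the policies are constructed. Only `upload_image` comes from the error message above.

```python
# Simplified model of policy.json enforcement (not oslo.policy or Glance code).
# Rule syntax subset: "" = allow everyone, "!" = deny everyone, "role:<name>",
# alternatives joined with " or ".

def check(rule, roles):
    """Evaluate one rule string against the caller's roles."""
    if rule == "":
        return True
    for term in rule.split(" or "):
        term = term.strip()
        if term.startswith("role:") and term[len("role:"):] in roles:
            return True
    return False  # "!" and unknown terms fail closed


def allowed(policy, op_to_action, operation, roles):
    """Map an API operation to its policy action, then enforce that action."""
    action = op_to_action[operation]
    # A missing action fails closed (an assumption of this model).
    return check(policy.get(action, "!"), roles)


def shared_actions(op_to_action):
    """Audit helper: policy actions enforced by more than one operation."""
    users = {}
    for op, action in op_to_action.items():
        users.setdefault(action, []).append(op)
    return {a: sorted(ops) for a, ops in users.items() if len(ops) > 1}


# Behaviour reported in the bug: both data paths enforce 'upload_image'.
SHARED = {"method_a_upload": "upload_image", "method_b_import": "upload_image"}
# Proposed direction: a separate action ('import_image_data' is hypothetical).
SPLIT = {"method_a_upload": "upload_image", "method_b_import": "import_image_data"}

# Constructed policies: upload restricted to admins, as in Case 1.
POLICY_SHARED = {"upload_image": "role:admin"}
POLICY_SPLIT = {"upload_image": "role:admin", "import_image_data": ""}


def report(roles):
    """Return {mapping name: {operation: allowed?}} for a caller with `roles`."""
    out = {}
    for name, mapping, policy in (("shared", SHARED, POLICY_SHARED),
                                  ("split", SPLIT, POLICY_SPLIT)):
        out[name] = {op: allowed(policy, mapping, op, roles) for op in mapping}
    return out


if __name__ == "__main__":
    print(report({"member"}))
    print(shared_actions(SHARED))
```

Running `shared_actions` over a deployment's real operation-to-action mapping shows which restrictions will block more than the operator intended.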
Changed in glance:
assignee: nobody → Bhagyashri Shewale (bhagyashri-shewale)
description: updated
Changed in glance:
status: New → Confirmed
importance: Undecided → High
Changed in glance:
milestone: none → queens-2
Fix proposed to branch: master
Review: https://review.openstack.org/524060