Public bug reported: Api v2: GET /images/<uuid> on an unowned, public image returns a 403 if show_image_direct_url is true
When doing a show on an image in v2 of the api, if the config value for ‘show_image_direct_url’ is set to True, then a 403 is returned for images not owned by the user.

    $ glance --os-image-api-version 2 image-show b26590c4-d7d8-4348-a8d9-664cd7773f5c
    Request returned failure status.
    403 Forbidden
    You are not permitted to modify locations for this image.
        (HTTP 403)

This occurs because glance/api/authorization.py is using the ImmutableLocations proxy for the locations field on the image and the api code is trying to manipulate this object.

In glance/api/v2/images.py:

    if CONF.show_image_direct_url and image.locations:
        # Choose best location configured strategy
        best_location = (
            location_strategy.choose_best_location(image.locations))
        image_view['direct_url'] = best_location['url']

The ‘choose_best_location’ function is calling ‘get_ordered_locations’ which is attempting to do a deep copy of the ImmutableLocation object which will eventually try to call ‘append’, resulting in a Forbidden being raised.

Printing the system stack before raising the Forbidden results in this stack trace: http://paste.openstack.org/show/72301/

** Affects: glance
     Importance: High
     Assignee: Alex Meade (alex-meade)
         Status: In Progress

** Summary changed:

- Api v2: show_image_direct_url can cause unwarranted 403s when performing aGET /images/<uuid>
+ Api v2: show_image_direct_url can cause unwarranted 403s when performing a GET /images/<uuid>

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1287888

Title: Api v2: show_image_direct_url can cause unwarranted 403s when performing a GET /images/<uuid>

Status in OpenStack Image Registry and Delivery Service (Glance): In Progress
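
The failure mode described in the report, reproduced as an added example that is not Glance code and not part of the original notification. It assumes the read-only proxy is a list subclass whose mutators raise; ReadOnlyLocations, CopyableReadOnlyLocations, best_url and show_image are hypothetical names, and the __deepcopy__ variant is one way to keep the write guard while letting read paths copy, not necessarily the fix applied upstream.

```python
import copy


class Forbidden(Exception):
    """Stand-in for the API's 403 error (hypothetical name)."""


class ReadOnlyLocations(list):
    """Constructed stand-in for a read-only locations proxy (assumption:
    a list subclass whose mutators raise instead of changing the data)."""

    def _forbid(self, *args, **kwargs):
        raise Forbidden("You are not permitted to modify locations "
                        "for this image.")

    append = extend = insert = pop = remove = _forbid
    __setitem__ = __delitem__ = __iadd__ = _forbid


class CopyableReadOnlyLocations(ReadOnlyLocations):
    """Same write guard, but deep copies are built from a plain list, so
    the copy machinery never goes through the forbidden append()."""

    def __deepcopy__(self, memo):
        return type(self)(copy.deepcopy(list(self), memo))


def best_url(locations):
    """Read-only consumer that deep-copies before choosing a location,
    mirroring the copy-then-order step the report describes."""
    ordered = copy.deepcopy(locations)
    return ordered[0]["url"]


def show_image(locations):
    """Return (status, direct_url) the way a 'show' handler would."""
    try:
        return 200, best_url(locations)
    except Forbidden:
        return 403, None


# Constructed sample data, not taken from the bug report.
SAMPLE = [{"url": "file:///images/example", "metadata": {}}]

if __name__ == "__main__":
    print(show_image(ReadOnlyLocations(SAMPLE)))
    print(show_image(CopyableReadOnlyLocations(SAMPLE)))
```

Without __deepcopy__, copy.deepcopy rebuilds the list subclass by calling its append() once per item, which is why a pure read ends in a 403.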