Friday, 2021-02-12

openstackgerrit	Lance Bragstad proposed openstack/glance master: Cleanup remaining tenant terminology in glance API docs https://review.opendev.org/c/openstack/glance/+/775299	00:07
*** zzzeek has quit IRC		00:08
*** zzzeek has joined #openstack-glance		00:10
*** rcernin has quit IRC		02:19
*** rcernin has joined #openstack-glance		02:33
*** rcernin has quit IRC		02:42
*** rcernin has joined #openstack-glance		02:42
*** udesale has joined #openstack-glance		03:25
*** zzzeek has quit IRC		03:57
*** zzzeek has joined #openstack-glance		03:58
*** k_mouza has joined #openstack-glance		04:06
*** k_mouza has quit IRC		04:11
*** gyee has quit IRC		04:30
*** zzzeek has quit IRC		04:43
openstackgerrit	Abhishek Kekane proposed openstack/glance_store stable/victoria: Adjust requirements and lower-constraints https://review.opendev.org/c/openstack/glance_store/+/775190	04:44
*** zzzeek has joined #openstack-glance		04:45
*** k_mouza has joined #openstack-glance		04:54
openstackgerrit	Merged openstack/glance master: Uncap PrettyTable https://review.opendev.org/c/openstack/glance/+/775141	04:56
*** k_mouza has quit IRC		04:58
*** udesale_ has joined #openstack-glance		05:09
*** udesale__ has joined #openstack-glance		05:10
*** udesale has quit IRC		05:11
*** udesale_ has quit IRC		05:14
*** zzzeek has quit IRC		05:15
*** zzzeek has joined #openstack-glance		05:16
*** zzzeek has quit IRC		06:03
*** zzzeek has joined #openstack-glance		06:04
*** k_mouza has joined #openstack-glance		06:07
*** k_mouza has quit IRC		06:11
*** zzzeek has quit IRC		06:13
*** zzzeek has joined #openstack-glance		06:14
*** nikparasyr has joined #openstack-glance		06:21
*** rchurch has quit IRC		06:24
*** zzzeek has quit IRC		06:24
*** zzzeek has joined #openstack-glance		06:30
*** zzzeek has quit IRC		06:37
*** zzzeek has joined #openstack-glance		06:37
openstackgerrit	Merged openstack/glance master: Remove unused option "owner_is_tenant" https://review.opendev.org/c/openstack/glance/+/763920	06:43
*** zzzeek has quit IRC		07:01
*** zzzeek has joined #openstack-glance		07:02
*** rcernin has quit IRC		07:37
*** zzzeek has quit IRC		07:44
*** zzzeek has joined #openstack-glance		07:46
*** ralonsoh has joined #openstack-glance		07:50
*** zzzeek has quit IRC		08:05
*** zzzeek has joined #openstack-glance		08:07
*** rcernin has joined #openstack-glance		08:18
*** zzzeek has quit IRC		08:43
*** zzzeek has joined #openstack-glance		08:46
*** zzzeek has quit IRC		08:55
*** zzzeek has joined #openstack-glance		08:56
*** zzzeek has quit IRC		09:05
*** zzzeek has joined #openstack-glance		09:07
*** zzzeek has quit IRC		09:19
*** zzzeek has joined #openstack-glance		09:21
*** rcernin has quit IRC		09:55
*** k_mouza has joined #openstack-glance		10:02
*** rcernin has joined #openstack-glance		10:09
*** rajivmucheli has joined #openstack-glance		10:11
*** rcernin has quit IRC		10:23
*** k_mouza has quit IRC		10:56
*** k_mouza has joined #openstack-glance		10:56
*** k_mouza has quit IRC		11:02
*** zzzeek has quit IRC		11:42
*** zzzeek has joined #openstack-glance		11:45
*** rcernin has joined #openstack-glance		11:48
*** k_mouza has joined #openstack-glance		11:53
*** udesale_ has joined #openstack-glance		12:02
*** udesale__ has quit IRC		12:04
*** rcernin has quit IRC		12:08
*** rcernin has joined #openstack-glance		12:22
*** udesale__ has joined #openstack-glance		12:44
*** udesale_ has quit IRC		12:46
*** rcernin has quit IRC		12:53
*** k_mouza has quit IRC		13:04
*** k_mouza has joined #openstack-glance		13:21
*** rcernin has joined #openstack-glance		13:27
openstackgerrit	Abhishek Kekane proposed openstack/glance master: Expand tasks database table to add more columns https://review.opendev.org/c/openstack/glance/+/763739	13:43
openstackgerrit	Abhishek Kekane proposed openstack/glance master: Utilize newly added tasks database fields https://review.opendev.org/c/openstack/glance/+/774615	13:43
openstackgerrit	Abhishek Kekane proposed openstack/glance master: WIP: New API /v2/images/{id}/tasks to show tasks associated with image https://review.opendev.org/c/openstack/glance/+/774830	13:43
*** zzzeek has quit IRC		13:48
*** zzzeek has joined #openstack-glance		13:49
*** zzzeek has quit IRC		13:59
*** zzzeek has joined #openstack-glance		14:04
*** sangeet has quit IRC		14:04
*** sangeet has joined #openstack-glance		14:10
sangeet	I have glance (Train) deployed as wsgi with Nginx. I am not able to upload images bigger than 5GB via cli (--file option). I get "Command error: HTTP 504 Gateway Time-out: nginx". But in glance log I see traceback with error " ERROR glance.common.wsgi Got error from Swift: put_object('glance', 'e7b58c3e-3894-46bb-b8a8-a3798ca6446c-00023', ...) failure and no ability to reset contents for reupload." Please help	14:10
*** rajivmucheli has quit IRC		14:17
*** rcernin has quit IRC		14:30
dansmith	gmann: what's the preferred way to signal that a user doesn't have access to a subresource? Meaning:	15:28
dansmith	GET /v2/images/$image_id/tasks	15:28
dansmith	if the user doesn't have access to $image_id, shouldn't we return 404 for this ^ ?	15:28
gmann	dansmith: yes, 404 is recommended as 403 can tell them it exist and they do not have access but 404 hide that info	15:29
dansmith	yeah, okay thanks	15:30
openstackgerrit	Merged openstack/glance-specs master: New Image API /v2/images/{id}/tasks for task information https://review.opendev.org/c/openstack/glance-specs/+/763740	15:31
*** lbragstad_ has joined #openstack-glance		15:46
*** lbragstad has quit IRC		15:50
*** nikparasyr has left #openstack-glance		15:53
openstackgerrit	Merged openstack/glance master: trivial: Fix a typo in devstack plugin.sh https://review.opendev.org/c/openstack/glance/+/775276	16:04
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Implement API protection testing for images https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568	16:17
lbragstad_	dansmith gmann fwiw - i think we took a different approach in keystone	16:25
*** lbragstad_ is now known as lbragstad		16:25
*** k_mouza has quit IRC		16:26
lbragstad	i think we check explicitly if a user has access to something, if they don't we return a 403, regardless of the resource existing	16:26
lbragstad	we return a 404 if the user is authorized to access something, but it doesn't exist	16:26
lbragstad	https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/686305/48/keystone_tempest_plugin/tests/rbac/v3/test_domain.py#187 is an example of the former	16:27
lbragstad	https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/686305/48/keystone_tempest_plugin/tests/rbac/v3/test_domain.py#125 is an example of the later	16:27
dansmith	so they get a 403 if they ask for something that doesn't exist, or something they don't have access to right?	16:27
lbragstad	latter*	16:27
dansmith	how do you know if something doesn't exist that they _do_ have access to? :)	16:27
dansmith	or rather, how can someone have access to something that doesn't exist	16:29
lbragstad	backing up a bit	16:32
lbragstad	https://github.com/openstack/keystone/blob/master/keystone/api/domains.py#L37 is where we populate the target data	16:32
lbragstad	and if the domain doesn't exist the target is empty - which fails with the domain check in the policy https://github.com/openstack/keystone/blob/master/keystone/common/policies/domain.py#L44	16:32
dansmith	that means if the domain doesn't exist you can't prove they have access, so 403 right?	16:33
lbragstad	yes	16:34
lbragstad	we have some of this captured in an old bug report because we were bleeding existence checks depending on if a 404 or a 403 was returned	16:35
lbragstad	and it allowed someone to fish for resources they didn't have access to	16:35
dansmith	lbragstad: for context, the code I was reviewing was returning an empty list of sub resources in both cases of "the base resource does not exist" and "the base resource is not allowed to the current user"	16:35
lbragstad	but - the way you phrase "how can someone have access to something that doesn't exist" is a good point	16:36
dansmith	so 403 or 404 would be better, but it seems like 404 is the preferred thing elsewhere.. I didn't know keystone did that differently though	16:36
dansmith	lbragstad: right, I get the 403-if-not-exists, but I don't see how you can return 404 if they have access to the base resource, but it doesn't exist	16:36
lbragstad	i'm having a hard time understanding the last part of ^	16:38
lbragstad	shouldn't we return a 404 when someone is authorized to do something, but the resource doesn't exist?	16:39
dansmith	well, you said "we return a 404 if the user is authorized to access something, but it doesn't exist"	16:39
lbragstad	oh	16:39
lbragstad	ok - so here	16:40
lbragstad	https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/686305/48/keystone_tempest_plugin/tests/rbac/v3/test_domain.py#103	16:40
lbragstad	technical system-administrators represent god-mode=True, right?	16:40
lbragstad	in that case we return a 404 because we know they're technically authorized to view any domain in the deployment, but the one they are looking for doesn't exist	16:41
dansmith	well, I dunno how you factor that in.. super admins are a bit of a different thing	16:41
dansmith	sure, that's fine	16:41
dansmith	lbragstad: here's the code I was reviewing, for context: https://review.opendev.org/c/openstack/glance/+/774830/2/glance/api/v2/images.py	16:43
dansmith	this is /v2/images/$image_id/tasks	16:43
dansmith	I don't think they have anything that will have short-circuited if $image_id doesn't exist, and if they did, he wouldn't have written that code I think	16:44
lbragstad	ok - so iiuc that would be calling https://github.com/openstack/glance/blob/master/glance/api/policy.py#L120	16:47
lbragstad	from a policy perspective	16:47
dansmith	I don't even know that means.. checking to see if image get is possible ever for that user?	16:48
dansmith	but I guess that's the answer to "is authorized to see something that doesn't exist" :)	16:50
dansmith	like x perms on the directory or something	16:50
lbragstad	if i'm reading this right, which might not be the case, the policy will enforce an empty target if the database returns a NotFound	16:52
dansmith	right, but what is the point of that?	16:52
dansmith	just so you can override the result of a nonexistent image with 403 instead of 404?	16:52
dansmith	because that seems like a bad thing if one cloud gives you a 404 for missing images and another 403	16:53
lbragstad	because their policies are different you mean	16:53
lbragstad	or their policies could potentially be different because of override behavior	16:54
dansmith	right, one cloud decides that show on a nonexistent image should be 403 for everyone, where another cloud decides it should be 404	16:55
lbragstad	i see what you mean	16:56
dansmith	you write your client to poll for deletion until you get 404, and that breaks when you move to another cloud where that never happens	16:57
dansmith	or you report "you don't have access to this thing, but it definitely exists, because I didn't get a 404" to the user	16:57
gmann	yeah that is ^^ main issue and info leak.	16:58
dansmith	gmann: but because of that override, it might not exist	16:58
dansmith	can be different on two different glances	16:58
dansmith	because that policy override, AFAICT	16:58
dansmith	the converse is the info leak, where we return 403 for a thing that does exist, which tells the user it's there	16:59
gmann	so if image exist then check the policy right	16:59
dansmith	gmann: but also if the image doesn't exist, check the policy, which could return 403 instead of 404	16:59
lbragstad	the second case you just mentioned dansmith is what we try and prevent in keystone	16:59
lbragstad	(specifically, we don't want to leak information)	17:00
dansmith	lbragstad: well, it's what returning 404 for unauthorized does,	17:00
dansmith	but if you return 403 for "does not exist" and "unauthorized" that's the same difference, it's just upside down, IMHO	17:00
*** udesale__ has quit IRC		17:01
lbragstad	i found a separate example in keystone that doesn't use the domain API	17:02
lbragstad	https://github.com/openstack/keystone/blob/master/keystone/tests/protection/v3/test_projects.py#L696-L710	17:02
dansmith	I think that's in line with your always-403 strategy	17:03
lbragstad	that test is written running as a domain administrator	17:03
dansmith	I think it's okay to pick "default to 404" or "default to 403" -- both avoid the leak, but IMHO 404 is more correct	17:04
lbragstad	ok	17:04
dansmith	but you probably also have more complex permission structures and relations than we do	17:04
gmann	well 404 can be non-exist or url does not exist. but 403 is clear that you do not have access to things which might or might not exist	17:04
gmann	yeah i feel 403 in all cases is more info leak then 404	17:04
dansmith	agreed, but if you're consistent about always 403 then it's probably not exposing anything too badly	17:05
dansmith	but from a client design perspective,	17:05
dansmith	I think 403 means "you need to do something to gain access" which is confusing if the thing really doesn't exist	17:05
dansmith	whereas 404 promises less to the user	17:05
dansmith	"this thing doesn't exist, but it might just not exist FOR YOU"	17:05
lbragstad	yeah...	17:06
lbragstad	gdi	17:06
gmann	true	17:06
dansmith	but what seems to be the case here for glance is... "ask your cloud administrator how they have configured their policy to know what this really means"	17:06
dansmith	I think that's a 6xx error code: "601: Call your operator"	17:07
lbragstad	i've seen that statement sprinkled through the docs	17:07
dansmith	or maybe 602: Software engineer failed you here	17:07
lbragstad	ok - so for glance, can we pursue the 404-always strategy?	17:09
dansmith	I would think we should be headed in that direction, yeah	17:09
dansmith	but glance does also have some finer-grained permissions which may now depend on people being able to see something after it's shared or something, I dunno	17:10
dansmith	I bet rosmaita knows :)	17:10
dansmith	but definitely for anything new, the goal should be default to 404, IMHO	17:10
lbragstad	thinking back on the keystone example again	17:12
lbragstad	we didn't want to expose information outside of the domain (for domain users) because we didn't want to violate tenancy at that level	17:12
lbragstad	and that drove us to the 403-always strategy	17:13
dansmith	it really comes down to what you do for nonexistent things.. if you report 403 for nonexistent things you should have access to, then you can't deduce whether something exists or not from the 403	17:13
dansmith	if you do return 404 in those cases, but 403 for unauthorized, then I think you're exposing existence	17:14
dansmith	that's why I said consistency and what you promise to the user matters	17:14
lbragstad	but - i suppose we could have implemented the 404-always strategy if we 1.) check if the resource existed - if not 404 (this is normal) 2.) check if the resource exists, it does, return 404 if policy enforcement returns a 403	17:14
dansmith	I think that exposes more than you want,	17:15
dansmith	unless you know that this user is granted enough permission to know if something exists within their domain or whatever	17:15
dansmith	that doesn't really exist for nova at least, and I kinda doubt for glance too	17:15
dansmith	but that's why I said keystone may have situations where you're an admin for your group, so it's okay to know if something exists that you can't access within that group	17:15
lbragstad	yeah - so #1 would pull the resource, check if the user has access, if they don't policy would return a 403, if they don't it would return a 404(?)	17:15
dansmith	but you don't want to expose that info across pepsi/coke	17:16
dansmith	I think it's 200 if authorized and exists, else 404	17:16
lbragstad	yea	17:16
dansmith	like email, the internet was a much nicer place when they came up with 401, 403, etc	17:17
dansmith	and like I said,	17:17
dansmith	if you're in the same tenant, but your user doesn't have access, 403 is probably fine	17:17
dansmith	you're telling the pepsi marketing team that they can't access pepsi HR files	17:18
dansmith	but you don't want to tell coke anything about that	17:18
lbragstad	in which case coke should see 404s, is what you're saying	17:21
dansmith	right total lack of acknowledging anything "huh? images? what are images? I dispense kitkat bars here"	17:22
* lbragstad nods		17:22
lbragstad	makes sense	17:22
dansmith	the easier thing though, is to just play dumb with everyone,	17:22
dansmith	and not introduce the middle layer of 403-if-you're-friendly	17:22
lbragstad	we should have taken that approach in keystone	17:24
openstackgerrit	Rajat Dhasmana proposed openstack/glance_store master: Validate volume type during volume create https://review.opendev.org/c/openstack/glance_store/+/774703	17:28
gmann	nice example	17:28
openstackgerrit	Rajat Dhasmana proposed openstack/glance_store master: Validate volume type during volume create https://review.opendev.org/c/openstack/glance_store/+/774703	17:33
lbragstad	dansmith gmann ok - i tried to distill things in a bug report https://bugs.launchpad.net/keystone/+bug/1915540 so we at least document it	17:36
openstack	Launchpad bug 1915540 in OpenStack Identity (keystone) "HTTP 403s are more confusing than HTTP 404s when evaluating authorization of a non-existent resource" [Undecided,New]	17:36
gmann	lbragstad: +1, thanks. may be we can document it in api-wg repo guidelines	17:37
dansmith	yeah	17:37
*** k_mouza has joined #openstack-glance		17:38
dansmith	I guess I thought we had the default-to-404 approach codified as the goal already, openstack-wide	17:38
dansmith	I was asking gmann instead of looking, because I rudely depend on him instead of doing my own research :)	17:38
gmann	we might have there. i just remember as I had same question/discussion form neutron (amotoki) when I was in Tokyo :)	17:39
*** gmann is now known as gmann_afk		17:40
*** k_mouza has quit IRC		17:41
lbragstad	are these still the guidelines? https://specs.openstack.org/openstack/api-wg/guidelines/http/response-codes.html	17:45
lbragstad	or have they moved somewhere else?	17:45
dansmith	seems legit, but yeah, surprised to not see anything in there about this,	17:49
dansmith	especially since I thought this had been discussed a lot	17:50
lbragstad	yeah - same here	17:54
jokke	dansmith: lbragstad: Could you point me to where this 403/404 confusion happens? It should always be 404 for the very reasons dansmith laid down and that has been the approach we've been living on. So if we're returning 403 for non-existing resource, that's a bug breaking our API and we should fix it	18:10
dansmith	jokke: it's not that we _are_ returning 403, I think it's that an operator could configure it that way, because we run enforce on a NotFound	18:11
dansmith	lbragstad linked above, let me find it	18:11
dansmith	jokke: https://github.com/openstack/glance/blob/master/glance/api/policy.py#L120	18:12
dansmith	unless that's doing something other than what we expect,	18:12
dansmith	it seems like that offers the opportunity for a policy rule that would return something like 401 or 403 instead of 404 in the case where we fail to look up an instance	18:12
dansmith	jokke: and most of the discussion above was about keystone, FWIW because lbragstad is lonely and hanging out in the glance channel :)	18:13
jokke	yeah, I got that much ... I was just wondering how is that a case, but I had no idea we would do that. So the enforce is actually raising Forbidden in that case?	18:22
jokke	as from that code we are handling the NotFound exception, but the raise would push forward what ever exception the enforce() raised rather than the NotFound we caught, right?	18:23
dansmith	jokke: I think it would if the operator wrote a rule that denied access to a non-existent target object	18:23
dansmith	right	18:23
dansmith	I don't know why else that enforce would be there, other than to allow the operator to write such a rule, which I expect is just legacy from someone wanting to be able to override that behavior	18:24
jokke	Me neither, and I'm not sure why do we allow that in the first place	18:25
dansmith	because some cloud vendor wanted it at some point I'm sure :)	18:25
jokke	but, I can't recall at least writing nor reviewing that code so I have no idea of the intentions of it	18:25
dansmith	but yeah, I dunno how you feel about just removing it, vs deprecating it	18:25
dansmith	we could try..except around it and then just warn that this isn't supported anymore, or you could just remove it and reno it	18:26
jokke	dansmith: that's probably it "No but our security guy, yeah that on left with folio hat, told us that this is the right way we need to do it" :P	18:26
dansmith	jokke: right, obviously 403 is more "secure" than 404 :P	18:26
dansmith	I can remove it and see if any tests fail	18:27
jokke	sounds like a good start.	18:27
jokke	Maybe we should shoot mail to the list and check if we'd be breaking anyone removing it. If no-one yells hard, get rid of it	18:28
dansmith	glance.tests.unit.v2.test_images_resource.TestImagesControllerPolicies.test_show_unauthorized	18:28
dansmith	https://github.com/openstack/glance/blob/2c893fbd80d0241fad2515221b61266ced12f92d/glance/tests/unit/v2/test_images_resource.py#L3480-L3485	18:29
jokke	uuh so we even test that it does the stuupid thing so we've definitely been deliberate about it	18:29
dansmith	yeah	18:29
jokke	gr8	18:29
dansmith	been there a looooong time: https://review.opendev.org/c/openstack/glance/+/11412	18:30
jokke	thought so	18:31
jokke	almost from the nova times	18:31
dansmith	I'll remove the test too and push it up for comment I guess	18:31
jokke	That almost looks like test that was written because it was the behaviour out of the test case rather than intentionally make sure we do forbidden on notFound	18:36
dansmith	yeah could be, it doesn't have a comment that says "this is definitely how it should be"	18:37
jokke	As it's not mentioned anywhere that it's the desired behaviour, it's all about "This is mess, all over the place and not consistent"	18:37
dansmith	yeah, a common mistake when adding tests after code.. testing the code and not the desired behavior	18:37
jokke	happens _a_lot_ over here	18:38
jokke	People adding "test coverage" not reading docs or checking what the intended behaviour is, just testing that " True == True"	18:38
dansmith	this one too: https://github.com/openstack/glance/blob/2c893fbd80d0241fad2515221b61266ced12f92d/glance/tests/functional/v2/test_images.py#L1943-L1943	18:38
dansmith	atually,	18:39
dansmith	looking at that test,	18:39
dansmith	I think we probably are always returning 403,	18:39
dansmith	for any get_image rule that looks at the image properties, we'd always fail that enforce since we don't pass an object	18:40
dansmith	that test doesn't intend to test this behavior, but fails because it can't check {}['owner']	18:40
dansmith	lbragstad: right?	18:40
jokke	https://docs.openstack.org/api-ref/image/v2/index.html?expanded=list-image-members-detail#list-image-members we should be returning 404	18:47
jokke	Very clear in the API docs if tenant that is not a member tries to list the members, they will get 404	18:47
dansmith	that's good	18:48
dansmith	if we're always returning 403 right now, then less good in that it's quite likely that people will notice	18:49
jokke	yeah, well it looks like we're returning forbidden at least for the image that exists, not sure if the image does not exists	18:50
dansmith	oh duh, right I see	18:51
dansmith	we're probably getting notfound from the db layer because of permissions,	18:51
dansmith	but that's getting converted to 403 in the middle so that the http user never sees it	18:51
jokke	So it might be that the idea has been right, to homogenize those two, _but_ the implementation has been left half way and instead of returning Fobidden to the client, we'd supposed to translate that to NotFound in the API layer	18:52
*** gmann_afk is now known as gmann		18:52
dansmith	I think it's the other way,	18:52
dansmith	we're raising notfound from the lower layer,	18:52
jokke	ohh	18:52
jokke	crap	18:52
dansmith	but we're translating that to 403 when we shouldn't	18:52
jokke	that's stupid	18:53
jokke	Like I'd be ok with that if it was the actual documented API behaviour, like fine. But the fact that we're translating the response to something which really doesn't make sense, test it and then document it in the opposite way ... ffs	18:54
dansmith	sounds like keystone has intentionally gone that direction, which if you're consistent, isn't terrible, but I think it's less desirable from the client perspective because you end up doing things like "delete and poll until 403" instead of 404	18:58
jokke	Ohh we're even better	18:58
jokke	IIRC we just happily tell you the delete request was successful, even if you do delete on resource that was already deleted	18:59
openstackgerrit	Dan Smith proposed openstack/glance master: RFC: Stop raising 403 when image is not found https://review.opendev.org/c/openstack/glance/+/775435	18:59
dansmith	jokke: ^ for comments and discussion	18:59
dansmith	bug probably needs more words and link to the api docs	18:59
dansmith	surely we have a test somewhere that makes sure we get a 404 for a non-existent image though	19:09
dansmith	so there must be something else going on here	19:09
dansmith	maybe only if we fetch the image as part of a call other than a direct show or something	19:10
jokke	I'm wondering that too	19:11
jokke	have no idea tbh	19:11
dansmith	I get a 404 from devstack with a nonexistent image id, so... it's clearly not always a 403	19:11
*** k_mouza has joined #openstack-glance		19:13
jokke	;)	19:13
jokke	This is getting better	19:13
jokke	Yeah, I'm pretty sure you should most of the times get 404	19:13
jokke	Just worried that it's clearly not always	19:14
dansmith	yeah, so I can make my policy such that I get a 403 for a non-existent image:	19:14
dansmith	dan@guaranine:~$ cat /etc/glance/policy.json	19:15
dansmith	{"get_image": "false"}	19:15
dansmith	dan@guaranine:~$ glance image-show 39398e72-ff56-40ca-878f-43c58c437634	19:15
dansmith	HTTP 403 Forbidden: You are not authorized to complete get_image action.	19:15
dansmith	that image-id should be not found	19:15
jokke	yup	19:15
*** k_mouza has quit IRC		19:17
openstackgerrit	Dan Smith proposed openstack/glance master: Stop raising 403 when image is not found https://review.opendev.org/c/openstack/glance/+/775435	19:27
dansmith	added back the test, but changed and commented to validate the desired behavior	19:27
* lbragstad reads up		19:36
lbragstad	about the lower layer thing...	19:36
lbragstad	glance's db layer definitely has some code that tacks SQL queries together depending on the project in the request - which results in a 404 when you're looking for an image outside your project	19:37
lbragstad	and that behavior is a little different for people with the admin role	19:38
lbragstad	because of the _is_visible logic - which special cases the admin role in the database layer before returning the image	19:38
lbragstad	https://github.com/openstack/glance/blob/2c893fbd80d0241fad2515221b61266ced12f92d/glance/db/sqlalchemy/api.py#L286	19:41
lbragstad	https://github.com/openstack/glance/blob/2c893fbd80d0241fad2515221b61266ced12f92d/glance/db/utils.py#L44	19:41
jokke	yeah, the voodoo going on around the db is bit out of my comfort zone	19:41
lbragstad	you and me both :)	19:42
lbragstad	ideally - it would be nice to write a check string that makes these obsolete https://github.com/openstack/glance/blob/2c893fbd80d0241fad2515221b61266ced12f92d/glance/db/utils.py#L45-L74	19:50
lbragstad	and then just rely on https://github.com/openstack/glance/blob/2c893fbd80d0241fad2515221b61266ced12f92d/glance/api/policy.py#L123-L124 after removing https://github.com/openstack/glance/blob/2c893fbd80d0241fad2515221b61266ced12f92d/glance/api/policy.py#L120 (hypothetically)	19:51
lbragstad	and i think there is a discrepancy with existing images	19:55
lbragstad	https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568/15/glance_tempest_plugin/tests/rbac/v2/test_images.py#562 (project-member case)	19:55
lbragstad	https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568/15/glance_tempest_plugin/tests/rbac/v2/test_images.py#993 (project-admin case)	19:56
lbragstad	in both of those cases - we should be returning a 404, right?	20:08
*** rcernin has joined #openstack-glance		20:35
*** ralonsoh has quit IRC		20:37
*** k_mouza has joined #openstack-glance		20:40
*** k_mouza has quit IRC		20:41
*** k_mouza has joined #openstack-glance		20:43
sangeet	I have glance (Train) deployed as wsgi with Nginx. I am not able to upload images bigger than 5GB via cli (--file option). I get "Command error: HTTP 504 Gateway Time-out: nginx". But in glance log I see traceback with error " ERROR glance.common.wsgi Got error from Swift: put_object('glance', 'e7b58c3e-3894-46bb-b8a8-a3798ca6446c-00023', ...) failure and no ability to reset contents for reupload." Please help	20:45
*** k_mouza has quit IRC		20:48
*** rcernin has quit IRC		21:22
lbragstad	dansmith jokke ok - i'm working on converting this conversation into glance_tempest_plugin tests - to be clear, regardless if an image exists in a project, a user from another project should always see a 404 when they attempt to fetch that image, right?	21:28
dansmith	lbragstad: I would think so yeah.. only hedging because I'm not super familiar with the sharing model in glance	21:29
dansmith	meaning, if you're not granted permission to see an image, you should get 404, yes	21:29
dansmith	however in some permission models, you can deny someone access they would have otherwise inherited from group membership	21:30
dansmith	in which case you might want them to see a 403 in that case since you're explicitly denying them	21:30
dansmith	I doubt there's anything like that in glance, but I'm hedging because I don't know	21:30
lbragstad	yeah - that makes sense	21:30
lbragstad	so - anything raising a Forbidden from glance's database layer is going to result in a 404 ultimately from the API	21:31
lbragstad	(assuming we fix the bug you opened)	21:31
dansmith	well, the bug was actually the opposite, that anything resulting in a NotFound could result in a 403	21:32
dansmith	anything that is Forbidden from the lower layers would be a different path	21:32
lbragstad	yeah - different path, same outcome	21:33
lbragstad	if a project-admin tries to get an image in a project that isn't their own, they get a 403	21:33
dansmith	they do? or you're asking if they should?	21:34
lbragstad	they do	21:34
lbragstad	project members get a 404 in the same situation	21:34
dansmith	okay that seems wrong too, because that's like exposing pepsi secrets to the sysadmin for coke right?	21:34
lbragstad	yes	21:34
lbragstad	https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568/15/glance_tempest_plugin/tests/rbac/v2/test_images.py#993	21:35
dansmith	just because they are a coke sysadmin doesn't mean they should know any more about pepsi than coke regulars	21:35
lbragstad	right - i agree	21:35
dansmith	yeah, seems broken	21:35
lbragstad	but i think it's because of a mismatch in the assumptions of what an admin is between the database and new policy defaults we're working on	21:36
dansmith	well, this is why I was saying earlier that it's easier if you don't try to expose a little more rich information to admins just because they're admins, because you can get unintentional leaks like this	21:36
dansmith	easier to just say "either 200 or 404"	21:36
lbragstad	yeah - that makes sense, but i'm struggling to find a case where we would use a 403 now with image_get	21:37
dansmith	can't really think of one	21:38
lbragstad	ok - so... good	21:38
dansmith	if glance has a "transfer ownership" option, then maybe after you've given the image away, 403 for you until they accept or something	21:38
dansmith	but yeah, otherwise I think not	21:38
lbragstad	ok - and that might just be a side-effect of get_image, too?	21:38
lbragstad	because that might be different is someone is a project-reader and they're trying to create private images	21:39
lbragstad	in that case, 403 makes sense i think	21:39
dansmith	yeah, I dunno, and like I say I don't know if glance has that	21:39
dansmith	so I'm really speaking from my posterior	21:39
dansmith	probably best to get an answer from the elders	21:39
lbragstad	agreed - i'll go with that for now, translate it to tests, and then post a patch	21:40
dansmith	yeah, asking for reviews on tests is very concrete, so a good plan :)	21:41

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!