Fix failed cinder store migration for non-owners
This fixes the bug related to cinder store migration being unable to complete if a non-owner, non-admin user GETs the image before one of the authorized users has triggered the lazy migration. Change-Id: I187f626816ef1bc7303251165d2282bf6985cfd1 Closes-Bug: #1932337
This commit is contained in:
Dan Smith
parent
b55dbb28c6
commit
ee1849714e
@ -86,8 +86,17 @@ class ImageRepoProxy(glance.domain.proxy.Repo):
|
|||||||
def get(self, image_id):
|
def get(self, image_id):
|
||||||
image = super(ImageRepoProxy, self).get(image_id)
|
image = super(ImageRepoProxy, self).get(image_id)
|
||||||
if CONF.enabled_backends:
|
if CONF.enabled_backends:
|
||||||
store_utils.update_store_in_locations(
|
try:
|
||||||
self.context, image, self.image_repo)
|
store_utils.update_store_in_locations(
|
||||||
|
self.context, image, self.image_repo)
|
||||||
|
except exception.Forbidden:
|
||||||
|
# NOTE(danms): We may not be able to complete a store
|
||||||
|
# update if we do not own the image. That should not
|
||||||
|
# break us, so avoid raising Forbidden in that
|
||||||
|
# case. Note that modifications to @image here will
|
||||||
|
# still be returned to the user, just not saved in the
|
||||||
|
# DB. That is probably what we want anyway.
|
||||||
|
pass
|
||||||
return image
|
return image
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -257,14 +257,6 @@ class TestLegacyUpdateCinderStore(functional.SynchronousAPIBase):
|
|||||||
resp = self.api_get('/v2/images/%s' % image_id,
|
resp = self.api_get('/v2/images/%s' % image_id,
|
||||||
headers={'X-Roles': 'reader'})
|
headers={'X-Roles': 'reader'})
|
||||||
|
|
||||||
# FIXME(danms): This is broken behavior: the first user to GET
|
|
||||||
# an image after upgrade may not be an admin or the owner. As
|
|
||||||
# such, we should not return an error to that user for a valid image.
|
|
||||||
self.assertEqual(500, resp.status_code)
|
|
||||||
self.skipTest('Bug 1932337 is not fixed')
|
|
||||||
|
|
||||||
# FIXME(danms): Continue the test below when bug 1932337 is
|
|
||||||
# fixed.
|
|
||||||
image = resp.json
|
image = resp.json
|
||||||
# verify the image is updated to new format
|
# verify the image is updated to new format
|
||||||
self.assertEqual('cinder://store1/%s' % self.vol_id,
|
self.assertEqual('cinder://store1/%s' % self.vol_id,
|
||||||
|
|||||||
@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
The cinder store lazy migration code assumed that the user
|
||||||
|
performing the GET was authorized to modify the image in order to
|
||||||
|
perform the update. This will not be the case for shared or public
|
||||||
|
images where the user is not the owner or an admin, and would
|
||||||
|
result in a 404 to the user if a migration is needed but not
|
||||||
|
completed. Now, we delay the migration if we are not sufficiently
|
||||||
|
authorized, allowing the first GET by the owner (or an admin) to
|
||||||
|
perform it. See Bug 1932337_ for more information.
|
||||||
|
|
||||||
|
.. _1932337: https://bugs.launchpad.net/glance/+bug/1932337
|
||||||
Loading…
Reference in New Issue
Block a user