openstack team mailing list archive

Re: Listing non-public images in Glance

 

Hi Pete! Answers inline :)

On Thu, Jan 19, 2012 at 2:26 PM, Pete Zaitcev <zaitcev@xxxxxxxxxx> wrote:
> Hello:
>
> This clearly seems like I am missing something obvious, but is it
> possible to list non-public images in Glance?

No. But if you know the ID, you can issue a call to HEAD|GET
/images/<ID> and it will show you the image information. This was done
this way for legacy reasons IIRC. Nowadays, with authentication
enabled, you have much better, finer-grained, and logical access
permissions to images (see below).

> It came up because I have a Glance setup without Keystone or other
> authentication for now, like this:
>
>  [pipeline:glance-api]
>  pipeline = versionnegotiation context apiv1app
>
> Images that have "X-Image-Meta-Is_public: False" do not get listed
> with "glance index". I am not saying that it is wrong per se, all the
> documentation implies that a GET to /v1/images only produces a listing
> of public images, and it looks like all functional and unit tests
> in ./glance/tests set the public flag as necessary.

Correct.

> But I'm wondering:
>
>  a) If authentication is in effect, can users list their own images?

Yes. If authentication is enabled and a user calls GET /images, they
see a list of non-deleted, non-killed-status *public* images
(is_public=True) AND any images where the owner_id is the user's
Tenant or User ID AND any images that have manually been shared with
the Tenant or User ID via the image-memberships functionality.

Note that I say "Tenant or User" above. There is a configuration value
(owner_is_tenant, default is True) that controls whether the
authentication layer considers the X-Auth-Tenant or the X-Auth-User
value as being the owner...

>    It is easy to forget what you have. The Image Warehouse service
>    in Aeolus permits to list images regardless, as long as bucket
>    is accessible.
>
>  b) If authentication is not in effect, should we change to listing
>    everything, public and not? I can file a bug and see it implemented.

Interesting proposal, and one we debated over when Kevin Mitchell
originally added support for authentication (and thus image
ownership). We decided to keep it the way it is because we did not
want to change existing behaviour of servers that did not have
authentication enabled...

Cheers!
-jay

> -- Pete
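The listing rule described in the reply above, as an added Python sketch. It is not Glance's code and not part of the original message. The `Image` and `Context` classes, the function names and the sample records are hypothetical, and applying the deleted/killed filter to every image (not only public ones) is an assumption of the sketch.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Image:                       # hypothetical stand-in for an image record
    id: str
    is_public: bool
    owner: Optional[str] = None
    status: str = "active"
    deleted: bool = False
    members: set = field(default_factory=set)   # IDs the image is shared with

@dataclass
class Context:
    # What the auth layer would take from X-Auth-Tenant / X-Auth-User.
    # Both None models a pipeline without authentication.
    tenant: Optional[str] = None
    user: Optional[str] = None

def visible_in_listing(image, ctx, owner_is_tenant=True):
    """True if GET /images would list this image for the requester."""
    if image.deleted or image.status == "killed":
        return False
    if image.is_public:
        return True
    # owner_is_tenant selects which identity counts as "the owner".
    who = ctx.tenant if owner_is_tenant else ctx.user
    if who is None:                # no authentication: private images are never listed
        return False
    return image.owner == who or who in image.members

def list_images(images, ctx, owner_is_tenant=True):
    return [i.id for i in images if visible_in_listing(i, ctx, owner_is_tenant)]

def get_by_id_no_auth(images, image_id):
    """HEAD|GET /images/<ID> without authentication: knowing the ID is enough,
    so is_public=False hides an image from the listing but does not protect it."""
    return next((i for i in images if i.id == image_id), None)

# Constructed sample data, not taken from a real deployment.
IMAGES = [
    Image("pub-1", True, owner="tenant-a"),
    Image("priv-a", False, owner="tenant-a"),
    Image("priv-b", False, owner="tenant-b", members={"tenant-a"}),
    Image("priv-c", False, owner="tenant-c"),
    Image("priv-u", False, owner="alice"),
    Image("dead", True, status="killed"),
]

if __name__ == "__main__":
    alice = Context(tenant="tenant-a", user="alice")
    print("no auth:        ", list_images(IMAGES, Context()))
    print("owner_is_tenant:", list_images(IMAGES, alice))
    print("owner is user:  ", list_images(IMAGES, alice, owner_is_tenant=False))
```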

