yahoo-eng-team team mailing list archive

[Bug 1596927] Re: Glance installation does not appear to detect admin role

 

Hi everyone,

Launchpad is for bug reports and fixes. I recommend you go to
ask.openstack.org or perhaps address your question in #openstack on
Freenode.

Once the issue "It seems that glance is not properly detecting the
admin-ness of the admin account, i.e. resolving that admin is in the
role admin. If I remove the "role:admin" from publicize_image in
/etc/glance/policy.json, the above command works." has been fixed in
Glance, we can reopen this and address this in the documentation.

Thanks,

Alex



** Changed in: openstack-manuals
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1596927

Title:
  Glance installation does not appear to detect admin role

Status in Glance:
  New
Status in openstack-manuals:
  Invalid

Bug description:
  
  Following the installation guide on Ubuntu 16.04 and using the provided Mitaka packages on a new clean VM installation. Once I attempt to upload an image with the --public flag, glance reports 403 Forbidden when using the admin account (debug output at the end of the bug). Again, this is using the ADMIN account, who is in the ADMIN role of both the admin and service projects.

  I'm guessing this is a documentation issue and somewhere along the
  instructions something's not happening in the right order.

  It seems that glance is not properly detecting the admin-ness of the
  admin account, i.e. resolving that admin is in the role admin. If I
  remove the "role:admin" from publicize_image in
  /etc/glance/policy.json, the above command works.

  The username and password for the glance account in
  /etc/glance/glance-api.conf and glance-registry.conf are correct. It
  seems that only those operations that require the admin role are broken.

  The admin user environment is set as:

  export OS_PROJECT_DOMAIN_NAME=default
  export OS_USER_DOMAIN_NAME=default
  export OS_PROJECT_NAME=admin
  export OS_USERNAME=admin
  export OS_PASSWORD=admin
  export OS_AUTH_URL=http://controller:35357/v3
  export OS_IDENTITY_API_VERSION=3
  export OS_IMAGE_API_VERSION=2

  The documented roles/projects/users are defined:

  root@controller:~# openstack user list
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 2c2f877dad19415aa2f3c410cc23f7f5 | glance |
  | 4200ae4f41a24e1195f1fa1f2a6bc7c8 | admin  |
  | df223dbfc8534f089677da8002f084a2 | demo   |
  +----------------------------------+--------+
  root@controller:~# openstack role list
  +----------------------------------+-------+
  | ID                               | Name  |
  +----------------------------------+-------+
  | 5958a2db1dec48a3ae8e01a2b5704080 | admin |
  | d75766b685a943cca51c7869fe39ee09 | user  |
  +----------------------------------+-------+
  root@controller:~# openstack project list
  +----------------------------------+---------+
  | ID                               | Name    |
  +----------------------------------+---------+
  | 0e53ec33b2dd459999adcd0a4d432512 | admin   |
  | 24178e2444634949a96877a906ddc6f5 | demo    |
  | 62ce2aaa1a3b4c7c855d11af43eb26a9 | service |
  +----------------------------------+---------+
  root@controller:~# openstack  role assignment list --names
  +-------+----------------+-------+-----------------+--------+-----------+
  | Role  | User           | Group | Project         | Domain | Inherited |
  +-------+----------------+-------+-----------------+--------+-----------+
  | admin | glance@default |       | service@default |        | False     |
  | admin | admin@default  |       | admin@default   |        | False     |
  | admin | admin@default  |       | service@default |        | False     |
  | user  | demo@default   |       | demo@default    |        | False     |
  +-------+----------------+-------+-----------------+--------+-----------+

  Debug output:

  root@controller:~# openstack --debug  image create "cirros"   --file cirros-0.3.4-x86_64-disk.img   --disk-format qcow2 --container-format bare   --public
  START with options: ['--debug', 'image', 'create', 'cirros', '--file', 'cirros-0.3.4-x86_64-disk.img', '--disk-format', 'qcow2', '--container-format', 'bare', '--public']
  options: Namespace(access_token_endpoint='', auth_type='', auth_url='http://controller:35357/v3', cacert='', client_id='', client_secret='***', cloud='', debug=True, default_domain='default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='', log_file=None, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='2', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', password='***', profile=None, project_domain_id='', project_domain_name='default', project_id='', project_name='admin', protocol='', region_name='', scope='', service_provider_endpoint='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='default', user_id='', username='admin', verbose_level=3, verify=None)
  defaults: {u'auth_type': 'password', u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', 'api_timeout': None, u'baremetal_api_version': u'1', u'image_api_version': u'2', 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': u'1', u'interface': None, u'network_api_version': u'2', u'image_format': u'qcow2', u'key_manager_api_version': u'v1', u'metering_api_version': u'2', 'verify': True, u'identity_api_version': u'2.0', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', u'container_api_version': u'1', u'dns_api_version': u'2', u'object_store_api_version': u'1', u'disable_vendor_agent': {}}
  cloud cfg: {'auth_type': 'password', u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', 'timing': False, u'network_api_version': u'2', u'image_format': u'qcow2', u'image_api_version': '2', 'verify': True, u'dns_api_version': u'2', u'object_store_api_version': u'1', 'verbose_level': 3, 'region_name': '', 'api_timeout': None, u'baremetal_api_version': u'1', 'auth': {'username': 'admin', 'project_name': 'admin', 'user_domain_name': 'default', 'auth_url': 'http://controller:35357/v3', 'password': '***', 'project_domain_name': 'default'}, 'default_domain': 'default', u'container_api_version': u'1', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': u'1', u'interface': None, 'cacert': None, u'key_manager_api_version': u'v1', u'metering_api_version': u'2', 'deferred_help': False, u'identity_api_version': '3', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
  compute API version 2, cmd group openstack.compute.v2
  network API version 2, cmd group openstack.network.v2
  image API version 2, cmd group openstack.image.v2
  volume API version 2, cmd group openstack.volume.v2
  identity API version 3, cmd group openstack.identity.v3
  object_store API version 1, cmd group openstack.object_store.v1
  command: image create -> openstackclient.image.v2.image.CreateImage
  Auth plugin password selected
  auth_type: password
  Using auth plugin: password
  Using parameters {'username': 'admin', 'project_name': 'admin', 'auth_url': 'http://controller:35357/v3', 'user_domain_name': 'default', 'password': '***', 'project_domain_name': 'default'}
  Get auth_ref
  REQ: curl -g -i -X GET http://controller:35357/v3 -H "Accept: application/json" -H "User-Agent: python-openstackclient keystoneauth1/2.4.0 python-requests/2.9.1 CPython/2.7.11+"
  Starting new HTTP connection (1): controller
  "GET /v3 HTTP/1.1" 200 250
  RESP: [200] Content-Length: 250 Vary: X-Auth-Token X-Distribution: Ubuntu Connection: keep-alive Date: Tue, 28 Jun 2016 12:34:03 GMT Content-Type: application/json X-Openstack-Request-Id: req-ebcf407b-925f-4faa-903d-9b7032b38402
  RESP BODY: {"version": {"status": "stable", "updated": "2016-04-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.6", "links": [{"href": "http://controller:35357/v3/", "rel": "self"}]}}

  Making authentication request to http://controller:35357/v3/auth/tokens
  "POST /v3/auth/tokens HTTP/1.1" 201 1637
  run(Namespace(checksum=None, columns=[], container_format='bare', copy_from=None, disk_format='qcow2', file='cirros-0.3.4-x86_64-disk.img', force=False, formatter='table', id=None, location=None, max_width=0, min_disk=None, min_ram=None, name='cirros', noindent=False, owner=None, prefix='', private=False, project=None, project_domain=None, properties=None, protected=False, public=True, size=None, store=None, tags=None, unprotected=False, variables=[], volume=None))
  Instantiating identity client: <class 'keystoneclient.v3.client.Client'>
  Instantiating image client: <class 'glanceclient.v2.client.Client'>
  Making authentication request to http://controller:35357/v3/auth/tokens
  "POST /v3/auth/tokens HTTP/1.1" 201 1637
  Instantiating image api: <class 'openstackclient.api.image_v2.APIv2'>
  curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}92f6b2faf82c0d8b4e80f7bef1e6e06aaf708bc8' -H 'Content-Type: application/octet-stream' http://controller:9292/v2/schemas/image
  Starting new HTTP connection (1): controller
  "GET /v2/schemas/image HTTP/1.1" 200 4141

  HTTP/1.1 200 OK
  Date: Tue, 28 Jun 2016 12:34:03 GMT
  Connection: keep-alive
  Content-Type: application/json; charset=UTF-8
  Content-Length: 4141
  X-Openstack-Request-Id: req-9e77c530-08c6-4108-8082-90815d5c49cf

  curl -g -i -X POST -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}92f6b2faf82c0d8b4e80f7bef1e6e06aaf708bc8' -H 'Content-Type: application/json' -d '{"container_format": "bare", "disk_format": "qcow2", "name": "cirros", "visibility": "public"}' http://controller:9292/v2/images
  "POST /v2/images HTTP/1.1" 403 169
  Request returned failure status 403.
  403 Forbidden: You are not authorized to complete this action. (HTTP 403)
  Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
      result = cmd.run(parsed_args)
    File "/usr/lib/python2.7/dist-packages/openstackclient/common/command.py", line 38, in run
      return super(Command, self).run(parsed_args)
    File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
      column_names, data = self.take_action(parsed_args)
    File "/usr/lib/python2.7/dist-packages/openstackclient/image/v2/image.py", line 330, in take_action
      image = image_client.images.create(**kwargs)
    File "/usr/lib/python2.7/dist-packages/glanceclient/v2/images.py", line 235, in create
      resp, body = self.http_client.post(url, data=image)
    File "/usr/lib/python2.7/dist-packages/glanceclient/common/http.py", line 278, in post
      return self._request('POST', url, **kwargs)
    File "/usr/lib/python2.7/dist-packages/glanceclient/common/http.py", line 267, in _request
      resp, body_iter = self._handle_response(resp)
    File "/usr/lib/python2.7/dist-packages/glanceclient/common/http.py", line 83, in _handle_response
      raise exc.from_response(resp, resp.content)
  HTTPForbidden: 403 Forbidden: You are not authorized to complete this action. (HTTP 403)
  clean_up CreateImage: 403 Forbidden: You are not authorized to complete this action. (HTTP 403)
  Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/openstackclient/shell.py", line 118, in run
      ret_val = super(OpenStackShell, self).run(argv)
    File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 255, in run
      result = self.run_subcommand(remainder)
    File "/usr/lib/python2.7/dist-packages/openstackclient/shell.py", line 153, in run_subcommand
      ret_value = super(OpenStackShell, self).run_subcommand(argv)
    File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
      result = cmd.run(parsed_args)
    File "/usr/lib/python2.7/dist-packages/openstackclient/common/command.py", line 38, in run
      return super(Command, self).run(parsed_args)
    File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
      column_names, data = self.take_action(parsed_args)
    File "/usr/lib/python2.7/dist-packages/openstackclient/image/v2/image.py", line 330, in take_action
      image = image_client.images.create(**kwargs)
    File "/usr/lib/python2.7/dist-packages/glanceclient/v2/images.py", line 235, in create
      resp, body = self.http_client.post(url, data=image)
    File "/usr/lib/python2.7/dist-packages/glanceclient/common/http.py", line 278, in post
      return self._request('POST', url, **kwargs)
    File "/usr/lib/python2.7/dist-packages/glanceclient/common/http.py", line 267, in _request
      resp, body_iter = self._handle_response(resp)
    File "/usr/lib/python2.7/dist-packages/glanceclient/common/http.py", line 83, in _handle_response
      raise exc.from_response(resp, resp.content)
  HTTPForbidden: 403 Forbidden: You are not authorized to complete this action. (HTTP 403)

  -----------------------------------
  Release: 0.1 on 2016-06-03 17:52
  SHA: e3ed7ad89c1d8b0551c95e607443218397fbfac7
  Source: http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/install-guide/source/glance.rst
  URL: http://docs.openstack.org/liberty/install-guide-ubuntu/glance.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1596927/+subscriptions
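
The effect of the workaround quoted in the report, as an added example that is not part of the original thread or of Glance's code: a simplified model of the policy rule syntax (not oslo.policy itself) evaluated against the callers from the role assignment table. The two policy fragments and the caller with no roles are constructed for illustration.

```python
import json

# Constructed policy fragments: the rule named in the report, and the same
# rule after the "role:admin" requirement is removed as the reporter did.
PACKAGED = json.loads('{"publicize_image": "role:admin"}')
EDITED = json.loads('{"publicize_image": ""}')

# Role names per caller, taken from the role assignment table in the report,
# plus one constructed caller whose request context carries no roles at all.
CALLERS = {
    "admin@admin": ["admin"],
    "glance@service": ["admin"],
    "demo@demo": ["user"],
    "no-roles (constructed)": [],
}


def allowed(rule, roles, rules, depth=0):
    """Simplified model of a rule: '', '@', '!', role:X, rule:NAME, and/or."""
    if depth > 8:  # guard against rule:NAME reference loops
        return False
    have = {r.lower() for r in roles}

    def atom(text):
        text = text.strip()
        if text in ("", "@"):  # an empty rule always passes
            return True
        kind, _, value = text.partition(":")
        if kind == "role":
            return value.lower() in have
        if kind == "rule" and value in rules:
            return allowed(rules[value], roles, rules, depth + 1)
        return False  # '!' and anything this model does not know: deny

    return any(all(atom(a) for a in alt.split(" and "))
               for alt in rule.split(" or "))


def who_can(action, rules):
    """Return the sorted caller names for which `action` is permitted."""
    return sorted(name for name, roles in CALLERS.items()
                  if allowed(rules.get(action, "!"), roles, rules))


if __name__ == "__main__":
    for label, rules in (("packaged", PACKAGED), ("edited", EDITED)):
        print(label, "->", who_can("publicize_image", rules))
```

With the edited rule every caller, including demo and one with no roles, may publish images, so the edit makes the command succeed without showing why the admin role was not recognised.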