yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #60777
[Bug 1596927] Re: Glance installation does not appear to detect admin role
Hi everyone,
Launchpad is for bug reports and fixes. I recommend you go to
ask.openstack.org or perhaps address your question in #openstack on
Freenode.
Once the issue "It seems that glance is not properly detecting the
admin-ness of the admin account, i.e. resolving that admin is in the
role admin. If I remove the "role:admin" from publicize_image in
/etc/glance/policy.json, the above command works." has been fixed in
Glance, we can reopen this and address this in the documentation.
Thanks,
Alex
** Changed in: openstack-manuals
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1596927
Title:
Glance installation does not appear to detect admin role
Status in Glance:
New
Status in openstack-manuals:
Invalid
Bug description:
Following the installation guide on Ubuntu 16.04 and using the provided Mitaka packages on new clean VM installation. Once I attempt to upload an image with the --public flag glance reports 403 Forbidden when using the admin account. (debug output at the end of the bug). Again this is using the ADMIN account who is in the ADMIN role of both the admin and service projects.
I'm guessing this is a documentation issue and somewhere along the
instructions something's not happenig in the right order.
It seems that glance is not properly detecting the admin-ness of the
admin account, i.e. resolving that admin is in the role admin. If I
remove the "role:admin" from publicize_image in
/etc/glance/policy.json, the above command works.
The username and password for the glance account in /etc/glance
/glance-api.conf and glance-registry.conf are correct. It seems that
only those operations that require the admin role are broken.
The admin user environment is set as:
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
The documented roles/projects/users are defined:
root@controller:~# openstack user list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 2c2f877dad19415aa2f3c410cc23f7f5 | glance |
| 4200ae4f41a24e1195f1fa1f2a6bc7c8 | admin |
| df223dbfc8534f089677da8002f084a2 | demo |
+----------------------------------+--------+
root@controller:~# openstack role list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 5958a2db1dec48a3ae8e01a2b5704080 | admin |
| d75766b685a943cca51c7869fe39ee09 | user |
+----------------------------------+-------+
root@controller:~# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 0e53ec33b2dd459999adcd0a4d432512 | admin |
| 24178e2444634949a96877a906ddc6f5 | demo |
| 62ce2aaa1a3b4c7c855d11af43eb26a9 | service |
+----------------------------------+---------+
root@controller:~# openstack role assignment list --names
+-------+----------------+-------+-----------------+--------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+-------+----------------+-------+-----------------+--------+-----------+
| admin | glance@default | | service@default | | False |
| admin | admin@default | | admin@default | | False |
| admin | admin@default | | service@default | | False |
| user | demo@default | | demo@default | | False |
+-------+----------------+-------+-----------------+--------+-----------+
Debug output:
root@controller:~# openstack --debug image create "cirros" --file cirros-0.3.4-x86_64-disk.img --disk-format qcow2 --container-format bare --public
START with options: ['--debug', 'image', 'create', 'cirros', '--file', 'cirros-0.3.4-x86_64-disk.img', '--disk-format', 'qcow2', '--container-format', 'bare', '--public']
options: Namespace(access_token_endpoint='', auth_type='', auth_url='http://controller:35357/v3', cacert='', client_id='', client_secret='***', cloud='', debug=True, default_domain='default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='', log_file=None, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='2', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', password='***', profile=None, project_domain_id='', project_domain_name='default', project_id='', project_name='admin', protocol='', region_name='', scope='', service_provider_endpoint='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='default', user_id='', username='admin', verbose_level=3, verify=None)
defaults: {u'auth_type': 'password', u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', 'api_timeout': None, u'baremetal_api_version': u'1', u'image_api_version': u'2', 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': u'1', u'interface': None, u'network_api_version': u'2', u'image_format': u'qcow2', u'key_manager_api_version': u'v1', u'metering_api_version': u'2', 'verify': True, u'identity_api_version': u'2.0', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', u'container_api_version': u'1', u'dns_api_version': u'2', u'object_store_api_version': u'1', u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', 'timing': False, u'network_api_version': u'2', u'image_format': u'qcow2', u'image_api_version': '2', 'verify': True, u'dns_api_version': u'2', u'object_store_api_version': u'1', 'verbose_level': 3, 'region_name': '', 'api_timeout': None, u'baremetal_api_version': u'1', 'auth': {'username': 'admin', 'project_name': 'admin', 'user_domain_name': 'default', 'auth_url': 'http://controller:35357/v3', 'password': '***', 'project_domain_name': 'default'}, 'default_domain': 'default', u'container_api_version': u'1', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': u'1', u'interface': None, 'cacert': None, u'key_manager_api_version': u'v1', u'metering_api_version': u'2', 'deferred_help': False, u'identity_api_version': '3', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
compute API version 2, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 2, cmd group openstack.volume.v2
identity API version 3, cmd group openstack.identity.v3
object_store API version 1, cmd group openstack.object_store.v1
command: image create -> openstackclient.image.v2.image.CreateImage
Auth plugin password selected
auth_type: password
Using auth plugin: password
Using parameters {'username': 'admin', 'project_name': 'admin', 'auth_url': 'http://controller:35357/v3', 'user_domain_name': 'default', 'password': '***', 'project_domain_name': 'default'}
Get auth_ref
REQ: curl -g -i -X GET http://controller:35357/v3 -H "Accept: application/json" -H "User-Agent: python-openstackclient keystoneauth1/2.4.0 python-requests/2.9.1 CPython/2.7.11+"
Starting new HTTP connection (1): controller
"GET /v3 HTTP/1.1" 200 250
RESP: [200] Content-Length: 250 Vary: X-Auth-Token X-Distribution: Ubuntu Connection: keep-alive Date: Tue, 28 Jun 2016 12:34:03 GMT Content-Type: application/json X-Openstack-Request-Id: req-ebcf407b-925f-4faa-903d-9b7032b38402
RESP BODY: {"version": {"status": "stable", "updated": "2016-04-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.6", "links": [{"href": "http://controller:35357/v3/";, "rel": "self"}]}}
Making authentication request to http://controller:35357/v3/auth/tokens
"POST /v3/auth/tokens HTTP/1.1" 201 1637
run(Namespace(checksum=None, columns=[], container_format='bare', copy_from=None, disk_format='qcow2', file='cirros-0.3.4-x86_64-disk.img', force=False, formatter='table', id=None, location=None, max_width=0, min_disk=None, min_ram=None, name='cirros', noindent=False, owner=None, prefix='', private=False, project=None, project_domain=None, properties=None, protected=False, public=True, size=None, store=None, tags=None, unprotected=False, variables=[], volume=None))
Instantiating identity client: <class 'keystoneclient.v3.client.Client'>
Instantiating image client: <class 'glanceclient.v2.client.Client'>
Making authentication request to http://controller:35357/v3/auth/tokens
"POST /v3/auth/tokens HTTP/1.1" 201 1637
Instantiating image api: <class 'openstackclient.api.image_v2.APIv2'>
curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}92f6b2faf82c0d8b4e80f7bef1e6e06aaf708bc8' -H 'Content-Type: application/octet-stream' http://controller:9292/v2/schemas/image
Starting new HTTP connection (1): controller
"GET /v2/schemas/image HTTP/1.1" 200 4141
HTTP/1.1 200 OK
Date: Tue, 28 Jun 2016 12:34:03 GMT
Connection: keep-alive
Content-Type: application/json; charset=UTF-8
Content-Length: 4141
X-Openstack-Request-Id: req-9e77c530-08c6-4108-8082-90815d5c49cf
{"additionalProperties": {"type": "string"}, "name": "image", "links":
[{"href": "{self}", "rel": "self"}, {"href": "{file}", "rel":
"enclosure"}, {"href": "{schema}", "rel": "describedby"}],
"properties": {"status": {"readOnly": true, "enum": ["queued",
"saving", "active", "killed", "deleted", "pending_delete",
"deactivated"], "type": "string", "description": "Status of the
image"}, "tags": {"items": {"type": "string", "maxLength": 255},
"type": "array", "description": "List of strings related to the
image"}, "kernel_id": {"pattern": "^([0-9a-fA-F]){8}-([0-9a-
fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$",
"type": ["null", "string"], "description": "ID of image stored in
Glance that should be used as the kernel when booting an AMI-style
image.", "is_base": false}, "container_format": {"enum": [null, "ami",
"ari", "aki", "bare", "ovf", "ova", "docker"], "type": ["null",
"string"], "description": "Format of the container"}, "min_ram":
{"type": "integer", "description": "Amount of ram (in MB) required to
boot image."}, "ramdisk_id": {"pattern": "^([0-9a-fA-F]){8}-([0-9a-
fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$",
"type": ["null", "string"], "description": "ID of image stored in
Glance that should be used as the ramdisk when booting an AMI-style
image.", "is_base": false}, "locations": {"items": {"required":
["url", "metadata"], "type": "object", "properties": {"url": {"type":
"string", "maxLength": 255}, "metadata": {"type": "object"}}}, "type":
"array", "description": "A set of URLs to access the image file kept
in external store"}, "visibility": {"enum": ["public", "private"],
"type": "string", "description": "Scope of image accessibility"},
"updated_at": {"readOnly": true, "type": "string", "description":
"Date and time of the last image modification"}, "owner": {"type":
["null", "string"], "description": "Owner of the image", "maxLength":
255}, "file": {"readOnly": true, "type": "string", "description": "An
image file url"}, "min_disk": {"type": "integer", "description":
"Amount of disk space (in GB) required to boot image."},
"virtual_size": {"readOnly": true, "type": ["null", "integer"],
"description": "Virtual size of image in bytes"}, "id": {"pattern":
"^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-
fA-F]){4}-([0-9a-fA-F]){12}$", "type": "string", "description": "An
identifier for the image"}, "size": {"readOnly": true, "type":
["null", "integer"], "description": "Size of image file in bytes"},
"instance_uuid": {"type": "string", "description": "Metadata which can
be used to record which instance this image is associated with.
(Informational only, does not create an instance snapshot.)",
"is_base": false}, "os_distro": {"type": "string", "description":
"Common name of operating system distribution as specified in
http://docs.openstack.org/trunk/openstack-compute/admin/content
/adding-images.html", "is_base": false}, "name": {"type": ["null",
"string"], "description": "Descriptive name for the image",
"maxLength": 255}, "checksum": {"readOnly": true, "type": ["null",
"string"], "description": "md5 hash of image contents.", "maxLength":
32}, "created_at": {"readOnly": true, "type": "string", "description":
"Date and time of image registration"}, "disk_format": {"enum": [null,
"ami", "ari", "aki", "vhd", "vmdk", "raw", "qcow2", "vdi", "iso",
"root-tar"], "type": ["null", "string"], "description": "Format of the
disk"}, "os_version": {"type": "string", "description": "Operating
system version as specified by the distributor", "is_base": false},
"protected": {"type": "boolean", "description": "If true, image will
not be deletable."}, "architecture": {"type": "string", "description":
"Operating system architecture as specified in
http://docs.openstack.org/trunk/openstack-compute/admin/content
/adding-images.html", "is_base": false}, "direct_url": {"readOnly":
true, "type": "string", "description": "URL to access the image file
kept in external store"}, "self": {"readOnly": true, "type": "string",
"description": "An image self url"}, "schema": {"readOnly": true,
"type": "string", "description": "An image schema url"}}}
curl -g -i -X POST -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' -H 'Connection: keep-alive' -H 'X-Auth-Token: {SHA1}92f6b2faf82c0d8b4e80f7bef1e6e06aaf708bc8' -H 'Content-Type: application/json' -d '{"container_format": "bare", "disk_format": "qcow2", "name": "cirros", "visibility": "public"}' http://controller:9292/v2/images
"POST /v2/images HTTP/1.1" 403 169
Request returned failure status 403.
403 Forbidden: You are not authorized to complete this action. (HTTP 403)
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
result = cmd.run(parsed_args)
File "/usr/lib/python2.7/dist-packages/openstackclient/common/command.py", line 38, in run
return super(Command, self).run(parsed_args)
File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
column_names, data = self.take_action(parsed_args)
File "/usr/lib/python2.7/dist-packages/openstackclient/image/v2/image.py", line 330, in take_action
image = image_client.images.create(**kwargs)
File "/usr/lib/python2.7/dist-packages/glanceclient/v2/images.py", line 235, in create
resp, body = self.http_client.post(url, data=image)
File "/usr/lib/python2.7/dist-packages/glanceclient/common/http.py", line 278, in post
return self._request('POST', url, **kwargs)
File "/usr/lib/python2.7/dist-packages/glanceclient/common/http.py", line 267, in _request
resp, body_iter = self._handle_response(resp)
File "/usr/lib/python2.7/dist-packages/glanceclient/common/http.py", line 83, in _handle_response
raise exc.from_response(resp, resp.content)
HTTPForbidden: 403 Forbidden: You are not authorized to complete this action. (HTTP 403)
clean_up CreateImage: 403 Forbidden: You are not authorized to complete this action. (HTTP 403)
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/openstackclient/shell.py", line 118, in run
ret_val = super(OpenStackShell, self).run(argv)
File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 255, in run
result = self.run_subcommand(remainder)
File "/usr/lib/python2.7/dist-packages/openstackclient/shell.py", line 153, in run_subcommand
ret_value = super(OpenStackShell, self).run_subcommand(argv)
File "/usr/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
result = cmd.run(parsed_args)
File "/usr/lib/python2.7/dist-packages/openstackclient/common/command.py", line 38, in run
return super(Command, self).run(parsed_args)
File "/usr/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
column_names, data = self.take_action(parsed_args)
File "/usr/lib/python2.7/dist-packages/openstackclient/image/v2/image.py", line 330, in take_action
image = image_client.images.create(**kwargs)
File "/usr/lib/python2.7/dist-packages/glanceclient/v2/images.py", line 235, in create
resp, body = self.http_client.post(url, data=image)
File "/usr/lib/python2.7/dist-packages/glanceclient/common/http.py", line 278, in post
return self._request('POST', url, **kwargs)
File "/usr/lib/python2.7/dist-packages/glanceclient/common/http.py", line 267, in _request
resp, body_iter = self._handle_response(resp)
File "/usr/lib/python2.7/dist-packages/glanceclient/common/http.py", line 83, in _handle_response
raise exc.from_response(resp, resp.content)
HTTPForbidden: 403 Forbidden: You are not authorized to complete this action. (HTTP 403)
-----------------------------------
Release: 0.1 on 2016-06-03 17:52
SHA: e3ed7ad89c1d8b0551c95e607443218397fbfac7
Source: http://git.openstack.org/cgit/openstack/openstack-manuals/tree/doc/install-guide/source/glance.rst
URL: http://docs.openstack.org/liberty/install-guide-ubuntu/glance.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1596927/+subscriptions
