yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1827342] [NEW] Issue sharing an image with another project (something related to get_image_location)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: "massimo.sgaravatto" <massimo.sgaravatto@xxxxxxxxx>
Date: Thu, 02 May 2019 08:24:27 -0000
Reply-to: Bug 1827342 <1827342@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Public bug reported:

I have a small Rocky installation where Glance is configured with 2
backends (old images use the 'file' backend while new ones use the rbd
backend, which is the default)

show_multiple_locations  is true but I have modified the _image_location
policies. The used policy.json file is attached


If (as regular, non-admin user) I try to share a private image with another project I get an error message:


 [sgaravat@lxsgaravat ~]$ glance member-list --image-id 3a4763d0-aa49-4389-9b8b-163206a8d671
+----------+-----------+--------+
| Image ID | Member ID | Status |
+----------+-----------+--------+
+----------+-----------+--------+

[sgaravat@lxsgaravat ~]$ openstack image add project 3a4763d0-aa49-4389-9b8b-163206a8d671 e81df4c0b493439abb8b85bfd4cbe071
403 Forbidden: Not allowed to create members for image 3a4763d0-aa49-4389-9b8b-163206a8d671. (HTTP 403)


But actually the operation succeeded:

[sgaravat@lxsgaravat ~]$ glance member-list --image-id 3a4763d0-aa49-4389-9b8b-163206a8d671
+--------------------------------------+----------------------------------+---------+
| Image ID                             | Member ID                        | Status  |
+--------------------------------------+----------------------------------+---------+
| 3a4763d0-aa49-4389-9b8b-163206a8d671 | e81df4c0b493439abb8b85bfd4cbe071 | pending |
+--------------------------------------+----------------------------------+---------+
[sgaravat@lxsgaravat ~]$


This is what I see in the log file:

/var/log/glance/api.log:2019-05-02 10:01:57.069 8236 INFO eventlet.wsgi.server [req-7c7caee4-06cc-43f8-9716-a5e1a4a34d77 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:01:57] "GET /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671 HTTP/1.1" 200 991 0.628997
/var/log/glance/api.log:2019-05-02 10:01:57.199 8223 WARNING glance.api.v2.image_members [req-9aa61dda-012b-415c-b1c9-4ca2c90c8493 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a \
- default default] Not allowed to create members for image 3a4763d0-aa49-4389-9b8b-163206a8d671.: Forbidden: You are not authorized to complete get_image_location action.
/var/log/glance/api.log:2019-05-02 10:01:57.202 8223 INFO eventlet.wsgi.server [req-9aa61dda-012b-415c-b1c9-4ca2c90c8493 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:01:57] "POST /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671/members HTTP/1.1" 403 408 0.084475
/var/log/glance/api.log:2019-05-02 10:02:03.599 8238 INFO eventlet.wsgi.server [req-c807bbd7-924c-4d75-aea2-12da525f50ff ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:02:03] "GET /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671/members HTTP/1.1" 200 472 0.487064


I also attached the output of "openstack image show 3a4763d0-aa49-4389
-9b8b-163206a8d671" issued by this non-admin user

** Affects: glance
     Importance: Undecided
         Status: New

** Attachment added: "image-show-regular.txt"
   https://bugs.launchpad.net/bugs/1827342/+attachment/5260796/+files/image-show-regular.txt

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1827342

Title:
  Issue sharing an image with another project (something related to
  get_image_location)

Status in Glance:
  New

Bug description:
  I have a small Rocky installation where Glance is configured with 2
  backends (old images use the 'file' backend while new ones use the rbd
  backend, which is the default)

  show_multiple_locations  is true but I have modified the
  _image_location policies. The used policy.json file is attached

  
  If (as regular, non-admin user) I try to share a private image with another project I get an error message:

  
   [sgaravat@lxsgaravat ~]$ glance member-list --image-id 3a4763d0-aa49-4389-9b8b-163206a8d671
  +----------+-----------+--------+
  | Image ID | Member ID | Status |
  +----------+-----------+--------+
  +----------+-----------+--------+

  [sgaravat@lxsgaravat ~]$ openstack image add project 3a4763d0-aa49-4389-9b8b-163206a8d671 e81df4c0b493439abb8b85bfd4cbe071
  403 Forbidden: Not allowed to create members for image 3a4763d0-aa49-4389-9b8b-163206a8d671. (HTTP 403)

  
  But actually the operation succeeded:

  [sgaravat@lxsgaravat ~]$ glance member-list --image-id 3a4763d0-aa49-4389-9b8b-163206a8d671
  +--------------------------------------+----------------------------------+---------+
  | Image ID                             | Member ID                        | Status  |
  +--------------------------------------+----------------------------------+---------+
  | 3a4763d0-aa49-4389-9b8b-163206a8d671 | e81df4c0b493439abb8b85bfd4cbe071 | pending |
  +--------------------------------------+----------------------------------+---------+
  [sgaravat@lxsgaravat ~]$

  
  This is what I see in the log file:

  /var/log/glance/api.log:2019-05-02 10:01:57.069 8236 INFO eventlet.wsgi.server [req-7c7caee4-06cc-43f8-9716-a5e1a4a34d77 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
  default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:01:57] "GET /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671 HTTP/1.1" 200 991 0.628997
  /var/log/glance/api.log:2019-05-02 10:01:57.199 8223 WARNING glance.api.v2.image_members [req-9aa61dda-012b-415c-b1c9-4ca2c90c8493 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a \
  - default default] Not allowed to create members for image 3a4763d0-aa49-4389-9b8b-163206a8d671.: Forbidden: You are not authorized to complete get_image_location action.
  /var/log/glance/api.log:2019-05-02 10:01:57.202 8223 INFO eventlet.wsgi.server [req-9aa61dda-012b-415c-b1c9-4ca2c90c8493 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
  default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:01:57] "POST /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671/members HTTP/1.1" 403 408 0.084475
  /var/log/glance/api.log:2019-05-02 10:02:03.599 8238 INFO eventlet.wsgi.server [req-c807bbd7-924c-4d75-aea2-12da525f50ff ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
  default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:02:03] "GET /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671/members HTTP/1.1" 200 472 0.487064


  I also attached the output of "openstack image show 3a4763d0-aa49-4389
  -9b8b-163206a8d671" issued by this non-admin user

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1827342/+subscriptions