yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #78263
[Bug 1827342] [NEW] Issue sharing an image with another project (something related to get_image_location)
Public bug reported:
I have a small Rocky installation where Glance is configured with 2
backends (old images use the 'file' backend while new ones use the rbd
backend, which is the default)
show_multiple_locations is true but I have modified the _image_location
policies. The used policy.json file is attached
If (as regular, non-admin user) I try to share a private image with another project I get an error message:
[sgaravat@lxsgaravat ~]$ glance member-list --image-id 3a4763d0-aa49-4389-9b8b-163206a8d671
+----------+-----------+--------+
| Image ID | Member ID | Status |
+----------+-----------+--------+
+----------+-----------+--------+
[sgaravat@lxsgaravat ~]$ openstack image add project 3a4763d0-aa49-4389-9b8b-163206a8d671 e81df4c0b493439abb8b85bfd4cbe071
403 Forbidden: Not allowed to create members for image 3a4763d0-aa49-4389-9b8b-163206a8d671. (HTTP 403)
But actually the operation succeeded:
[sgaravat@lxsgaravat ~]$ glance member-list --image-id 3a4763d0-aa49-4389-9b8b-163206a8d671
+--------------------------------------+----------------------------------+---------+
| Image ID | Member ID | Status |
+--------------------------------------+----------------------------------+---------+
| 3a4763d0-aa49-4389-9b8b-163206a8d671 | e81df4c0b493439abb8b85bfd4cbe071 | pending |
+--------------------------------------+----------------------------------+---------+
[sgaravat@lxsgaravat ~]$
This is what I see in the log file:
/var/log/glance/api.log:2019-05-02 10:01:57.069 8236 INFO eventlet.wsgi.server [req-7c7caee4-06cc-43f8-9716-a5e1a4a34d77 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:01:57] "GET /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671 HTTP/1.1" 200 991 0.628997
/var/log/glance/api.log:2019-05-02 10:01:57.199 8223 WARNING glance.api.v2.image_members [req-9aa61dda-012b-415c-b1c9-4ca2c90c8493 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a \
- default default] Not allowed to create members for image 3a4763d0-aa49-4389-9b8b-163206a8d671.: Forbidden: You are not authorized to complete get_image_location action.
/var/log/glance/api.log:2019-05-02 10:01:57.202 8223 INFO eventlet.wsgi.server [req-9aa61dda-012b-415c-b1c9-4ca2c90c8493 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:01:57] "POST /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671/members HTTP/1.1" 403 408 0.084475
/var/log/glance/api.log:2019-05-02 10:02:03.599 8238 INFO eventlet.wsgi.server [req-c807bbd7-924c-4d75-aea2-12da525f50ff ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:02:03] "GET /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671/members HTTP/1.1" 200 472 0.487064
I also attached the output of "openstack image show 3a4763d0-aa49-4389
-9b8b-163206a8d671" issued by this non-admin user
** Affects: glance
Importance: Undecided
Status: New
** Attachment added: "image-show-regular.txt"
https://bugs.launchpad.net/bugs/1827342/+attachment/5260796/+files/image-show-regular.txt
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1827342
Title:
Issue sharing an image with another project (something related to
get_image_location)
Status in Glance:
New
Bug description:
I have a small Rocky installation where Glance is configured with 2
backends (old images use the 'file' backend while new ones use the rbd
backend, which is the default)
show_multiple_locations is true but I have modified the
_image_location policies. The used policy.json file is attached
If (as regular, non-admin user) I try to share a private image with another project I get an error message:
[sgaravat@lxsgaravat ~]$ glance member-list --image-id 3a4763d0-aa49-4389-9b8b-163206a8d671
+----------+-----------+--------+
| Image ID | Member ID | Status |
+----------+-----------+--------+
+----------+-----------+--------+
[sgaravat@lxsgaravat ~]$ openstack image add project 3a4763d0-aa49-4389-9b8b-163206a8d671 e81df4c0b493439abb8b85bfd4cbe071
403 Forbidden: Not allowed to create members for image 3a4763d0-aa49-4389-9b8b-163206a8d671. (HTTP 403)
But actually the operation succeeded:
[sgaravat@lxsgaravat ~]$ glance member-list --image-id 3a4763d0-aa49-4389-9b8b-163206a8d671
+--------------------------------------+----------------------------------+---------+
| Image ID | Member ID | Status |
+--------------------------------------+----------------------------------+---------+
| 3a4763d0-aa49-4389-9b8b-163206a8d671 | e81df4c0b493439abb8b85bfd4cbe071 | pending |
+--------------------------------------+----------------------------------+---------+
[sgaravat@lxsgaravat ~]$
This is what I see in the log file:
/var/log/glance/api.log:2019-05-02 10:01:57.069 8236 INFO eventlet.wsgi.server [req-7c7caee4-06cc-43f8-9716-a5e1a4a34d77 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:01:57] "GET /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671 HTTP/1.1" 200 991 0.628997
/var/log/glance/api.log:2019-05-02 10:01:57.199 8223 WARNING glance.api.v2.image_members [req-9aa61dda-012b-415c-b1c9-4ca2c90c8493 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a \
- default default] Not allowed to create members for image 3a4763d0-aa49-4389-9b8b-163206a8d671.: Forbidden: You are not authorized to complete get_image_location action.
/var/log/glance/api.log:2019-05-02 10:01:57.202 8223 INFO eventlet.wsgi.server [req-9aa61dda-012b-415c-b1c9-4ca2c90c8493 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:01:57] "POST /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671/members HTTP/1.1" 403 408 0.084475
/var/log/glance/api.log:2019-05-02 10:02:03.599 8238 INFO eventlet.wsgi.server [req-c807bbd7-924c-4d75-aea2-12da525f50ff ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:02:03] "GET /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671/members HTTP/1.1" 200 472 0.487064
I also attached the output of "openstack image show 3a4763d0-aa49-4389
-9b8b-163206a8d671" issued by this non-admin user
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1827342/+subscriptions