Updating image owner to someone else generates a non-intuitive 404 instead of 403

Bug #1541594 reported by Luke Wollney
Affects   Status   Importance   Assigned to   Milestone
Glance    New      Undecided    Bhargavi

Bug Description

When an image owner updates an image's owner to someone else, the update is prevented (which is a good thing), but with a 404 "Not Found" (not so good), instead of the 403 "Forbidden".

The reason Glance returns a 404 "Not Found" is that the image is re-fetched after being updated, but as the owner and user differ, the action is forbidden (which gets translated into a "not found" because under normal circumstances a forbidden would tip an attacker off to the existence of an image), and the update is never committed.
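
The check ordering the description reports, as a minimal model added here for illustration (it is not Glance's code; the dict store, `Context`, `lookup` and the two update functions are hypothetical stand-ins for Glance's database and policy layers, and a dict copy plays the uncommitted transaction):

```python
from dataclasses import dataclass, replace

class NotFound(Exception): pass   # 404: missing image, or one the caller may not learn exists
class Forbidden(Exception): pass  # 403: image is visible to the caller, but the action is denied

@dataclass(frozen=True)
class Image:
    id: str
    owner: str

@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool = False

def lookup(store: dict, ctx: Context, image_id: str) -> Image:
    # Policy layer (hypothetical): a non-admin may only see images it owns, and a
    # denied read is reported as 404 so probing cannot confirm a foreign image exists.
    img = store.get(image_id)
    if img is None or (not ctx.is_admin and img.owner != ctx.project_id):
        raise NotFound(f"No image found with ID {image_id}")
    return img

def update_owner_buggy(store: dict, ctx: Context, image_id: str, new_owner: str) -> None:
    # Ordering from the report: patch, re-fetch the patched image through the policy
    # layer, then commit. The caller no longer owns it, so the 404 mapping fires.
    txn = dict(store)                                                  # uncommitted copy
    txn[image_id] = replace(lookup(store, ctx, image_id), owner=new_owner)
    lookup(txn, ctx, image_id)            # NotFound for a non-admin: 404 instead of 403
    store.update(txn)                     # not reached: the update is never committed

def update_owner_fixed(store: dict, ctx: Context, image_id: str, new_owner: str) -> None:
    # Evaluate the owner-change rule against the current image before applying it:
    # a non-admin gets an explicit 403 and the existence-hiding rule is not involved.
    img = lookup(store, ctx, image_id)
    if new_owner != img.owner and not ctx.is_admin:
        raise Forbidden("Owner can't be updated by non admin.")
    store[image_id] = replace(img, owner=new_owner)

def http_status(fn, *args) -> int:
    # Map the model's outcome to the status code the API would return.
    try:
        fn(*args)
        return 200
    except Forbidden:
        return 403
    except NotFound:
        return 404
```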

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Hi Luke,

 $ glance --version
 1.2.0

 $ glance image-update --owner e1d44906a6424485b8600f81af2c60c1 92774b17-2b8e-4058-b6b0-0a851fed35c7
 403 Forbidden: Access was denied to this resource.: Owner can't be updated by non admin. (HTTP 403)

Can you provide more info on reproducing? Thanks.

Revision history for this message
Luke Wollney (luke-wollney) wrote :

Hey Stuart,

Here are some steps to reproduce:

1) Create/Import an image that contains a valid owner id (it should be the id of the user that created/imported the image)

2) Update the image via the add operation, passing in the owner image property and a different (even randomly generated) id:
curl -i <endpoint>/v2/images/<image_id> -X PATCH -H "Content-Type: application/openstack-images-v2.1-json-patch" -H "Accept: application/json" -H "X-Auth-Token: <token>" -d '[{"path": "/owner", "value": "<random_owner_id>", "op": "add"}]'

3) Notice that a 404 response is returned:
404 Not Found
No image found with ID <image_id>

Hopefully this info helps. Thank you!

Changed in glance:
assignee: nobody → Mohammed Ashraf (mohammed-asharaf)
Revision history for this message
Bhargavi (challa-bhargavi1) wrote :

I have a Kilo setup, in which the glance version is 0.15.0.

Can you please confirm the release of OpenStack?

Changed in glance:
assignee: Mohammed Ashraf (mohammed-asharaf) → Bhargavi (challa-bhargavi1)
Revision history for this message
Bhargavi (challa-bhargavi1) wrote :

We tried to reproduce the issue using the sequence below; however, we were not able to reproduce it.

1. glance image-list
+--------------------------------------+---------------------+
| ID                                   | Name                |
+--------------------------------------+---------------------+
| 80662b56-b9b1-4ea6-917b-8b4b649658bb | cirros-0.3.4-x86_64 |
+--------------------------------------+---------------------+

2. glance image-show 80662b56-b9b1-4ea6-917b-8b4b649658bb

+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | ee1eca47dc88f4879d8a229cc70a07c6     |
| container_format | bare                                 |
| created_at       | 2016-03-08T13:35:01Z                 |
| disk_format      | qcow2                                |
| id               | 80662b56-b9b1-4ea6-917b-8b4b649658bb |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | cirros-0.3.4-x86_64                  |
| owner            | e3b23ca7a1fb4981b80268c2f1c4e352     |
| protected        | FALSE                                |
| size             | 13287936                             |
| status           | active                               |
| tags             | []                                   |
| updated_at       | 2016-03-08T13:35:01Z                 |
| virtual_size     | None                                 |
| visibility       | public                               |
+------------------+--------------------------------------+

3. When I use the glance endpoint:
curl -i http://hostname:9292/v2/images/80662b56-b9b1-4ea6-917b-8b4b649658bb -X PATCH -H "Content-Type: application/openstack-images-v2.1-json-patch" -H "Accept: application/json" -H "X-Auth-Token: 358af5f9d8c14637a5729443e1363220" -d '[{"path": "/owner", "value": "1234", "op": "add"}]'

HTTP/1.1 403 Forbidden
Content-Length: 50
Content-Type: text/plain; charset=UTF-8
X-Openstack-Request-Id: req-7b12bb24-2818-4cb6-baea-951ad7a6804a
Date: Wed, 09 Mar 2016 08:54:17 GMT

403 Forbidden

Attribute 'owner' is reserved.

4. When I use the keystone endpoint:

curl -i http://bhagi:5000/v2/images/80662b56-b9b1-4ea6-917b-8b4b649658bb -X PATCH -H "Content-Type: application/openstack-images-v2.1-json-patch" -H "Accept: application/json" -H "X-Auth-Token: 358af5f9d8c14637a5729443e1363220" -d '[{"path": "/owner", "value": "1234", "op": "add"}]'
HTTP/1.1 404 Not Found
Date: Wed, 09 Mar 2016 08:53:26 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: X-Auth-Token
X-Distribution: Ubuntu
Content-Length: 93
Content-Type: application/json

{"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}}

Can you please provide the dumps for the above commands when you are seeing the issue?

Revision history for this message
Bhargavi (challa-bhargavi1) wrote :

When I was updating the image owner id I was getting a forbidden error (403) in the Kilo version (both admin and non-admin).

But updating the image owner id works fine with Liberty (admin), as a similar bug was raised in Liberty and it was fixed. So, the image owner id is updating properly for admin.

liberty bug : https://bugs.launchpad.net/glance/+bug/1420008

Can you say whether it should result in an error (403) or update properly with a random owner id?

Bhargavi (bhargavi-c81)
Changed in glance:
assignee: Bhargavi (challa-bhargavi1) → Bhargavi (bhargavi-c81)