Glance

After sharing an image with consumer, owner id is assigned as consumer project id

Bug #1800689 reported by Chhavi Agarwal on 2018-10-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Glance	Invalid	Undecided	Unassigned

Bug Description

[root@ip9-114-192-143 ~]# openstack image show rhel-svc
---------------------------------------------------------------+
| checksum | d41d8cd98f00b204e9800998ecf8427e |
| container_format | bare |
| created_at | 2018-10-30T13:32:25Z |
| disk_format | raw |
| file | /v2/images/8fa5a8c6-150b-49c0-88f0-b6a6fa8849b0/file |
| id | 8fa5a8c6-150b-49c0-88f0-b6a6fa8849b0 |
| min_disk | 1 |
| min_ram | 0 |
| name | rhel-svc |
| owner | bf46fb095af344739bf78cdbba7df022 |
| properties | architecture='ppc64', bdm_v2='true', block_device_mapping='[{"guest_format":null,"boot_index":0,"no_device":null,"image_id":null,"volume_id":"5029cb07-3869-4bf5-8f05-5d4dda91bda1","disk_bus":null,"volume_size":null,"source_type":"volume","device_type":"disk","snapshot_id":null,"destination_type":"volume","delete_on_termination":true}]', endianness='big-endian', hypervisor_type='phyp', os_distro='rhel', root_device_name='/dev/sda' |
| protected | False |
| schema | /v2/schemas/image |
| size | 0 |
| status | active |
| tags | |
| updated_at | 2018-10-30T13:32:26Z |
| virtual_size | None |
| visibility | private |

[root@ip9-114-192-143 ~]# openstack image set rhel-svc --shared
[root@ip9-114-192-143 ~]#

On consumer accepting the project
[bob@ip9-114-192-143 ~]$ openstack image set --accept --project b90df91061e44d8ab7fbf3deb1ba2b3b rhel-svc
[bob@ip9-114-192-143 ~]$

Setting the owner_id for the consumer project id
[bob@ip9-114-192-143 ~]$ openstack image show rhel-svc | grep owner
| owner | b90df91061e44d8ab7fbf3deb1ba2b3b |
[bob@ip9-114-192-143 ~]$

Openstack stable/queens

Revision history for this message

Brian Rosmaita (brian-rosmaita) wrote on 2018-10-30:

This is not a Glance bug. Possibly an openstackclient bug.

Changed in glance:
status:	New → Invalid

Revision history for this message

Brian Rosmaita (brian-rosmaita) wrote on 2018-10-30:

Download full text (7.2 KiB)

I cannot reproduce this problem using normal user credentials. I can get something like this to happen using admin credentials, but it's possible that that is correct behavior.

Here's the setup to get in the situation Chhavi describes:

As the 'demo' user:

# Share image with alt_demo project
demo! glance member-create 87208f0f-e484-4872-8ad5-9c94ba307d5b 11a13bbd46e34419b07bc4e42929285c
+--------------------------------------+----------------------------------+---------+
| Image ID | Member ID | Status |
+--------------------------------------+----------------------------------+---------+
| 87208f0f-e484-4872-8ad5-9c94ba307d5b | 11a13bbd46e34419b07bc4e42929285c | pending |
+--------------------------------------+----------------------------------+---------+

OK, now we go ahead and use openstackclient to change the status to 'accepted'.
This is done by the admin user. Call should fail otherwise (though I didn't check all permutations).

call being made: openstack image set --accept --project 11a13bbd46e34419b07bc4e42929285c ShareTest

When this call is made by an admin, should change the member-status to 'accepted' for the specified project
(Full output at http://paste.openstack.org/show/733660/ -- I removed auth and schema calls)

admin! openstack --debug image set --accept --project 11a13bbd46e34419b07bc4e42929285c ShareTest
START with options: [u'--debug', u'image', u'set', u'--accept', u'--project', u'11a13bbd46e34419b07bc4e42929285c', u'ShareTest']
options: Namespace(... project_domain_id='default', project_name='admin', user_domain_id='default', u...

I cannot reproduce this problem using normal user credentials.  I can get something like this to happen using admin credentials, but it's possible that that is correct behavior.

Here's the setup to get in the situation Chhavi describes:

As the 'demo' user:

# Share image with alt_demo project
demo! glance member-create 87208f0f-e484-4872-8ad5-9c94ba307d5b 11a13bbd46e34419b07bc4e42929285c
+--------------------------------------+----------------------------------+---------+
| Image ID                             | Member ID                        | Status  |
+--------------------------------------+----------------------------------+---------+
| 87208f0f-e484-4872-8ad5-9c94ba307d5b | 11a13bbd46e34419b07bc4e42929285c | pending |
+--------------------------------------+----------------------------------+---------+

OK, now we go ahead and use openstackclient to change the status to 'accepted'.
This is done by the admin user.  Call should fail otherwise (though I didn't check all permutations).

call being made: openstack image set --accept --project 11a13bbd46e34419b07bc4e42929285c ShareTest

When this call is made by an admin, should change the member-status to 'accepted' for the specified project
(Full output at http://paste.openstack.org/show/733660/ -- I removed auth and schema calls)

# Here the OSC gets the image list to find the one named 'ShareTest'.  Note the
# owner is 4d0255bb8ac04dcf9fc0f53126c88cde

https://192.168.122.14:9292 "GET /v2/images?limit=20 HTTP/1.1" 200 2441
GET call to image for https://192.168.122.14:9292/v2/images?limit=20 used request id req-db9e4d0a-798d-4ddb-bfc3-2616045f387d

HTTP/1.1 200 OK
{"images": [{
	    "container_format": "bare",
	    "min_ram": 0,
	    "updated_at": "2018-10-30T18:36:49Z",
	    "file": "/v2/images/87208f0f-e484-4872-8ad5-9c94ba307d5b/file",
	    "owner": "4d0255bb8ac04dcf9fc0f53126c88cde",
	    "id": "87208f0f-e484-4872-8ad5-9c94ba307d5b",
	    "size": 13267968,
	    "self": "/v2/images/87208f0f-e484-4872-8ad5-9c94ba307d5b",
	    "disk_format": "qcow2",
	    "os_hash_algo": "sha512",
	    "schema": "/v2/schemas/image",
	    "status": "active",
	    "tags": [],
	    "visibility": "shared",
	    "min_disk": 0,
	    "virtual_size": null,
	    "name": "ShareTest", }]}

# Now the OSC does the image member status change call

https://192.168.122.14:9292 "PUT /v2/images/87208f0f-e484-4872-8ad5-9c94ba307d5b/members/11a13bbd46e34419b07bc4e42929285c HTTP/1.1" 200 231
PUT call to image for https://192.168.122.14:9292/v2/images/87208f0f-e484-4872-8ad5-9c94ba307d5b/members/11a13bbd46e34419b07bc4e42929285c used request id req-f890088a-39f8-4231-ad8e-d05bc3e4f89f

HTTP/1.1 200 OK
{"status": "accepted",
"created_at": "2018-10-30T18:37:23Z",
"updated_at": "2018-10-30T18:38:00Z",
"image_id": "87208f0f-e484-4872-8ad5-9c94ba307d5b",
"member_id": "11a13bbd46e34419b07bc4e42929285c",
"schema": "/v2/schemas/member"}

https://192.168.122.14:9292 "GET /v2/images/87208f0f-e484-4872-8ad5-9c94ba307d5b HTTP/1.1" 200 782
GET call to image for https://192.168.122.14:9292/v2/images/87208f0f-e484-4872-8ad5-9c94ba307d5b used request id req-beb6e0a3-3b96-4dcb-b40e-3f496a83b858

# Here the OSC does a image-show request.  Not sure why, but note that the
# owner is still 4d0255bb8ac04dcf9fc0f53126c88cde

HTTP/1.1 200 OK
{"container_format": "bare",
"min_ram": 0,
"updated_at": "2018-10-30T18:36:49Z",
"file": "/v2/images/87208f0f-e484-4872-8ad5-9c94ba307d5b/file",
"owner": "4d0255bb8ac04dcf9fc0f53126c88cde",
"id": "87208f0f-e484-4872-8ad5-9c94ba307d5b",
"size": 13267968,
"self": "/v2/images/87208f0f-e484-4872-8ad5-9c94ba307d5b",
"disk_format": "qcow2",
"os_hash_algo": "sha512",
"schema": "/v2/schemas/image",
"status": "active",
"tags": [], "visibility": "shared",
"min_disk": 0,
"virtual_size": null,
"name": "ShareTest"}

# OK here is where the trouble starts.  An admin can use the image-set call with
# the --project option to change the owner of an image, and that's what it does
# now by making a PATCH call to replace the 'owner' property of the image
curl -g -i -X PATCH -H 'Content-Type: application/openstack-images-v2.1-json-patch'
  -d '[{"path": "/owner", "value": "11a13bbd46e34419b07bc4e42929285c", "op": "replace"}]'
  https://192.168.122.14:9292/v2/images/87208f0f-e484-4872-8ad5-9c94ba307d5b
https://192.168.122.14:9292 "PATCH /v2/images/87208f0f-e484-4872-8ad5-9c94ba307d5b HTTP/1.1" 200 782
PATCH call to image for https://192.168.122.14:9292/v2/images/87208f0f-e484-4872-8ad5-9c94ba307d5b used request id req-b1789f4e-29b1-4705-acc2-cef5f88b2ffa

# Note the new owner in the response to the PATCH call

HTTP/1.1 200 OK
{"container_format": "bare",
"min_ram": 0,
"updated_at": "2018-10-30T18:38:00Z",
"file": "/v2/images/87208f0f-e484-4872-8ad5-9c94ba307d5b/file",
"owner": "11a13bbd46e34419b07bc4e42929285c",
"id": "87208f0f-e484-4872-8ad5-9c94ba307d5b",
etc.

clean_up SetImage: 
END return value: 0

Revision history for this message

Brian Rosmaita (brian-rosmaita) wrote on 2018-10-30:

This could be a openstackclient bug. The point of this call:

openstack image set --accept --project 11a13bbd46e34419b07bc4e42929285c ShareTest

seems to be to allow an admin to change the member status of an image member, which is a useful thing to do. But the current implementation has the side effect of also changing the image owner.

Info:
OSC version: openstack 3.16.1
I did all the above in an S-1 devstack.

Revision history for this message

Brian Rosmaita (brian-rosmaita) wrote on 2018-10-30:

python-openstackclient tracks bugs in Storyboard. I filed a story for this:
https://storyboard.openstack.org/#!/story/2004214

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.