Glance requires read permissions on RBD volumes pool to check for children
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | New | Undecided | Unassigned |
Bug Description
When Glance tries to delete an image from the RBD/Ceph backend, it checks if any children exist for that image (see https:/
However, if we create a volume from an image, the children are part of the 'volumes' pool.
If we follow the Glance setup guide, we only grant permissions for the 'images' pool, but not for the 'volumes' pool (see https:/
This causes image deletion to fail with an internal server error due to missing permissions:
rbd.PermissionE
To circumvent this issue, the glance client requires read access on the 'volumes' pool. There may also be more finely tuned permissions that allow glance to check for existing children, which I am not aware of.
Either way, the documentation should reflect this.
There also is documentation at Ceph on how to configure the required users and their permissions for OpenStack Glance and Cinder: https://docs.ceph.com/en/latest/rbd/rbd-openstack/#setup-ceph-client-authentication
They also promote using their managed capabilities called "profiles", such as "rbd" or "rbd-readonly", instead of raw ACLs such as "rwx". See https://docs.ceph.com/en/latest/rados/operations/user-management/#authorization-capabilities. This also differs in the Cinder / Glance documentation.
This makes a great difference, as "such privileges include the ability to blocklist other client users", which is required for locks of stale RBD clients to be removed from images; see https://docs.ceph.com/en/latest/rbd/rbd-exclusive-locks/#rbd-exclusive-locks.
It would be awesome if the documentation could be aligned and have the most sensible defaults.
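As an added illustration (not code from the bug report, Glance or Ceph), the following audit models the subset of the Ceph OSD capability grammar discussed above and reports which pools a glance key still cannot read; the pool names follow the report, while the two sample cap strings and the helper names are constructed for this example.

```python
"""Added audit of a Ceph client's OSD caps for the Glance RBD child-check case.
Constructed example (not Glance/Ceph code) modelling the cap grammar subset:
  allow <rwx|*> [class-read] [class-write] [pool=<p>] | profile <name> [pool=<p>]
"""
import re
from typing import List, Optional, Tuple

# Pools Glance must read to enumerate an image's children (per the report:
# 'images' holds the parent, 'volumes' holds Cinder clones).
POOLS_NEEDING_READ = ("images", "volumes")

# Managed profiles implying read access. The report writes "rbd-readonly";
# current Ceph docs spell it "rbd-read-only", so both are accepted.
READ_PROFILES = {"rbd", "rbd-readonly", "rbd-read-only"}

GRANT_RE = re.compile(
    r"^(?:allow\s+(?P<perms>(?:[rwx]+|\*)(?:\s+class-(?:read|write))*)"
    r"|profile\s+(?P<profile>[\w-]+))"
    r"(?:\s+pool=(?P<pool>[^\s,]+))?(?:\s+namespace=[^\s,]+)?$"
)

# A grant is (read_allowed, pool); pool None means not restricted to one pool.
Grant = Tuple[bool, Optional[str]]

def parse_osd_caps(caps: str) -> List[Grant]:
    """Split a comma-separated OSD cap string into (read, pool) grants."""
    grants: List[Grant] = []
    for raw in (g.strip() for g in caps.split(",") if g.strip()):
        m = GRANT_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised OSD cap grant: {raw!r}")
        if m.group("profile") is not None:
            read = m.group("profile") in READ_PROFILES
        else:
            read = "r" in m.group("perms") or "*" in m.group("perms")
        grants.append((read, m.group("pool")))
    return grants

def missing_read_pools(osd_caps: str, pools=POOLS_NEEDING_READ) -> List[str]:
    """Return the pools in `pools` that no grant lets this key read."""
    grants = parse_osd_caps(osd_caps)
    return [p for p in pools
            if not any(read and pool in (None, p) for read, pool in grants)]

# Constructed cap strings: the setup-guide shape the report describes, and a fix.
GUIDE_ONLY_CAPS = "allow rwx pool=images"
FIXED_CAPS = "profile rbd pool=images, profile rbd-read-only pool=volumes"
```

Feed it the `osd` cap string shown by `ceph auth get client.glance`; an empty result means every pool the child check touches is readable.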