Shared image shows as private

Hi Stuart,

I think it would be less confusing if the visibility had more values than private and public although it seems to be as designed and in align with v1 (public or not; public or private). http://docs.openstack.org/developer/glance/glanceapi.html#image-membership-changes-in-version-2-0 does not specify any visibilities but what it states is that the status should be accepted (in your example that is active which is IMO wrong).

> the status should be accepted (in your example that is active which is IMO wrong).

The image status (active, queued, killed...) is not the same as member status (accepted, pending ...).
'accepted' is not a valid image status.

Is that design decision, bug on client or bug on glance that it's not shown?

I debugged the glanceclient code and found that response from glance sends image list based on its status whether private or public. It doesnot have shared status. Now when we try: 'glance --os-image-api-version 2 image-list --visibility private', it checks for all images that are private and displays them.

Like,
I have two tenants:

admin and test

admin have one private image i.e. admin_private

test have one private image i.e. test_private

>>source openrc admin admin
>>glance member-create <admin_private_id> <test_id>

Now, 'glance --os-image-api-version 2 image-list --visibility private' will show all the private images that admin tenant can access, as the image that is shared is also a private image so it is listed under the private category.

Seem like this is fixed in recent version

Until Ocata, there were only two image visibility values: 'private' and 'public'. Thus a shared image had visibility 'private' because it was not a public image.

The confusing aspect is that the image-list filter in the Image API v2 that's used to list shared images is: GET v2/images?visibility=shared ... but none of the images in that list actually had 'visibility' == 'shared'.

This is being changed in Ocata. As part of the community images implementation, the values for 'visibility' are being expanded to {'public', 'private', 'shared', 'community'}. So with the Ocata release, the visibility of a shared image will be 'shared'.

This is being fixed as part of the Community Images implementation. In order to introduce 'community' visibility, we finally had to tackle making image visibility semantics coherent.

This is documented in the spec [0] (see, in particular, 'other end user impact'). It is also discussed at great length in the patch that updated the spec [1] (the update concerned what the default value for visibility should be).

There has also been extensive discussion on the openstack-dev ML about the propriety of the change necessary to address this bug. It's been discussed with the API-WG (3 times [2,3,4], plus appearances in the API-WG newsletter), and with operators (we took a survey [5]), and the general community (see, e.g., [6]).

[0] http://specs.openstack.org/openstack/glance-specs/specs/newton/approved/glance/community_visibility.html
[1] https://review.openstack.org/#/c/396919/
[2] http://eavesdrop.openstack.org/meetings/api_wg/2016/api_wg.2016-06-09-15.59.log.html#l-84
[3] http://eavesdrop.openstack.org/meetings/api_wg/2017/api_wg.2017-01-05-16.00.log.html#l-19
[4] http://eavesdrop.openstack.org/meetings/api_wg/2017/api_wg.2017-01-12-16.00.log.html#l-103
[5] http://lists.openstack.org/pipermail/openstack-operators/2016-November/012107.html
[6] http://lists.openstack.org/pipermail/openstack-dev/2016-November/107349.html

Reviewed: https://review.openstack.org/369110
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=265659e8c34865331568b069fdb27ea272df4eaa
Submitter: Jenkins
Branch: master

commit 265659e8c34865331568b069fdb27ea272df4eaa
Author: Timothy Symanczyk <email address hidden>
Date: Sat Sep 3 07:57:50 2016 -0700

    Implement and Enable Community Images

    This change replaces the existing boolean 'is_public' column for
    the 'images' table with enum 'visibility' column featuring the
    four explicit visibility values - public, private, shared,
    and community.

    This change also implements and enables all backend code to
    utilize the new values.

    Co-Authored-By: Timothy Symanczyk <email address hidden>
    Co-Authored-By: Dharini Chandrasekar <email address hidden>

    Implements: blueprint community-level-v2-image-sharing
    Closes-Bug: #1394299
    Closes-Bug: #1452443
    Depends-On: I6e3268f3712cbc0aadb51d204c694023b92d55a5
    Change-Id: I94bc7708b291ce37319539e27b3e88c9a17e1a9f

This issue was fixed in the openstack/glance 14.0.0.0b3 development milestone.