Glance

  1. Bug #1799588
  2. Comment #3

Comment 3 for bug 1799588

Revision history for this message
Jonathan Mills (jonmills-t) wrote : Re: non-admin users can see all tenants' images even when image is private

Okay, we believe we understand the problem now.

According to the documentation (https://docs.openstack.org/glance/queens/configuration/glance_api.html), 'keystone' is the Default flavor of the [paste_deploy] section. In most other cases I've seen, when something is a default, it is safe to leave an INI section blank.

In our Queens (and Pike) configurations, we had a blank [paste_deploy] INI section. But we noticed that, in our older Mitaka rack, [paste_deploy] contained 'flavor = keystone'. After adding that value to [paste_deploy] in Queens, immediately image visibility works as expected.

Nevertheless, we still consider this a bug, either in the code or in the documentation. The docs must either insist that the use fill this in (or likely break the anticipated, normal behavior of Glance, and probably NOT say that Keystone is default); or the code needs to change to really use keystone as default in glance-api-paste.ini independent of any INI block or user intervention.

Thanks,

Jonathan