Glance

Issue sharing an image with another project (something related to get_image_location)

Bug #1827342 reported by massimo.sgaravatto
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Glance
New
Undecided
Unassigned

Bug Description

I have a small Rocky installation where Glance is configured with 2 backends (old images use the 'file' backend while new ones use the rbd backend, which is the default)

show_multiple_locations is true but I have modified the _image_location policies. The used policy.json file is attached

If (as regular, non-admin user) I try to share a private image with another project I get an error message:

 [sgaravat@lxsgaravat ~]$ glance member-list --image-id 3a4763d0-aa49-4389-9b8b-163206a8d671
+----------+-----------+--------+
| Image ID | Member ID | Status |
+----------+-----------+--------+
+----------+-----------+--------+

[sgaravat@lxsgaravat ~]$ openstack image add project 3a4763d0-aa49-4389-9b8b-163206a8d671 e81df4c0b493439abb8b85bfd4cbe071
403 Forbidden: Not allowed to create members for image 3a4763d0-aa49-4389-9b8b-163206a8d671. (HTTP 403)

But actually the operation succeeded:

[sgaravat@lxsgaravat ~]$ glance member-list --image-id 3a4763d0-aa49-4389-9b8b-163206a8d671
+--------------------------------------+----------------------------------+---------+
| Image ID | Member ID | Status |
+--------------------------------------+----------------------------------+---------+
| 3a4763d0-aa49-4389-9b8b-163206a8d671 | e81df4c0b493439abb8b85bfd4cbe071 | pending |
+--------------------------------------+----------------------------------+---------+
[sgaravat@lxsgaravat ~]$

This is what I see in the log file:

/var/log/glance/api.log:2019-05-02 10:01:57.069 8236 INFO eventlet.wsgi.server [req-7c7caee4-06cc-43f8-9716-a5e1a4a34d77 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:01:57] "GET /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671 HTTP/1.1" 200 991 0.628997
/var/log/glance/api.log:2019-05-02 10:01:57.199 8223 WARNING glance.api.v2.image_members [req-9aa61dda-012b-415c-b1c9-4ca2c90c8493 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a \
- default default] Not allowed to create members for image 3a4763d0-aa49-4389-9b8b-163206a8d671.: Forbidden: You are not authorized to complete get_image_location action.
/var/log/glance/api.log:2019-05-02 10:01:57.202 8223 INFO eventlet.wsgi.server [req-9aa61dda-012b-415c-b1c9-4ca2c90c8493 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:01:57] "POST /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671/members HTTP/1.1" 403 408 0.084475
/var/log/glance/api.log:2019-05-02 10:02:03.599 8238 INFO eventlet.wsgi.server [req-c807bbd7-924c-4d75-aea2-12da525f50ff ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default \
default] 193.205.157.174,192.168.60.229 - - [02/May/2019 10:02:03] "GET /v2/images/3a4763d0-aa49-4389-9b8b-163206a8d671/members HTTP/1.1" 200 472 0.487064

I also attached the output of "openstack image show 3a4763d0-aa49-4389-9b8b-163206a8d671" issued by this non-admin user

Revision history for this message
massimo.sgaravatto (massimo-sgaravatto) wrote :
Revision history for this message
massimo.sgaravatto (massimo-sgaravatto) wrote :
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.