the owner field in glance is tenant_name
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | Glance |
Critical
|
Brian Waldon | ||
| | OpenStack Dashboard (Horizon) |
Critical
|
Gabriel Hurley | ||
Bug Description
Glance is reporting the owner of the image as tenant_name instead of tenant_id. I checked the mysql table and it is storing the name as well. I think this is incorrect, because the name of a tenant could be changed which would cause them to lose all of their images in glance.
| Jay Pipes (jaypipes) wrote : | #1 |
| Changed in glance: | |
| status: | New → Triaged |
| importance: | Undecided → Critical |
| assignee: | nobody → Jay Pipes (jaypipes) |
| milestone: | none → essex-rc1 |
| Thierry Carrez (ttx) wrote : | #2 |
From Jay on the ML:
OK, so the source of this issue is actually in Keystone. The glance_auth_token middleware is creating the RequestContext that Glance uses when querying for the caller's tenant. The code uses the value of the X_TENANT header to populate the tenant supplied to the RequestContext's constructor, which is what Glance ends up storing in the registry as the image owner_id.
So... the solution, I think, is to patch the glance_auth_token middleware in Keystone to use the value of the X_TENANT_ID header, not X_TENANT, and write some sort of data migration script to address the problem of stored owner_id values being name and not ID of tenant.
| Thierry Carrez (ttx) wrote : | #3 |
Added keystone to scope to match jay's findings
| Changed in keystone: | |
| milestone: | none → essex-rc1 |
| Changed in keystone: | |
| status: | New → In Progress |
| assignee: | nobody → Jay Pipes (jaypipes) |
Fix proposed to branch: master
Review: https:/
| Changed in keystone: | |
| importance: | Undecided → Critical |
| Gabriel Hurley (gabriel-hurley) wrote : | #5 |
Horizon will need to update as soon as this is fixed by the other projects. Related to: https:/
| Changed in horizon: | |
| assignee: | nobody → Gabriel Hurley (gabriel-hurley) |
| importance: | Undecided → Critical |
| milestone: | none → essex-rc1 |
| status: | New → In Progress |
| Brian Waldon (bcwaldon) wrote : | #6 |
Middleware lives in glance now, so untargeting Keystone.
| Changed in glance: | |
| assignee: | Jay Pipes (jaypipes) → Brian Waldon (bcwaldon) |
| no longer affects: | keystone |
| Changed in glance: | |
| status: | Triaged → In Progress |
| Brian Waldon (bcwaldon) wrote : | #7 |
Just wanted to note that we need to migrate user names to ids in the case that 'owner_is_tenant' is set to false in a glance deployment.
Fix proposed to branch: master
Review: https:/
Reviewed: https:/
Committed: http://
Submitter: Jenkins
Branch: master
commit f5603c87282c2b2
Author: Brian Waldon <email address hidden>
Date: Mon Mar 19 10:41:53 2012 -0700
Use tenant/user ids rather than names
* Add script that migrates image owners from user/tenant names to ids
* Fixes bug 950364
Change-Id: I157cb010ed0f89
| Changed in glance: | |
| status: | In Progress → Fix Committed |
Fix proposed to branch: master
Review: https:/
Reviewed: https:/
Committed: http://
Submitter: Jenkins
Branch: master
commit 2a51171517de289
Author: Gabriel Hurley <email address hidden>
Date: Mon Mar 19 18:49:01 2012 -0700
Corrects glance image action permissions.
* Admins have full permissions to edit and delete images
from syspanel, plus Glance's client returns a proper
403 error instead of 401, so inappropriate access no longer
logs the user out inappropriately. Fixes bug 955744.
* Regular users can edit and delete if their tenant owns the
image. Fixes bug 950364 and fixes bug 737360.
Note, this requires the latest version of Glance.
Change-Id: Ib816d7e6e1320a
| Changed in horizon: | |
| status: | In Progress → Fix Committed |
| Changed in horizon: | |
| status: | Fix Committed → Fix Released |
| Changed in glance: | |
| status: | Fix Committed → Fix Released |
| Changed in glance: | |
| milestone: | essex-rc1 → 2012.1 |
| Changed in horizon: | |
| milestone: | essex-rc1 → 2012.1 |
On it.