the owner field in glance is tenant_name

Bug #950364 reported by Vish Ishaya on 2012-03-08
This bug affects 2 people
Affects: Glance; Importance: Critical; Assigned to: Brian Waldon
Affects: OpenStack Dashboard (Horizon); Importance: Critical; Assigned to: Gabriel Hurley

Bug Description

Glance is reporting the owner of the image as tenant_name instead of tenant_id. I checked the MySQL table and it is storing the name as well. I think this is incorrect, because the name of a tenant could be changed, which would cause them to lose all of their images in glance.

Jay Pipes (jaypipes) wrote :

On it.

Changed in glance:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Jay Pipes (jaypipes)
milestone: none → essex-rc1
Thierry Carrez (ttx) wrote :

From Jay on the ML:

OK, so the source of this issue is actually in Keystone. The glance_auth_token middleware is creating the RequestContext that Glance uses when querying for the caller's tenant. The code uses the value of the X_TENANT header to populate the tenant supplied to the RequestContext's constructor, which is what Glance ends up storing in the registry as the image owner_id.

So... the solution, I think, is to patch the glance_auth_token middleware in Keystone to use the value of the X_TENANT_ID header, not X_TENANT, and write some sort of data migration script to address the problem of stored owner_id values being the name and not the ID of the tenant.

Thierry Carrez (ttx) wrote :

Added keystone to scope to match Jay's findings

Changed in keystone:
milestone: none → essex-rc1
Jay Pipes (jaypipes) on 2012-03-09
Changed in keystone:
status: New → In Progress
assignee: nobody → Jay Pipes (jaypipes)
Jay Pipes (jaypipes) on 2012-03-09
Changed in keystone:
importance: Undecided → Critical
Gabriel Hurley (gabriel-hurley) wrote :

Horizon will need to update as soon as this is fixed by the other projects. Related to: https://bugs.launchpad.net/horizon/+bug/955744

Changed in horizon:
assignee: nobody → Gabriel Hurley (gabriel-hurley)
importance: Undecided → Critical
milestone: none → essex-rc1
status: New → In Progress
Brian Waldon (bcwaldon) wrote :

Middleware lives in glance now, so untargeting Keystone.

Changed in glance:
assignee: Jay Pipes (jaypipes) → Brian Waldon (bcwaldon)
no longer affects: keystone
Changed in glance:
status: Triaged → In Progress
Brian Waldon (bcwaldon) wrote :

Just wanted to note that we need to migrate user names to ids in the case that 'owner_is_tenant' is set to false in a glance deployment.

Reviewed: https://review.openstack.org/5533
Committed: http://github.com/openstack/glance/commit/f5603c87282c2b25be9ba5af304be777e0f53766
Submitter: Jenkins
Branch: master

commit f5603c87282c2b25be9ba5af304be777e0f53766
Author: Brian Waldon <email address hidden>
Date: Mon Mar 19 10:41:53 2012 -0700

    Use tenant/user ids rather than names

    * Add script that migrates image owners from user/tenant names to ids
    * Fixes bug 950364

    Change-Id: I157cb010ed0f8997bd2e1794e9c3b66eba75e36b

Changed in glance:
status: In Progress → Fix Committed
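
Added example, not part of the bug thread or of the Glance commit: a Python sketch of the ownership check described above, keyed on X_TENANT versus X_TENANT_ID, together with a name-to-id owner migration that leaves unknown or ambiguous owners for manual review. All function names and sample values are hypothetical, it covers only the tenant-as-owner case, and it assumes the tenant list still carries the names that were in use when the image rows were written.

```python
# Added illustration. The header names X_TENANT and X_TENANT_ID come from the
# thread; all function names and sample values are hypothetical/constructed.

def owner_from_headers(headers, use_id=True):
    """Value the middleware hands to the request context as the tenant."""
    return headers["X_TENANT_ID" if use_id else "X_TENANT"]

def can_modify(image, headers, use_id=True):
    """Ownership check: stored owner must equal the caller's tenant value."""
    return image["owner"] == owner_from_headers(headers, use_id)

def migrate_owners(images, tenants):
    """Rewrite name-valued owners to ids in place.

    Returns (migrated, skipped) image ids; skipped rows had an owner that
    matched no tenant name or more than one and need manual review.
    """
    known_ids = {t["id"] for t in tenants}
    by_name = {}
    for t in tenants:
        by_name.setdefault(t["name"], []).append(t["id"])
    migrated, skipped = [], []
    for img in images:
        owner = img["owner"]
        if owner is None or owner in known_ids:
            continue  # unowned, or already stored as an id
        matches = by_name.get(owner, [])
        if len(matches) == 1:
            img["owner"] = matches[0]
            migrated.append(img["id"])
        else:
            skipped.append(img["id"])
    return migrated, skipped

def sample_data():
    """Constructed tenants and image rows (owners stored as names, pre-fix)."""
    tenants = [{"id": "t-1001", "name": "acme"}]
    images = [{"id": "img-1", "owner": "acme"},     # name, must be migrated
              {"id": "img-2", "owner": "t-1001"},   # already an id
              {"id": "img-3", "owner": "ghost"}]    # no such tenant
    return tenants, images

if __name__ == "__main__":
    tenants, images = sample_data()
    renamed = {"X_TENANT": "acme-eu", "X_TENANT_ID": "t-1001"}  # after rename
    print("name check after rename:", can_modify(images[0], renamed, use_id=False))
    print("migration:", migrate_owners(images, tenants))
    print("id check after rename:", can_modify(images[0], renamed))
```

Running the migration a second time changes nothing and reports the same skipped rows, so it can be re-run after the skipped owners are resolved by hand.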

Reviewed: https://review.openstack.org/5549
Committed: http://github.com/openstack/horizon/commit/2a51171517de2890d26130225a60901827fdfd51
Submitter: Jenkins
Branch: master

commit 2a51171517de2890d26130225a60901827fdfd51
Author: Gabriel Hurley <email address hidden>
Date: Mon Mar 19 18:49:01 2012 -0700

    Corrects glance image action permissions.

      * Admins have full permissions to edit and delete images
        from syspanel, plus Glance's client returns a proper
        403 error instead of 401, so inappropriate access no longer
        logs the user out inappropriately. Fixes bug 955744.
      * Regular users can edit and delete if their tenant owns the
        image. Fixes bug 950364 and fixes bug 737360.

    Note, this requires the latest version of Glance.

    Change-Id: Ib816d7e6e1320a9024c5dbe95b04249291ec0463

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-03-20
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-03-21
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in glance:
milestone: essex-rc1 → 2012.1
Thierry Carrez (ttx) on 2012-04-05
Changed in horizon:
milestone: essex-rc1 → 2012.1