Glance

the owner field in glance is tenant_name

Bug #950364 reported by Vish Ishaya on 2012-03-08

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Glance	Fix Released	Critical	Brian Waldon	Glance 2012.1 "essex"
	OpenStack Dashboard (Horizon)	Fix Released	Critical	Gabriel Hurley	OpenStack Dashboard (Horizon) 2012.1 "essex"

Bug Description

Glance is reporting the owner of the image as tenant_name instead of tenant_id. I checked the mysql table and it is storing the name as well. I think this is incorrect, because the name of a tenant could be changed which would cause them to lose all of their images in glance.

Revision history for this message

Jay Pipes (jaypipes) wrote on 2012-03-09:

On it.

Changed in glance:
status:	New → Triaged
importance:	Undecided → Critical
assignee:	nobody → Jay Pipes (jaypipes)
milestone:	none → essex-rc1

Revision history for this message

Thierry Carrez (ttx) wrote on 2012-03-09:

From Jay on the ML:

OK, so the source of this issue is actually in Keystone. The glance_auth_token middleware is creating the RequestContext that Glance uses when querying for the caller's tenant. The code uses the value of the X_TENANT header to populate the tenant supplied to the RequestContext's constructor, which is what Glance ends up storing in the registry as the image owner_id.

So... the solution, I think, is to patch the glance_auth_token middleware in Keystone to use the value of the X_TENANT_ID header, not X_TENANT, and write some sort of data migration script to address the problem of stored owner_id values being name and not ID of tenant.

Revision history for this message

Thierry Carrez (ttx) wrote on 2012-03-09:

Added keystone to scope to match jay's findings

Changed in keystone:
milestone:	none → essex-rc1

Jay Pipes (jaypipes) on 2012-03-09

Changed in keystone:
status:	New → In Progress
assignee:	nobody → Jay Pipes (jaypipes)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-03-09: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5161

Jay Pipes (jaypipes) on 2012-03-09

Changed in keystone:
importance:	Undecided → Critical

Revision history for this message

Gabriel Hurley (gabriel-hurley) wrote on 2012-03-16:

Horizon will need to update as soon as this is fixed by the other projects. Related to: https://bugs.launchpad.net/horizon/+bug/955744

Changed in horizon:
assignee:	nobody → Gabriel Hurley (gabriel-hurley)
importance:	Undecided → Critical
milestone:	none → essex-rc1
status:	New → In Progress

Revision history for this message

Brian Waldon (bcwaldon) wrote on 2012-03-19:

Middleware lives in glance now, so untargeting Keystone.

Changed in glance:
assignee:	Jay Pipes (jaypipes) → Brian Waldon (bcwaldon)
no longer affects:	keystone
Changed in glance:
status:	Triaged → In Progress

Revision history for this message

Brian Waldon (bcwaldon) wrote on 2012-03-19:

Just wanted to note that we need to migrate user names to ids in the case that 'owner_is_tenant' is set to false in a glance deployment.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-03-19: Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5533

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-03-20: Fix merged to glance (master)

Reviewed: https://review.openstack.org/5533
Committed: http://github.com/openstack/glance/commit/f5603c87282c2b25be9ba5af304be777e0f53766
Submitter: Jenkins
Branch: master

commit f5603c87282c2b25be9ba5af304be777e0f53766
Author: Brian Waldon <email address hidden>
Date: Mon Mar 19 10:41:53 2012 -0700

Use tenant/user ids rather than names

* Add script that migrates image owners from user/tenant names to ids
* Fixes bug 950364

Change-Id: I157cb010ed0f8997bd2e1794e9c3b66eba75e36b

Changed in glance:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-03-20: Fix proposed to horizon (master)

#10

Fix proposed to branch: master
Review: https://review.openstack.org/5549

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-03-20: Fix merged to horizon (master)

#11

Reviewed: https://review.openstack.org/5549
Committed: http://github.com/openstack/horizon/commit/2a51171517de2890d26130225a60901827fdfd51
Submitter: Jenkins
Branch: master

commit 2a51171517de2890d26130225a60901827fdfd51
Author: Gabriel Hurley <email address hidden>
Date: Mon Mar 19 18:49:01 2012 -0700

Corrects glance image action permissions.

      * Admins have full permissions to edit and delete images
        from syspanel, plus Glance's client returns a proper
        403 error instead of 401, so inappropriate access no longer
        logs the user out inappropriately. Fixes bug 955744.
      * Regular users can edit and delete if their tenant owns the
        image. Fixes bug 950364 and fixes bug 737360.

Note, this requires the latest version of Glance.

Change-Id: Ib816d7e6e1320a9024c5dbe95b04249291ec0463

Changed in horizon:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2012-03-20

Changed in horizon:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2012-03-21

Changed in glance:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2012-04-05

Changed in glance:
milestone:	essex-rc1 → 2012.1

Thierry Carrez (ttx) on 2012-04-05

Changed in horizon:
milestone:	essex-rc1 → 2012.1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers