the owner field in glance is tenant_name

Bug #950364 reported by Vish Ishaya
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Glance
Fix Released
Critical
Brian Waldon
OpenStack Dashboard (Horizon)
Fix Released
Critical
Gabriel Hurley

Bug Description

Glance is reporting the owner of the image as tenant_name instead of tenant_id. I checked the mysql table and it is storing the name as well. I think this is incorrect, because the name of a tenant could be changed which would cause them to lose all of their images in glance.

Revision history for this message
Jay Pipes (jaypipes) wrote :

On it.

Changed in glance:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Jay Pipes (jaypipes)
milestone: none → essex-rc1
Revision history for this message
Thierry Carrez (ttx) wrote :

From Jay on the ML:

OK, so the source of this issue is actually in Keystone. The glance_auth_token middleware is creating the RequestContext that Glance uses when querying for the caller's tenant. The code uses the value of the X_TENANT header to populate the tenant supplied to the RequestContext's constructor, which is what Glance ends up storing in the registry as the image owner_id.

So... the solution, I think, is to patch the glance_auth_token middleware in Keystone to use the value of the X_TENANT_ID header, not X_TENANT, and write some sort of data migration script to address the problem of stored owner_id values being name and not ID of tenant.

Revision history for this message
Thierry Carrez (ttx) wrote :

Added keystone to scope to match jay's findings

Changed in keystone:
milestone: none → essex-rc1
Jay Pipes (jaypipes)
Changed in keystone:
status: New → In Progress
assignee: nobody → Jay Pipes (jaypipes)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5161

Jay Pipes (jaypipes)
Changed in keystone:
importance: Undecided → Critical
Revision history for this message
Gabriel Hurley (gabriel-hurley) wrote :

Horizon will need to update as soon as this is fixed by the other projects. Related to: https://bugs.launchpad.net/horizon/+bug/955744

Changed in horizon:
assignee: nobody → Gabriel Hurley (gabriel-hurley)
importance: Undecided → Critical
milestone: none → essex-rc1
status: New → In Progress
Revision history for this message
Brian Waldon (bcwaldon) wrote :

Middleware lives in glance now, so untargeting Keystone.

Changed in glance:
assignee: Jay Pipes (jaypipes) → Brian Waldon (bcwaldon)
no longer affects: keystone
Changed in glance:
status: Triaged → In Progress
Revision history for this message
Brian Waldon (bcwaldon) wrote :

Just wanted to note that we need to migrate user names to ids in the case that 'owner_is_tenant' is set to false in a glance deployment.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5533

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/5533
Committed: http://github.com/openstack/glance/commit/f5603c87282c2b25be9ba5af304be777e0f53766
Submitter: Jenkins
Branch: master

commit f5603c87282c2b25be9ba5af304be777e0f53766
Author: Brian Waldon <email address hidden>
Date: Mon Mar 19 10:41:53 2012 -0700

    Use tenant/user ids rather than names

    * Add script that migrates image owners from user/tenant names to ids
    * Fixes bug 950364

    Change-Id: I157cb010ed0f8997bd2e1794e9c3b66eba75e36b

Changed in glance:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5549

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/5549
Committed: http://github.com/openstack/horizon/commit/2a51171517de2890d26130225a60901827fdfd51
Submitter: Jenkins
Branch: master

commit 2a51171517de2890d26130225a60901827fdfd51
Author: Gabriel Hurley <email address hidden>
Date: Mon Mar 19 18:49:01 2012 -0700

    Corrects glance image action permissions.

      * Admins have full permissions to edit and delete images
        from syspanel, plus Glance's client returns a proper
        403 error instead of 401, so inappropriate access no longer
        logs the user out inappropriately. Fixes bug 955744.
      * Regular users can edit and delete if their tenant owns the
        image. Fixes bug 950364 and fixes bug 737360.

    Note, this requires the latest version of Glance.

    Change-Id: Ib816d7e6e1320a9024c5dbe95b04249291ec0463

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: essex-rc1 → 2012.1
Thierry Carrez (ttx)
Changed in horizon:
milestone: essex-rc1 → 2012.1
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers