Glance's client code treats status codes 401 (Not Authorized) and 403 (Forbidden) as the same error, and consequently raises the same exception for each: https://github.com/openstack/glance/blob/master/glance/common/client.py#L533
This is inappropriate, as the two are distinct errors with different meanings, and different actions need to be taken for each. The key distinction is that with a 401 you might be able to complete the request with proper authorization, whereas with a 403 "Authorization will not help and the request SHOULD NOT be repeated." (from the W3C spec).
Without distinct exceptions in the client this can't be respected by any handler.
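
The sketch below is an added example, not Glance's code: it shows what a handler can do once 401 and 403 map to separate exceptions, namely re-authenticate and retry on 401 but never repeat the request on 403. The class names, `check_status`, `request_with_reauth`, and the `send`/`get_token` callables are hypothetical stand-ins for a real client, transport and auth service.

```python
"""Added example: distinct exceptions for 401 and 403 (hypothetical names)."""


class ClientError(Exception):
    """Base class for errors raised by this example client."""


class NotAuthenticated(ClientError):
    """HTTP 401: credentials missing or expired; re-authenticating may help."""


class Forbidden(ClientError):
    """HTTP 403: identity is known but not permitted; do not repeat."""


# One exception type per status code, instead of one shared type for both.
STATUS_TO_EXCEPTION = {401: NotAuthenticated, 403: Forbidden}


def check_status(status, body=""):
    """Raise the exception mapped to `status`; return the body otherwise."""
    exc = STATUS_TO_EXCEPTION.get(status)
    if exc is not None:
        raise exc(f"{status}: {body}")
    return body


def request_with_reauth(send, get_token, max_reauth=1):
    """Call send(token); on 401 fetch a fresh token and retry, on 403 give up.

    `send` returns (status, body) and `get_token` returns a new token;
    both are assumed stand-ins for a real transport and auth service.
    """
    token = get_token()
    for attempt in range(max_reauth + 1):
        status, body = send(token)
        try:
            return check_status(status, body)
        except NotAuthenticated:
            if attempt == max_reauth:
                raise            # still 401 after re-auth: surface it
            token = get_token()  # expired/invalid token: obtain a new one
        # Forbidden is deliberately not caught: retrying cannot succeed.
```

With a single shared exception type, the `except NotAuthenticated` branch could not tell the two cases apart and would either retry forbidden requests or never refresh an expired token.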