Glance

Unable to specify the image owner when adding an image

Bug #962998 reported by Juerg Haefliger on 2012-03-23

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Glance	Fix Released	Low	Eoghan Glynn	Glance 2012.1 "essex"

Bug Description

The 'glance add' command doesn't support specifying the image owner on the commandline. See the below email trail for more details:

Hi Juerg,

That's because 'owner' is not supported as an explicit parameter to 'glance add'.

So as a result the CLI treats it a generic image property, and passes this to the API service via the header:

x-image-meta-property-owner: 2

The 'x-image-meta-property-' prefix is used to distinguish additional image properties, separate to the first class image attributes.

Please raise a bug against the glance CLI so that 'owner' is supported as an explicit field for the add command (as it currently is for the update command).

Cheers,
Eoghan

> Is there a particular reason why an owner can't be specified when
> adding an image? I.e., the following:
>
> $ glance add name=testing owner=99 < testing
>
> results in:
>
> URI: http://jabba:9292/v1/images/22
> Id: 22
> Public: No
> Name: testing
> Status: active
> Size: 36614
> Disk format: None
> Container format: None
> Minimum Ram Required (MB): 0
> Minimum Disk Required (GB): 0
> Owner: 2
> Property 'owner': 99
>
> whereas I expect it to be:
>
> URI: http://jabba:9292/v1/images/22
> Id: 22
> Public: No
> Name: testing
> Status: active
> Size: 36614
> Disk format: None
> Container format: None
> Minimum Ram Required (MB): 0
> Minimum Disk Required (GB): 0
> Owner: 99
>
>
> Regards
> ...Juerg

Juerg Haefliger (juergh) on 2012-03-23

Changed in glance:
assignee:	nobody → Juerg Haefliger (juergh)

Eoghan Glynn (eglynn) on 2012-03-23

Changed in glance:
status:	New → Confirmed
importance:	Undecided → Low

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-03-23: Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5727

Changed in glance:
assignee:	Juerg Haefliger (juergh) → Eoghan Glynn (eglynn)
status:	Confirmed → In Progress

Revision history for this message

Brian Waldon (bcwaldon) wrote on 2012-03-23:

Like I said in the review, this bug should be limited to allowing Admins to providing an owner on the command line.

Revision history for this message

Jay Pipes (jaypipes) wrote on 2012-03-23:

Agreed with Brian... the reason this is not allowed is for security reasons. In fact, I'm having trouble understanding why a regular user (i.e. not an admin doing mass changes) would need the ability to set the owner field to something other than their own user_id (which is automatically set if they add the image)

Revision history for this message

Eoghan Glynn (eglynn) wrote on 2012-03-23:

Well, we already allow the owner attribute to be settable when the image is created directly via:

  POST /v1/images
  x-image-meta-owner: fred
  ...

and also when the image is updated either via the glance CLI or PUT /v1/images.

So it sounds like what's needed instead is to disallow the above existing degrees of freedom on create and update.

Otherwise we'd have very inconsistent enforcement and a false sense of security by simply making the change to the image owner a little indirect but still very possible.

Revision history for this message

Brian Waldon (bcwaldon) wrote on 2012-03-23:

It appears that we already restrict setting the 'owner' attribute to admins. I think we can move forward with the proposed fix for providing access to the owner attribute through glance client add/update.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-03-27: Fix merged to glance (master)

Reviewed: https://review.openstack.org/5727
Committed: http://github.com/openstack/glance/commit/6005cb7e41408912b5ae56d5f23859bcfb217969
Submitter: Jenkins
Branch: master

commit 6005cb7e41408912b5ae56d5f23859bcfb217969
Author: Eoghan Glynn <email address hidden>
Date: Fri Mar 23 11:32:10 2012 +0000

Support owner paramater to glance add

Fixes bug 962998

    Allow the owner to specified as a first class image attribute
    when creating a new image via the CLI, as it is currently for
    image update.

    Also added a simple fakeauth pipeline to allow the user, tenant
    and admin status of API requests to be easily controlled by
    functional tests.

Change-Id: I0f83d55d4a96ad3632fb238ad1758ec3f00ed3fd

Changed in glance:
status:	In Progress → Fix Committed

Brian Waldon (bcwaldon) on 2012-03-27

Changed in glance:
milestone:	none → essex-rc2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-03-27: Fix proposed to glance (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/5891

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-03-28: Fix merged to glance (milestone-proposed)

Reviewed: https://review.openstack.org/5891
Committed: http://github.com/openstack/glance/commit/bb7c3297f69ca7dd721985db1b8a5fcf1707ed85
Submitter: Jenkins
Branch: milestone-proposed

commit bb7c3297f69ca7dd721985db1b8a5fcf1707ed85
Author: Eoghan Glynn <email address hidden>
Date: Fri Mar 23 11:32:10 2012 +0000

Support owner paramater to glance add

Fixes bug 962998

    Allow the owner to specified as a first class image attribute
    when creating a new image via the CLI, as it is currently for
    image update.

    Also added a simple fakeauth pipeline to allow the user, tenant
    and admin status of API requests to be easily controlled by
    functional tests.

Change-Id: I0f83d55d4a96ad3632fb238ad1758ec3f00ed3fd

Changed in glance:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2012-04-05

Changed in glance:
milestone:	essex-rc2 → 2012.1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.