Project image table: admin user sees images which are not shared with me

Bug #1624743 reported by Akihiro Motoki on 2016-09-17
This bug affects 4 people
Affects: OpenStack Dashboard (Horizon)
Importance: High
Assigned to: Beth Elwell

Bug Description

The image table of the *Project* image panel should list public images, private images owned by the current project and private images shared with the current project.

However, when a user logs in as a user with admin role, private images which are owned by another project and NOT shared with the current project are listed in the image table of the project image panel.

This behavior is confusing and incompatible with the existing behavior.

Akihiro Motoki (amotoki) on 2016-09-17
Changed in horizon:
milestone: none → newton-rc2
Richard Jones (r1chardj0n3s) wrote :

Can't filter by project in that list either (or the Admin Images list). We should look into adding Owner (and possibly Project for the admin list) to the filter facets.

Brad Pokorny (bpokorny) wrote :

This is due to a difference in what's included in the list of images from the glance v1 API and the glance v2 API. With glance v2, there's not a way for an admin to tell a single API call "Give me the list of images that are public, owned by my project, or shared with me." When an admin calls the glance v2 API to get the list of images, they get all the images in the cloud.

With glance v1, an admin had to specify they wanted all the images in the cloud with the is_public=None option on the call. In Horizon, we used the following API calls to get different results for the Project->Images page and Admin->Images page:

Project -> Images
http://host:9292/v1/images/detail?sort_key=created_at&sort_dir=desc&limit=1000

Admin -> Images
http://host:9292/v1/images/detail?sort_key=created_at&sort_dir=desc&limit=1000&is_public=None

With glance v2, there is no is_public flag to use, so we currently use the same API options for both:

Project -> Images and Admin -> Images
http://host/v2/images?limit=1000&sort_key=created_at&sort_dir=desc

I validated that with the current code, and configuring Horizon to use glance v1, we still show what's expected. I think we could replicate the same behavior on the Project->Images page when using glance v2, but we'd have to send multiple API calls for the different visibility values. For example:

http://host/v2/images?limit=1000&sort_key=created_at&sort_dir=desc&visibility=public
http://host/v2/images?limit=1000&sort_key=created_at&sort_dir=desc&visibility=shared
http://host/v2/images?limit=1000&sort_key=created_at&sort_dir=desc&owner=[the currently scoped project]

And then deduplicate the results from the API calls.

I'd be worried about the performance impact of making 2 extra list API calls to glance to render the single Project->Images page. Also, using 3 separate API calls will make pagination more complex.

So I'd suggest we document that the behavior has changed for admins. If we do that, we still need to make an update so that the Visibility no longer says "Shared with Project" when using glance v2. The angular images code assumes that if the image isn't Public and isn't owned by the current project, then it's a shared image, which isn't a good assumption when using the v2 API.

I'm open to other suggestions anyone has for dealing with this issue as well.

Changed in horizon:
status: New → Confirmed
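
Added example (not part of the comment above and not Horizon's or Glance's code): a small Python model of the two options discussed, the merged and deduplicated three-call listing versus the single unfiltered call, and of the visibility label that assumes "shared". The image records, `fake_list` and the label text "Non-public, other project" are assumptions made for illustration; only the `visibility` and `owner` filters come from the URLs above.

```python
# Constructed sample records; "members" models the projects an image is shared with.
IMAGES = [
    {"id": "img-1", "owner": "proj-a", "visibility": "public", "members": []},
    {"id": "img-2", "owner": "proj-a", "visibility": "private", "members": []},
    {"id": "img-3", "owner": "proj-b", "visibility": "private", "members": ["proj-a"]},
    {"id": "img-4", "owner": "proj-b", "visibility": "private", "members": []},
]

def fake_list(project_id, is_admin, **filters):
    """Hypothetical stand-in for GET /v2/images (not the Glance client)."""
    out = [i for i in IMAGES
           if is_admin or i["visibility"] == "public"
           or i["owner"] == project_id or project_id in i["members"]]
    if filters.get("visibility") == "public":
        out = [i for i in out if i["visibility"] == "public"]
    elif filters.get("visibility") == "shared":
        out = [i for i in out if project_id in i["members"]]
    if "owner" in filters:
        out = [i for i in out if i["owner"] == filters["owner"]]
    return out

def unfiltered_ids(project_id, is_admin):
    """What a single unfiltered v2 call puts on the Project panel."""
    return sorted(i["id"] for i in fake_list(project_id, is_admin))

def scoped_ids(project_id, is_admin):
    """Union of the three filtered calls, deduplicated by image id."""
    merged = {}
    for flt in ({"visibility": "public"}, {"visibility": "shared"},
                {"owner": project_id}):
        for img in fake_list(project_id, is_admin, **flt):
            merged.setdefault(img["id"], img)  # img-1 is returned by two calls
    return sorted(merged)

def label_assuming_shared(img, project_id):
    """The assumption described above: not public and not mine means shared."""
    if img["visibility"] == "public":
        return "Public"
    return "Private" if img["owner"] == project_id else "Shared with Project"

def label_without_claim(img, project_id):
    """Makes no sharing claim; the label text is an assumption of this example."""
    if img["visibility"] == "public":
        return "Public"
    return "Private" if img["owner"] == project_id else "Non-public, other project"

if __name__ == "__main__":
    print(unfiltered_ids("proj-a", True), scoped_ids("proj-a", True))
    print(label_assuming_shared(IMAGES[3], "proj-a"))
```

For an admin scoped to `proj-a`, the unfiltered call includes `img-4`, which belongs to `proj-b` and is not shared, and the first label function reports it as "Shared with Project".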
Brad Pokorny (bpokorny) on 2016-09-22
Changed in horizon:
assignee: nobody → Brad Pokorny (bpokorny)

Fix proposed to branch: master
Review: https://review.openstack.org/375170

Changed in horizon:
status: Confirmed → In Progress
Brad Pokorny (bpokorny) wrote :

I haven't thought of a better way to fix this yet, so the 375170 patch implements my suggestion from comment #2 above (https://bugs.launchpad.net/horizon/+bug/1624743/comments/2). The code is ready for review.

Changed in horizon:
milestone: newton-rc2 → ocata-1
tags: added: newton-backport-potential
removed: newton-rc-potential
Brad Pokorny (bpokorny) on 2016-11-16
Changed in horizon:
assignee: Brad Pokorny (bpokorny) → nobody
Changed in horizon:
milestone: ocata-1 → ocata-2
Changed in horizon:
milestone: ocata-2 → ocata-rc1
Changed in horizon:
milestone: ocata-rc1 → next
tags: added: ocata-backport-potential
Changed in horizon:
assignee: nobody → Beth (bethelwell)
Changed in horizon:
milestone: next → pike-1

Reviewed: https://review.openstack.org/375170
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=b01bf0f9a16b6aa48f73bf046e9ef51287cb40cc
Submitter: Jenkins
Branch: master

commit b01bf0f9a16b6aa48f73bf046e9ef51287cb40cc
Author: Brad Pokorny <email address hidden>
Date: Thu Sep 22 14:27:35 2016 -0700

    Make shared image text less confusing for Glance v2

    When using Glance v2 and logged in as an admin, the images
    panel now shows all the images in the cloud. This is the
    way the Glance v2 list api works, but it changed the behavior
    from v1. In Horizon, we can't tell whether non-public images
    that aren't owned by current project are shared or just from
    some other project without making multiple api calls. This
    patch makes the text of the images less confusing when using
    Glance v2, so that it no longer claims the images are "Shared
    with Project".

    Change-Id: I2859e104de78a6a633b0e1a2ff30dde674b4bdee
    Closes-Bug: #1624743

Changed in horizon:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/440511
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=c952304babb2a589775b5209605b42ac8218ef2b
Submitter: Jenkins
Branch: stable/ocata

commit c952304babb2a589775b5209605b42ac8218ef2b
Author: Brad Pokorny <email address hidden>
Date: Thu Sep 22 14:27:35 2016 -0700

    Make shared image text less confusing for Glance v2

    When using Glance v2 and logged in as an admin, the images
    panel now shows all the images in the cloud. This is the
    way the Glance v2 list api works, but it changed the behavior
    from v1. In Horizon, we can't tell whether non-public images
    that aren't owned by current project are shared or just from
    some other project without making multiple api calls. This
    patch makes the text of the images less confusing when using
    Glance v2, so that it no longer claims the images are "Shared
    with Project".

    Change-Id: I2859e104de78a6a633b0e1a2ff30dde674b4bdee
    Closes-Bug: #1624743
    (cherry picked from commit b01bf0f9a16b6aa48f73bf046e9ef51287cb40cc)

tags: added: in-stable-ocata

This issue was fixed in the openstack/horizon 11.0.1 release.

This issue was fixed in the openstack/horizon 12.0.0.0b1 development milestone.
