Comment 5 for bug 955744

It turns out:

  1. glance scopes image ownership to the tenant name, not the tenant id, or user id, nor even the user name which is what horizon is checking. Bug here: https://bugs.launchpad.net/glance/+bug/950364

  2. glance fails to respect the admin context and thus tries to use the scoped tenant to authorize the request, even if the user is an admin. (bug forthcoming from bcwaldon)

  3. the glance client fails to differentiate between 401 and 403 status codes (bug here: https://bugs.launchpad.net/glance/+bug/956513) so while logging the user out is appropriate behavior for a 401 and *not* for a 403, horizon isn't given the proper data to take the correct action.