OpenStack + Chef

[image] upload_images recipe fails with 403 forbidden

Bug #1441292 reported by Mark Vanderwiel on 2015-04-07

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack + Chef	Fix Released	Critical	Mark Vanderwiel	OpenStack + Chef kilo-rc1

Bug Description

This is a result of the role cleanup in https://bugs.launchpad.net/openstack-chef/+bug/1436050

There was a change in glance to only allow the "admin" role to create public images. See https://wiki.openstack.org/wiki/ReleaseNotes/Juno#Upgrade_Notes_3

Therefore, we have a couple choices here for the upload_images recipe

- change the recipe to use admin to create these images
- add a new public flag to the image lwrp to make this more flexible

I think both of these are reasonable to do here.

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-07: Fix proposed to cookbook-openstack-image (master)

Fix proposed to branch: master
Review: https://review.openstack.org/171330

Changed in openstack-chef:
status:	New → In Progress

Revision history for this message

Ma Wen Cheng (mars914) wrote on 2015-04-09:

The ability to upload a public image is now admin-only by default. To continue to use the previous behaviour, edit the publicize_image flag in policy.json to remove the role restriction.
In one deployed node, found that "publicize_image": [["rule:user"]] in policy.json file.
is it right config? no need to update policy?

Revision history for this message

Ma Wen Cheng (mars914) wrote on 2015-04-09:

http://docs.openstack.org/juno/config-reference/content/section_glance-policy.json.html
"publicize_image": "role:admin"
I think this is a right config.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-09: Fix merged to cookbook-openstack-image (master)

Reviewed: https://review.openstack.org/171330
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-image/commit/?id=1600d6a14d1b628d19e7494019d50e01488acd5d
Submitter: Jenkins
Branch: master

commit 1600d6a14d1b628d19e7494019d50e01488acd5d
Author: Mark Vanderwiel <email address hidden>
Date: Tue Apr 7 13:51:22 2015 -0500

Only admin can create public glance images

    With change to use the correct "service" role for service users,
    they can no longer create public images.
    For this recipe, need to use admin for public images.

    Added a public flag to the lwrp such that other non-admin
    accounts can create images. Made a note in the client cookbook
    patch that this support needs to be merged in there.

    Change-Id: I99e2febfdbf6f4bab260d897216f4ae768cf3315
    Related-Bug: #1436050
    Closes-Bug: #1441292

Changed in openstack-chef:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-25: Fix included in openstack/cookbook-openstack-image ocata-eol

This issue was fixed in the openstack/cookbook-openstack-image ocata-eol release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.