'image add project' fails to find project for non-admin user

Bug #1864203 reported by Yiorgos Stamoulis
This bug affects 3 people
Affects: python-openstackclient (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

While validating an openstack-ansible deployed 'train' cloud, I noticed that image sharing no longer works for non-admin users.

As a non-admin user, create an image:

$ openstack image create --file ~/iso/cirros-0.4.0-x86_64-disk.img --disk-format qcow2 my_image
...
| id | 5be301ee-aa4a-4365-a338-212af1e49321 |
...

Share it with the project with UUID 31cd824bad4e46a8b4faa02516c2b786:

$ openstack image add project 5be301ee-aa4a-4365-a338-212af1e49321 31cd824bad4e46a8b4faa02516c2b786
You are not authorized to find project with the name '31cd824bad4e46a8b4faa02516c2b786'.

Extract from client debug mode:

RESP BODY: {"error":{"code":403,"message":"You are not authorized to perform the requested action: identity:get_project.","title":"Forbidden"}}

GET call to identity for https://KEYSTONE_EXT_ENDPOINT:5000/v3/projects/31cd824bad4e46a8b4faa02516c2b786 used request id req-be17950b-2f35-4e15-8032-7e9b3645ef34
Request returned failure status: 403
REQ: curl -g -i -X GET https://KEYSTONE_EXT_ENDPOINT:5000/v3/projects?name=31cd824bad4e46a8b4faa02516c2b786 -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}931765129b0b2ad132c3d606c437b6c0dca839b560f1eecfcfadd2163c2f3423"
Resetting dropped connection: KEYSTONE_EXT_ENDPOINT
https://KEYSTONE_EXT_ENDPOINT:5000 "GET /v3/projects?name=31cd824bad4e46a8b4faa02516c2b786 HTTP/1.1" 403 135
RESP: [403] Connection: close Content-Length: 135 Content-Type: application/json Date: Fri, 21 Feb 2020 12:43:17 GMT Server: nginx/1.14.0 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-a64e45d8-1777-4f35-93c9-34e70c181330
RESP BODY: {"error":{"code":403,"message":"You are not authorized to perform the requested action: identity:list_projects.","title":"Forbidden"}}

GET call to identity for https://KEYSTONE_EXT_ENDPOINT:5000/v3/projects?name=31cd824bad4e46a8b4faa02516c2b786 used request id req-a64e45d8-1777-4f35-93c9-34e70c181330
Request returned failure status: 403
You are not authorized to find project with the name '31cd824bad4e46a8b4faa02516c2b786'.

This was of course correctly rejected by keystone.

The same request does succeed if run by an admin user.

James Page (james-page) wrote :

There are a lot of changes with regard to policies at Stein - I wonder whether this is related:

https://docs.openstack.org/releasenotes/keystone/stein.html

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-openstackclient (Ubuntu):
status: New → Confirmed

Roger Luethi (rl-o) wrote :

This may have been fixed already by this commit:

https://opendev.org/openstack/osc-lib/commit/1ff3720daefd98a77557e5692fd7052b5930ae6c

Revert "Add error message when occurrence Forbidden error"
This reverts commit 3c0559def3.

This patch is breaking the Glance image share function.

Change-Id: Ic380b4fdeb334b70be39fcf07670902c0bc89dd9
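
The lookup sequence in the debug extract (GET by ID refused, then GET by name filter refused), modelled as an added example that is not code from osc-lib, python-openstackclient or anyone in this thread. `FakeKeystone`, `resolve_strict` and `resolve_with_fallback` are hypothetical names, and the pass-through on 403 is an assumption about how a client can let a non-admin share an image, not a statement of what the linked commit contains.

```python
# Added illustration: every class and function here is a hypothetical stand-in.
PROJECT_ID = "31cd824bad4e46a8b4faa02516c2b786"  # project UUID from the report


class Forbidden(Exception):
    """Stands in for the 403 responses shown in the debug extract."""


class NotFound(Exception):
    """Stands in for a 404 on GET /v3/projects/<id>."""


class FakeKeystone:
    """Constructed policy model: only admins may get or list projects."""

    def __init__(self, is_admin, projects):
        self.is_admin = is_admin
        self.projects = projects  # {project_id: project_name}

    def get_project(self, project_id):  # GET /v3/projects/<id>
        if not self.is_admin:
            raise Forbidden("identity:get_project")
        if project_id not in self.projects:
            raise NotFound(project_id)
        return {"id": project_id, "name": self.projects[project_id]}

    def list_projects(self, name):  # GET /v3/projects?name=<name>
        if not self.is_admin:
            raise Forbidden("identity:list_projects")
        return [{"id": i, "name": n} for i, n in self.projects.items() if n == name]


def _lookup(keystone, name_or_id):
    try:
        return keystone.get_project(name_or_id)["id"]
    except (NotFound, Forbidden):
        pass  # as in the trace, a refused GET by ID is followed by a name query
    matches = keystone.list_projects(name_or_id)
    if len(matches) != 1:
        raise LookupError("no unique project named %r" % name_or_id)
    return matches[0]["id"]


def resolve_strict(keystone, name_or_id):
    """Reported behaviour: a 403 during lookup aborts the whole command."""
    try:
        return _lookup(keystone, name_or_id)
    except Forbidden:
        raise PermissionError("You are not authorized to find project "
                              "with the name '%s'." % name_or_id)


def resolve_with_fallback(keystone, name_or_id):
    """Assumed alternative: forward the value unverified as the member ID."""
    try:
        return _lookup(keystone, name_or_id)
    except Forbidden:
        return name_or_id
```

With the fallback, Keystone still discloses nothing to the non-admin caller; the cost is that a mistyped ID or a project name is forwarded to the image service as-is instead of being caught client-side.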
