'image add project' fails to find project for non-admin user
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
python-openstackclient (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
while validating a openstack-ansible deployed 'train' cloud I noticed that image sharing no longer works for non-admin users
as a non-admin user create an image:
$ openstack image create --file ~/iso/cirros-
...
| id | 5be301ee-
...
share it with project with UUID 31cd824bad4e46a
$ openstack image add project 5be301ee-
You are not authorized to find project with the name '31cd824bad4e46
extract from client debug mode:
RESP BODY: {"error"
GET call to identity for https:/
Request returned failure status: 403
REQ: curl -g -i -X GET https:/
Resetting dropped connection: KEYSTONE_
https:/
RESP: [403] Connection: close Content-Length: 135 Content-Type: application/json Date: Fri, 21 Feb 2020 12:43:17 GMT Server: nginx/1.14.0 (Ubuntu) Vary: X-Auth-Token x-openstack-
RESP BODY: {"error"
GET call to identity for https:/
Request returned failure status: 403
You are not authorized to find project with the name '31cd824bad4e46
This was of course correctly rejected by keystone.
The same request does succeed if run by an admin user.
There are alot of changes with regards to policies at Stein - I wonder whether this is related:
https:/ /docs.openstack .org/releasenot es/keystone/ stein.html