openstack user create --domain default --password xxxxxxxx --project-domain ndc --project test mike
openstack role add --user mike --user-domain default --project test user

my admin account is in the NDC domain with a different username.

/etc/glance/policy.json
{
    "context_is_admin": "role:admin",
    "default": "role:admin",
    <snip>

I'm not terribly familiar with the policies but I feel like that default line is making everyone an admin by default?

Mike Moore, M.S.S.E.
Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov

Hydrogen fusion brightens my day.


On 10/18/18, 6:25 PM, "iain MacDonnell" <iain.macdonn...@oracle.com> wrote:

    I suspect that your non-admin user is not really non-admin. How did you create it? What do you have for "context_is_admin" in glance's policy.json?

    ~iain

    On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote:
    > I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
    >
    > Mike Moore, M.S.S.E.
    > Systems Engineer, Goddard Private Cloud
    > michael.d.mo...@nasa.gov
    >
    > Hydrogen fusion brightens my day.
    >
    >
    > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <michael.d.mo...@nasa.gov> wrote:
    >
    >     Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
    >
    >     In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
    >
    >     Mike Moore, M.S.S.E.
    >     Systems Engineer, Goddard Private Cloud
    >     michael.d.mo...@nasa.gov
    >
    >     Hydrogen fusion brightens my day.
    >
    >
    >     On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonn...@oracle.com> wrote:
    >
    >         On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote:
    >         > I’m seeing unexpected behavior in our Queens environment related to
    >         > Glance image visibility. Specifically users who, based on my
    >         > understanding of the visibility and ownership fields, should NOT be able
    >         > to see or view the image.
    >         >
    >         > If I create a new image with openstack image create and specify --project
    >         > <tenant> and --private, a non-admin user in a different tenant can see and
    >         > boot that image.
    >         >
    >         > That seems to be the opposite of what should happen. Any ideas?
    >
    >         Yep, something's not right there.
    >
    >         Are you sure that the user that can see the image doesn't have the admin
    >         role (for the project in its keystone token)?
    >
    >         Did you verify that the image's owner is what you intended, and that the
    >         visibility really is "private"?
    >
    >         ~iain

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
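The thread turns on two things: which Keystone roles a token carries, and how Glance's policy.json turns those roles into an "admin" context that bypasses image ownership. The following is an added example, not code from the thread, from Glance or from oslo.policy. It is a deliberately small model of the policy semantics relevant here: only the "role:<name>" rule form pasted above (plus the empty rule, always allowed, and "!", never allowed) is evaluated, a rule name missing from the file falls back to the "default" entry, and image visibility is reduced to public/private with owner and admin checks (shared and community visibility are left out). Project IDs and the image record are constructed placeholders.

```python
# Added example: a minimal model of policy.json evaluation and Glance-style
# image visibility. Not Glance or oslo.policy code; see the lead-in for the
# simplifications it makes.
import json

# Constructed policy text, shaped like the snippet pasted in the thread.
POLICY_TEXT = """{
  "context_is_admin": "role:admin",
  "default": "role:admin"
}"""


def load_policy(text):
    """Parse policy.json text into a dict of rule name -> rule expression."""
    return json.loads(text)


def check_rule(policy, rule_name, roles):
    """Return True if the token roles satisfy the named rule.

    A rule name absent from the file is evaluated against the "default"
    rule; if that is absent too, the request is denied ("!").
    """
    expr = policy.get(rule_name, policy.get("default", "!"))
    if expr == "!":
        return False
    if expr == "":
        return True
    kind, sep, value = expr.partition(":")
    if sep and kind == "role":
        return value in roles
    raise ValueError("unsupported rule expression: %r" % expr)


def context_is_admin(policy, roles):
    """Glance derives context.is_admin from the context_is_admin rule."""
    return check_rule(policy, "context_is_admin", roles)


def image_visible(policy, image, project_id, roles):
    """Simplified visibility check for one image record.

    public  -> visible to everyone
    private -> visible to the owning project only, unless the requesting
               context is admin
    (shared and community visibilities are not modelled)
    """
    if image["visibility"] == "public":
        return True
    if context_is_admin(policy, roles):
        return True
    if image["visibility"] == "private":
        return image["owner"] == project_id
    return False


# Constructed scenario: a private image owned by the admin project, queried
# from a different project ("test") with different role sets.
ADMIN_PROJECT = "admin-project-id"  # placeholder, not a real ID
TEST_PROJECT = "test-project-id"    # placeholder, not a real ID
PRIVATE_IMAGE = {"visibility": "private", "owner": ADMIN_PROJECT}


def scenario():
    """Evaluate the thread's scenario under the pasted policy."""
    policy = load_policy(POLICY_TEXT)
    return {
        # token carrying only the 'user' role, scoped to project 'test'
        "user_role_sees_private": image_visible(
            policy, PRIVATE_IMAGE, TEST_PROJECT, ["user"]),
        # token carrying the admin role, same project scope
        "admin_role_sees_private": image_visible(
            policy, PRIVATE_IMAGE, TEST_PROJECT, ["admin"]),
        # a rule name not in the file is judged by the 'default' entry
        "undefined_rule_non_admin": check_rule(policy, "get_image", ["user"]),
        "undefined_rule_admin": check_rule(policy, "get_image", ["admin"]),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

Under this model a token with only the "user" role cannot see another project's private image, while a token that carries the "admin" role can regardless of project scope, which is the check iain asked for (inspect the roles in the non-admin user's Keystone token, not just the username). The "default" entry is consulted only for rule names that are absent from the file, so it governs unlisted actions rather than "context_is_admin" itself.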