Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants
I have dug deep into the code for glance, shoving debug outputs to see what I
can find in our queens environment.
Here is my debug code (I have a lot more but this is the salient part)
LOG.debug("in enforce(), action='%s', policyvalues='%s'", action,
context.to_policy_values())
return super(Enforcer, self).enforce(action, target,
context.to_policy_values(),
do_raise=True,
exc=exception.Forbidden,
action=action)
below is the output attempting to set an image that I own while being an admin
to public via `openstack image set –public cirros`
2018-10-25 18:29:16.575 17561 DEBUG glance.api.policy
[req-e343bb10-8ec8-40df-8c0c-47d1b217ca0d - - - - -] in enforce(),
action='publicize_image', policyvalues='{'service_roles': [], 'user_id': None,
'roles': [], 'user_domain_id': None, 'service_project_id': None,
'service_user_id': None, 'service_user_domain_id': None,
'service_project_domain_id': None, 'is_admin_project': True, 'user': None,
'project_id': None, 'tenant': None, 'project_domain_id': None}' enforce
/usr/lib/python2.7/site-packages/glance/api/policy.py:64
And here is what shows up when I `openstack image list` as our test user
(`jonathan`) that is NOT an admin
2018-10-25 18:32:24.841 17564 DEBUG glance.api.policy
[req-22abdcf2-14cd-4680-8deb-e48902a7ddef - - - - -] in enforce(),
action='get_images', policyvalues='{'service_roles': [], 'user_id': None,
'roles': [], 'user_domain_id': None, 'service_project_id': None,
'service_user_id': None, 'service_user_domain_id': None,
'service_project_domain_id': None, 'is_admin_project': True, 'user': None,
'project_id': None, 'tenant': None, 'project_domain_id': None}' enforce
/usr/lib/python2.7/site-packages/glance/api/policy.py:64
The takeaway that I have is that in the case of get_images, is_admin_project is
True, which is WRONG for that test but since it’s a read-only operation it’s
content to shortcircuit and return all those images.
In the case of publicize_image, the is_admin_project being True isn’t enough,
and when it checks user (which is None) it says NOPE.
So somehow for some reason glance APIs context is super duper wrong.
Mike Moore, M.S.S.E.
Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov
Hydrogen fusion brightens my day.
___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants
For reference, here is our full glance policy.json
{
"context_is_admin": "role:admin",
"default": "role:admin",
"add_image": "",
"delete_image": "",
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "role:admin",
"communitize_image": "",
"copy_from": "",
"download_image": "",
"upload_image": "",
"delete_image_location": "",
"get_image_location": "",
"set_image_location": "",
"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "",
"manage_image_cache": "role:admin",
"get_task": "",
"get_tasks": "",
"add_task": "",
"modify_task": "",
"tasks_api_access": "role:admin",
"deactivate": "",
"reactivate": "",
"get_metadef_namespace": "",
"get_metadef_namespaces":"",
"modify_metadef_namespace":"",
"add_metadef_namespace":"",
"get_metadef_object":"",
"get_metadef_objects":"",
"modify_metadef_object":"",
"add_metadef_object":"",
"list_metadef_resource_types":"",
"get_metadef_resource_type":"",
"add_metadef_resource_type_association":"",
"get_metadef_property":"",
"get_metadef_properties":"",
"modify_metadef_property":"",
"add_metadef_property":"",
"get_metadef_tag":"",
"get_metadef_tags":"",
"modify_metadef_tag":"",
"add_metadef_tag":"",
"add_metadef_tags":""
}
Mike Moore, M.S.S.E.
Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov
Hydrogen fusion brightens my day.
On 10/19/18, 12:39 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
INC.]" wrote:
Our NDC domain is LDAP backed. Default is not.
Our keystone policy.json file is empty {}
Mike Moore, M.S.S.E.
Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov
Hydrogen fusion brightens my day.
On 10/18/18, 7:24 PM, "Chris Apsey" wrote:
We are using multiple keystone domains - still can't reproduce this.
Do you happen to have a customized keystone policy.json?
Worst case, I would launch a devstack of your targeted release. If you
can't reproduce the issue there, you would at least know its caused by
a
nonstandard config rather than a bug (or at least not a bug that's
present
when using a default config)
On October 18, 2018 18:50:12 iain MacDonnell
wrote:
> That all looks fine.
>
> I believe that the "default" policy applies in place of any that's not
> explicitly specified - i.e. "if there's no matching policy below, you
> need to have the admin role to be able to do it". I do have that line
in
> my policy.json, and I cannot reproduce your problem (see below).
>
> I'm not using domains (other than "default"). I wonder if that's a
factor...
>
> ~iain
>
>
> $ openstack user create --password foo user1
> +-+--+
> | Field | Value|
> +-+--+
> | domain_id | default |
> | enabled | True |
> | id | d18c0031ec56430499a2d690cb1f125c |
> | name| user1|
> | options | {} |
> | password_expires_at | None |
> +-+--+
> $ openstack user create --password foo user2
> +-+--+
> | Field | Value|
> +-+--+
> | domain_id | default |
> | enabled | True |
> | id | be9f1061a5104abd834eabe98dff055d |
> | name| user2|
> | options | {} |
> | password_expires_at | None |
> +-+--+
> $ openstack project create project1
> +-+--+
> | Field | Value|
> +-+--+
> | description | |
> | domain_id | default |
> | enabled | True |
> | id | 826876d6d3724018bae6253c7f540cb3
Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants
Our NDC domain is LDAP backed. Default is not.
Our keystone policy.json file is empty {}
Mike Moore, M.S.S.E.
Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov
Hydrogen fusion brightens my day.
On 10/18/18, 7:24 PM, "Chris Apsey" wrote:
We are using multiple keystone domains - still can't reproduce this.
Do you happen to have a customized keystone policy.json?
Worst case, I would launch a devstack of your targeted release. If you
can't reproduce the issue there, you would at least know its caused by a
nonstandard config rather than a bug (or at least not a bug that's present
when using a default config)
On October 18, 2018 18:50:12 iain MacDonnell
wrote:
> That all looks fine.
>
> I believe that the "default" policy applies in place of any that's not
> explicitly specified - i.e. "if there's no matching policy below, you
> need to have the admin role to be able to do it". I do have that line in
> my policy.json, and I cannot reproduce your problem (see below).
>
> I'm not using domains (other than "default"). I wonder if that's a
factor...
>
> ~iain
>
>
> $ openstack user create --password foo user1
> +-+--+
> | Field | Value|
> +-+--+
> | domain_id | default |
> | enabled | True |
> | id | d18c0031ec56430499a2d690cb1f125c |
> | name| user1|
> | options | {} |
> | password_expires_at | None |
> +-+--+
> $ openstack user create --password foo user2
> +-+--+
> | Field | Value|
> +-+--+
> | domain_id | default |
> | enabled | True |
> | id | be9f1061a5104abd834eabe98dff055d |
> | name| user2|
> | options | {} |
> | password_expires_at | None |
> +-+--+
> $ openstack project create project1
> +-+--+
> | Field | Value|
> +-+--+
> | description | |
> | domain_id | default |
> | enabled | True |
> | id | 826876d6d3724018bae6253c7f540cb3 |
> | is_domain | False|
> | name| project1 |
> | parent_id | default |
> | tags| [] |
> +-+--+
> $ openstack project create project2
> +-+--+
> | Field | Value|
> +-+--+
> | description | |
> | domain_id | default |
> | enabled | True |
> | id | b446b93ac6e24d538c1943acbdd13cb2 |
> | is_domain | False|
> | name| project2 |
> | parent_id | default |
> | tags| [] |
> +-+--+
> $ openstack role add --user user1 --project project1 _member_
> $ openstack role add --user user2 --project project2 _member_
> $ export OS_PASSWORD=foo
> $ export OS_USERNAME=user1
> $ export OS_PROJECT_NAME=project1
> $ openstack image list
> +--+++
> | ID | Name | Status |
> +--+++
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> +--+++
> $ openstack image create --private image1
>
+--+--+
> | Field| Value
> |
>
+--+--+
> |
Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants
We are using multiple keystone domains - still can't reproduce this.
Do you happen to have a customized keystone policy.json?
Worst case, I would launch a devstack of your targeted release. If you
can't reproduce the issue there, you would at least know its caused by a
nonstandard config rather than a bug (or at least not a bug that's present
when using a default config)
On October 18, 2018 18:50:12 iain MacDonnell
wrote:
That all looks fine.
I believe that the "default" policy applies in place of any that's not
explicitly specified - i.e. "if there's no matching policy below, you
need to have the admin role to be able to do it". I do have that line in
my policy.json, and I cannot reproduce your problem (see below).
I'm not using domains (other than "default"). I wonder if that's a factor...
~iain
$ openstack user create --password foo user1
+-+--+
| Field | Value|
+-+--+
| domain_id | default |
| enabled | True |
| id | d18c0031ec56430499a2d690cb1f125c |
| name| user1|
| options | {} |
| password_expires_at | None |
+-+--+
$ openstack user create --password foo user2
+-+--+
| Field | Value|
+-+--+
| domain_id | default |
| enabled | True |
| id | be9f1061a5104abd834eabe98dff055d |
| name| user2|
| options | {} |
| password_expires_at | None |
+-+--+
$ openstack project create project1
+-+--+
| Field | Value|
+-+--+
| description | |
| domain_id | default |
| enabled | True |
| id | 826876d6d3724018bae6253c7f540cb3 |
| is_domain | False|
| name| project1 |
| parent_id | default |
| tags| [] |
+-+--+
$ openstack project create project2
+-+--+
| Field | Value|
+-+--+
| description | |
| domain_id | default |
| enabled | True |
| id | b446b93ac6e24d538c1943acbdd13cb2 |
| is_domain | False|
| name| project2 |
| parent_id | default |
| tags| [] |
+-+--+
$ openstack role add --user user1 --project project1 _member_
$ openstack role add --user user2 --project project2 _member_
$ export OS_PASSWORD=foo
$ export OS_USERNAME=user1
$ export OS_PROJECT_NAME=project1
$ openstack image list
+--+++
| ID | Name | Status |
+--+++
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
+--+++
$ openstack image create --private image1
+--+--+
| Field| Value
|
+--+--+
| checksum | None
|
| container_format | bare
|
| created_at | 2018-10-18T22:17:41Z
|
| disk_format | raw
|
| file |
/v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file
|
| id | 6a0c1928-b79c-4dbf-a9c9-305b599056e4
|
| min_disk | 0
|
| min_ram | 0
|
| name | image1
|
| owner| 826876d6d3724018bae6253c7f540cb3
|
| properties | locations='[]', os_hash_algo='None',
os_hash_value='None', os_hidden='False' |
| protected| False
Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants
That all looks fine.
I believe that the "default" policy applies in place of any that's not
explicitly specified - i.e. "if there's no matching policy below, you
need to have the admin role to be able to do it". I do have that line in
my policy.json, and I cannot reproduce your problem (see below).
I'm not using domains (other than "default"). I wonder if that's a factor...
~iain
$ openstack user create --password foo user1
+-+--+
| Field | Value|
+-+--+
| domain_id | default |
| enabled | True |
| id | d18c0031ec56430499a2d690cb1f125c |
| name| user1|
| options | {} |
| password_expires_at | None |
+-+--+
$ openstack user create --password foo user2
+-+--+
| Field | Value|
+-+--+
| domain_id | default |
| enabled | True |
| id | be9f1061a5104abd834eabe98dff055d |
| name| user2|
| options | {} |
| password_expires_at | None |
+-+--+
$ openstack project create project1
+-+--+
| Field | Value|
+-+--+
| description | |
| domain_id | default |
| enabled | True |
| id | 826876d6d3724018bae6253c7f540cb3 |
| is_domain | False|
| name| project1 |
| parent_id | default |
| tags| [] |
+-+--+
$ openstack project create project2
+-+--+
| Field | Value|
+-+--+
| description | |
| domain_id | default |
| enabled | True |
| id | b446b93ac6e24d538c1943acbdd13cb2 |
| is_domain | False|
| name| project2 |
| parent_id | default |
| tags| [] |
+-+--+
$ openstack role add --user user1 --project project1 _member_
$ openstack role add --user user2 --project project2 _member_
$ export OS_PASSWORD=foo
$ export OS_USERNAME=user1
$ export OS_PROJECT_NAME=project1
$ openstack image list
+--+++
| ID | Name | Status |
+--+++
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
+--+++
$ openstack image create --private image1
+--+--+
| Field| Value
|
+--+--+
| checksum | None
|
| container_format | bare
|
| created_at | 2018-10-18T22:17:41Z
|
| disk_format | raw
|
| file |
/v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file
|
| id | 6a0c1928-b79c-4dbf-a9c9-305b599056e4
|
| min_disk | 0
|
| min_ram | 0
|
| name | image1
|
| owner| 826876d6d3724018bae6253c7f540cb3
|
| properties | locations='[]', os_hash_algo='None',
os_hash_value='None', os_hidden='False' |
| protected| False
|
| schema | /v2/schemas/image
|
| size | None
|
| status | queued
|
| tags |
|
| updated_at | 2018-10-18T22:17:41Z
|
| virtual_size | None
|
| visibility | private
|
Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants
openstack user create --domain default --password --project-domain ndc
--project test mike
openstack role add --user mike --user-domain default --project test user
my admin account is in the NDC domain with a different username.
/etc/glance/policy.json
{
"context_is_admin": "role:admin",
"default": "role:admin",
I'm not terribly familiar with the policies but I feel like that default line
is making everyone an admin by default?
Mike Moore, M.S.S.E.
Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov
Hydrogen fusion brightens my day.
On 10/18/18, 6:25 PM, "iain MacDonnell" wrote:
I suspect that your non-admin user is not really non-admin. How did you
create it?
What you have for "context_is_admin" in glance's policy.json ?
~iain
On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
INTEGRA, INC.] wrote:
> I have replicated this unexpected behavior in a Pike test environment, in
addition to our Queens environment.
>
>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> michael.d.mo...@nasa.gov
>
> Hydrogen fusion brightens my day.
>
>
> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
INC.]" wrote:
>
> Yes. I verified it by creating a non-admin user in a different
tenant. I created a new image, set to private with the project defined as our
admin tenant.
>
> In the database I can see that the image is 'private' and the owner
is the ID of the admin tenant.
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> michael.d.mo...@nasa.gov
>
> Hydrogen fusion brightens my day.
>
>
> On 10/18/18, 1:07 AM, "iain MacDonnell"
wrote:
>
>
>
> On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.] wrote:
> > I’m seeing unexpected behavior in our Queens environment
related to
> > Glance image visibility. Specifically users who, based on my
> > understanding of the visibility and ownership fields, should
NOT be able
> > to see or view the image.
> >
> > If I create a new image with openstack image create and
specify –project
> > and –private a non-admin user in a different tenant
can see and
> > boot that image.
> >
> > That seems to be the opposite of what should happen. Any ideas?
>
> Yep, something's not right there.
>
> Are you sure that the user that can see the image doesn't have
the admin
> role (for the project in its keystone token) ?
>
> Did you verify that the image's owner is what you intended, and
that the
> visibility really is "private" ?
>
> ~iain
>
> ___
> OpenStack-operators mailing list
> OpenStack-operators@lists.openstack.org
>
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators=DwIGaQ=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE=
>
>
> ___
> OpenStack-operators mailing list
> OpenStack-operators@lists.openstack.org
>
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators=DwIGaQ=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE=
>
>
___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants
I suspect that your non-admin user is not really non-admin. How did you create it? What you have for "context_is_admin" in glance's policy.json ? ~iain On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote: I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment. Mike Moore, M.S.S.E. Systems Engineer, Goddard Private Cloud michael.d.mo...@nasa.gov Hydrogen fusion brightens my day. On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" wrote: Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant. In the database I can see that the image is 'private' and the owner is the ID of the admin tenant. Mike Moore, M.S.S.E. Systems Engineer, Goddard Private Cloud michael.d.mo...@nasa.gov Hydrogen fusion brightens my day. On 10/18/18, 1:07 AM, "iain MacDonnell" wrote: On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote: > I’m seeing unexpected behavior in our Queens environment related to > Glance image visibility. Specifically users who, based on my > understanding of the visibility and ownership fields, should NOT be able > to see or view the image. > > If I create a new image with openstack image create and specify –project > and –private a non-admin user in a different tenant can see and > boot that image. > > That seems to be the opposite of what should happen. Any ideas? Yep, something's not right there. Are you sure that the user that can see the image doesn't have the admin role (for the project in its keystone token) ? Did you verify that the image's owner is what you intended, and that the visibility really is "private" ? ~iain ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators=DwIGaQ=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE= ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators=DwIGaQ=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE= ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants
Do you have a liberal/custom policy.json that perhaps is causing unexpected behavior? Can't seem to reproduce this. On October 18, 2018 18:13:22 "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" wrote: I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment. Mike Moore, M.S.S.E. Systems Engineer, Goddard Private Cloud michael.d.mo...@nasa.gov Hydrogen fusion brightens my day. On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" wrote: Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant. In the database I can see that the image is 'private' and the owner is the ID of the admin tenant. Mike Moore, M.S.S.E. Systems Engineer, Goddard Private Cloud michael.d.mo...@nasa.gov Hydrogen fusion brightens my day. On 10/18/18, 1:07 AM, "iain MacDonnell" wrote: On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote: I’m seeing unexpected behavior in our Queens environment related to Glance image visibility. Specifically users who, based on my understanding of the visibility and ownership fields, should NOT be able to see or view the image. If I create a new image with openstack image create and specify –project and –private a non-admin user in a different tenant can see and boot that image. That seems to be the opposite of what should happen. Any ideas? Yep, something's not right there. Are you sure that the user that can see the image doesn't have the admin role (for the project in its keystone token) ? Did you verify that the image's owner is what you intended, and that the visibility really is "private" ? ~iain ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants
I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment. Mike Moore, M.S.S.E. Systems Engineer, Goddard Private Cloud michael.d.mo...@nasa.gov Hydrogen fusion brightens my day. On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" wrote: Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant. In the database I can see that the image is 'private' and the owner is the ID of the admin tenant. Mike Moore, M.S.S.E. Systems Engineer, Goddard Private Cloud michael.d.mo...@nasa.gov Hydrogen fusion brightens my day. On 10/18/18, 1:07 AM, "iain MacDonnell" wrote: On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote: > I’m seeing unexpected behavior in our Queens environment related to > Glance image visibility. Specifically users who, based on my > understanding of the visibility and ownership fields, should NOT be able > to see or view the image. > > If I create a new image with openstack image create and specify –project > and –private a non-admin user in a different tenant can see and > boot that image. > > That seems to be the opposite of what should happen. Any ideas? Yep, something's not right there. Are you sure that the user that can see the image doesn't have the admin role (for the project in its keystone token) ? Did you verify that the image's owner is what you intended, and that the visibility really is "private" ? ~iain ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants
On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote: I’m seeing unexpected behavior in our Queens environment related to Glance image visibility. Specifically users who, based on my understanding of the visibility and ownership fields, should NOT be able to see or view the image. If I create a new image with openstack image create and specify –project and –private a non-admin user in a different tenant can see and boot that image. That seems to be the opposite of what should happen. Any ideas? Yep, something's not right there. Are you sure that the user that can see the image doesn't have the admin role (for the project in its keystone token) ? Did you verify that the image's owner is what you intended, and that the visibility really is "private" ? ~iain ___ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
