[Yahoo-eng-team] [Bug 1596927] Re: Glance installation does not appear to detect admin role
Looks like this was a configuration problem, closing as invalid.

** Changed in: glance
       Status: New => Invalid

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1596927

Title: Glance installation does not appear to detect admin role

Status in Glance: Invalid
Status in openstack-manuals: Invalid

Bug description:

Following the installation guide on Ubuntu 16.04 and using the provided Mitaka packages on new clean VM installation.

Once I attempt to upload an image with the --public flag glance reports 403 Forbidden when using the admin account. (debug output at the end of the bug). Again this is using the ADMIN account who is in the ADMIN role of both the admin and service projects.

I'm guessing this is a documentation issue and somewhere along the instructions something's not happening in the right order.

It seems that glance is not properly detecting the admin-ness of the admin account, i.e. resolving that admin is in the role admin. If I remove the "role:admin" from publicize_image in /etc/glance/policy.json, the above command works.

The username and password for the glance account in /etc/glance/glance-api.conf and glance-registry.conf are correct. It seems that only those operations that require the admin role are broken.

The admin user environment is set as:

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

The documented roles/projects/users are defined:

root@controller:~# openstack user list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 2c2f877dad19415aa2f3c410cc23f7f5 | glance |
| 4200ae4f41a24e1195f1fa1f2a6bc7c8 | admin  |
| df223dbfc8534f089677da8002f084a2 | demo   |
+----------------------------------+--------+

root@controller:~# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 5958a2db1dec48a3ae8e01a2b5704080 | admin |
| d75766b685a943cca51c7869fe39ee09 | user  |
+----------------------------------+-------+

root@controller:~# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 0e53ec33b2dd45adcd0a4d432512     | admin   |
| 24178e2444634949a96877a906ddc6f5 | demo    |
| 62ce2aaa1a3b4c7c855d11af43eb26a9 | service |
+----------------------------------+---------+

root@controller:~# openstack role assignment list --names
+-------+----------------+-------+-----------------+--------+-----------+
| Role  | User           | Group | Project         | Domain | Inherited |
+-------+----------------+-------+-----------------+--------+-----------+
| admin | glance@default |       | service@default |        | False     |
| admin | admin@default  |       | admin@default   |        | False     |
| admin | admin@default  |       | service@default |        | False     |
| user  | demo@default   |       | demo@default    |        | False     |
+-------+----------------+-------+-----------------+--------+-----------+

Debug output:

root@controller:~# openstack --debug image create "cirros" --file cirros-0.3.4-x86_64-disk.img --disk-format qcow2 --container-format bare --public
START with options: ['--debug', 'image', 'create', 'cirros', '--file', 'cirros-0.3.4-x86_64-disk.img', '--disk-format', 'qcow2', '--container-format', 'bare', '--public']
options: Namespace(access_token_endpoint='', auth_type='', auth_url='http://controller:35357/v3', cacert='', client_id='', client_secret='***', cloud='', debug=True, default_domain='default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='', log_file=None, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='2', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', password='***', profile=None, project_domain_id='', project_domain_name='default', project_id='', project_name='admin', protocol='', region_name='', scope='', service_provider_endpoint='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='default', user_id='', username='admin', verbose_level=3, verify=None)
defaults: {u'auth_type': 'password', u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', 'api_timeout': None, u'baremetal_api_version': u'1', u'image_api_version': u'2', 'cacert':
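
Added example (not part of the original report, and not Glance or oslo.policy code): a simplified evaluator for policy.json-style rules, showing that a request whose roles never reach the policy check is refused only by the role-gated rules, which matches the symptom described above. The thread does not say which setting was wrong; the sample policy is constructed, with only the publicize_image rule taken from the report, and the evaluator handles "", role:, rule: and flat and/or without parentheses.

```python
import json

# Constructed sample policy; only "publicize_image": "role:admin" is quoted
# from the bug report. The other entries are assumptions for illustration.
SAMPLE_POLICY = json.loads("""
{
    "context_is_admin": "role:admin",
    "default": "role:admin",
    "add_image": "",
    "get_images": "",
    "publicize_image": "role:admin",
    "manage_image_cache": "rule:context_is_admin"
}
""")


def check(rule, roles, policy, depth=0):
    """Evaluate a small subset of the rule language against a list of roles."""
    if depth > 10:
        raise ValueError("rule reference loop")
    rule = rule.strip()
    if rule == "":
        return True  # an empty rule allows every caller
    if " or " in rule:  # 'or' binds looser than 'and', so split on it first
        return any(check(p, roles, policy, depth + 1) for p in rule.split(" or "))
    if " and " in rule:
        return all(check(p, roles, policy, depth + 1) for p in rule.split(" and "))
    kind, _, value = rule.partition(":")
    if kind == "role":
        # This sketch compares role names case-insensitively.
        return value.lower() in {r.lower() for r in roles}
    if kind == "rule":
        return check(policy[value], roles, policy, depth + 1)
    raise ValueError("unsupported check: %r" % rule)


def denied_actions(roles, policy=SAMPLE_POLICY):
    """Return the sorted rule names that would refuse this role set (HTTP 403)."""
    return sorted(name for name, rule in policy.items()
                  if not check(rule, roles, policy))


if __name__ == "__main__":
    cases = [("roles=['admin']", ["admin"]),
             ("roles=['user']", ["user"]),
             ("roles=[] (identity not resolved)", [])]
    for label, roles in cases:
        print(label, "->", denied_actions(roles) or "nothing denied")
```

Comparing the denied set for the roles shown by `openstack role assignment list` with what the service actually refuses tells you whether the fault is in the policy file or in how the request's identity reaches the policy check.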
[Yahoo-eng-team] [Bug 1596927] Re: Glance installation does not appear to detect admin role
Hi everyone,

Launchpad is for bug reports and fixes. I recommend you go to ask.openstack.org or perhaps address your question in #openstack on Freenode.

Once the issue "It seems that glance is not properly detecting the admin-ness of the admin account, i.e. resolving that admin is in the role admin. If I remove the "role:admin" from publicize_image in /etc/glance/policy.json, the above command works." has been fixed in Glance, we can reopen this and address this in the documentation.

Thanks,
Alex

** Changed in: openstack-manuals
       Status: Confirmed => Invalid

Status in Glance: New
Status in openstack-manuals: Invalid
[Yahoo-eng-team] [Bug 1596927] Re: Glance installation does not appear to detect admin role
I am also seeing this issue on Ubuntu Xenial (16.04.1) using the stable/Newton branch.

** Also affects: glance
   Importance: Undecided
       Status: New

** Changed in: openstack-manuals
       Status: Opinion => Confirmed

Status in Glance: New
Status in openstack-manuals: Confirmed