[openstack-dev] [glance] Permissions differences for glance image-create between Icehouse and Juno

Tom Fifield tom at openstack.org
Tue Oct 28 01:26:35 UTC 2014 

Sorry, early morning!

I can confirm that in your policy.json there is:

    "publicize_image": "role:admin",

which seems to match what's needed :)

Regards,


Tom

On 28/10/14 10:18, Jay Pipes wrote:
> Right, but as you can read below, I'm using an admin to do the operation...
> 
> Which is why I'm curious what exactly I'm supposed to do :)
> 
> -jay
> 
> On 10/27/2014 09:04 PM, Tom Fifield wrote:
>> This was covered in the release notes for glance, under "Upgrade notes":
>>
>> https://wiki.openstack.org/wiki/ReleaseNotes/Juno#Upgrade_Notes_3
>>
>> * The ability to upload a public image is now admin-only by default. To
>> continue to use the previous behaviour, edit the publicize_image flag in
>> etc/policy.json to remove the role restriction.
>>
>> Regards,
>>
>>
>> Tom
>>
>> On 28/10/14 01:22, Jay Pipes wrote:
>>> Hello Glancers,
>>>
>>> Peter and I are having issues working with a Juno Glance endpoint.
>>> Specifically, a glance image-create ... --is_public=True CLI command
>>> that *was* working in our Icehouse cloud is now failing in our Juno
>>> cloud with a 403 Forbidden.
>>>
>>> The specific command in question is:
>>>
>>> glance image-create --name "cirros-0.3.2-x86_64" --file
>>> /var/tmp/cirros-0.3.2-x86_64-disk.img --disk-format qcow2
>>> --container-format bare --is_public=True
>>>
>>> If we take off the is_public=True, everything works just fine. We are
>>> executing the above command as a user with a user called "admin" having
>>> the role "admin" in a project called "admin".
>>>
>>> We have enabled debug=True conf option in both glance-api.conf and
>>> glance-registry.conf, and unfortunately, there is no log output at all,
>>> other than spitting out the configuration option settings on daemon
>>> startup and a few messages like "Loaded policy rules: ..." which don't
>>> actually provide any useful information about policy *decisions* that
>>> are made... :(
>>>
>>> Any help is most appreciated. Our policy.json file is the stock one that
>>> comes in the Ubuntu Cloud Archive glance packages, i.e.:
>>>
>>> http://paste.openstack.org/show/125420/
>>>
>>> Best,
>>> -jay
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list