[glance] [ops] Issue sharing an image with another project (something related to get_image_location)

Massimo Sgaravatto massimo.sgaravatto at gmail.com
Mon Apr 29 14:43:08 UTC 2019

I have a small Rocky installation where Glance is configured with 2
backends (old images use the 'file' backend while new ones use the rbd
backend, which is the default).

show_multiple_locations is true but I have these settings in policy.json:

# grep _image_location /etc/glance/policy.json
    "delete_image_location": "role:admin",
    "get_image_location": "role:admin",
    "set_image_location": "role:admin",

This was done because of:

If an unpriv user tries to share a private image:

$ openstack image add project 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6
403 Forbidden: Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6. (HTTP 403)

In the log file it looks like the problem is related to the
get_image_location operation:

/var/log/glance/api.log:2019-04-29 16:06:54.523 8220 WARNING glance.api.v2.image_members [req-dd93cdc9-767d-4c51-8e5a-edf746c02264 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default default] Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6.: Forbidden: You are not authorized to complete get_image_location action.

But actually the sharing operation succeeded:

$ glance member-list --image-id 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6
| Image ID                             | Member ID                        | Status  |
| 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 | e81df4c0b493439abb8b85bfd4cbe071 | pending |

Cheers, Massimo
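
The mismatch reported above (a 403 on member creation while the member row exists) can be audited by correlating api.log warnings with member-list output. The following is an added example, not part of the original post or of Glance; the sample inputs are constructed from the lines quoted in the message, and the function names are hypothetical.

```python
import re

# Constructed sample input: the warning quoted in the post, joined onto one line,
# followed by one unrelated constructed line.
SAMPLE_LOG = """\
/var/log/glance/api.log:2019-04-29 16:06:54.523 8220 WARNING glance.api.v2.image_members [req-dd93cdc9-767d-4c51-8e5a-edf746c02264 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default default] Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6.: Forbidden: You are not authorized to complete get_image_location action.
2019-04-29 16:07:10.101 8220 INFO glance.api.v2.images [req-00000000-0000-0000-0000-000000000000 - - - - -] constructed unrelated line
"""

# Constructed sample input: the member-list rows from the post, unwrapped.
SAMPLE_MEMBERS = """\
| Image ID                             | Member ID                        | Status  |
| 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 | e81df4c0b493439abb8b85bfd4cbe071 | pending |
"""

# Assumption: the bracketed context is "request-id user project ..." as in
# oslo.log's default format; the log line does not name the member being added.
DENIED = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \d+ WARNING "
    r"glance\.api\.v2\.image_members "
    r"\[(?P<req>req-[0-9a-f-]+) (?P<user>\S+) (?P<project>\S+) .*?\] "
    r"Not allowed to create members for image (?P<image>[0-9a-f-]{36})\.: "
    r"Forbidden: You are not authorized to complete (?P<action>\w+) action\."
)

def denied_member_creates(log_text):
    """Return one dict per member-create request that was logged as Forbidden."""
    return [m.groupdict() for line in log_text.splitlines() if (m := DENIED.search(line))]

def parse_members(table_text):
    """Parse member-list table rows into {image_id: {member_id: status}}."""
    members = {}
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 3 and re.fullmatch(r"[0-9a-f-]{36}", cells[0]):
            members.setdefault(cells[0], {})[cells[1]] = cells[2]
    return members

def denied_but_shared(log_text, table_text):
    """Denied requests whose image still has members, i.e. the 403 did not stop the write."""
    members = parse_members(table_text)
    return [dict(d, members=members[d["image"]])
            for d in denied_member_creates(log_text) if d["image"] in members]

if __name__ == "__main__":
    for hit in denied_but_shared(SAMPLE_LOG, SAMPLE_MEMBERS):
        print(hit["ts"], hit["image"], hit["action"], hit["members"])
```

Correlation is by image ID only, so a member that already existed before the denied request is reported as well; compare the warning's timestamp with when the member was added before treating a hit as a write that slipped past the policy check.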