[Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] michael.d.moore at nasa.gov
Thu Oct 18 22:11:40 UTC 2018


I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.



Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
Michael.D.Moore at nasa.gov
 
Hydrogen fusion brightens my day.
 

On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:

    Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
    
    In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
    
    Mike Moore, M.S.S.E.
     
    Systems Engineer, Goddard Private Cloud
    Michael.D.Moore at nasa.gov
     
    Hydrogen fusion brightens my day.
     
    
    On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
    
        
        
        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS 
        INTEGRA, INC.] wrote:
        > I’m seeing unexpected behavior in our Queens environment related to 
        > Glance image visibility. Specifically users who, based on my 
        > understanding of the visibility and ownership fields, should NOT be able 
        > to see or view the image.
        > 
        > If I create a new image with openstack image create and specify --project 
        > <tenant> and --private a non-admin user in a different tenant can see and 
        > boot that image.
        > 
        > That seems to be the opposite of what should happen. Any ideas?
        
        Yep, something's not right there.
        
        Are you sure that the user that can see the image doesn't have the admin 
        role (for the project in its keystone token) ?
        
        Did you verify that the image's owner is what you intended, and that the 
        visibility really is "private" ?
        
             ~iain
        
        _______________________________________________
        OpenStack-operators mailing list
        OpenStack-operators at lists.openstack.org
        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
        
    
    

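To make the "owner / visibility / admin role" checks from this thread concrete, here is an added example (not code from the thread or from Glance itself) that encodes Glance's documented visibility rules for Ocata-and-later releases such as Pike and Queens, and flags images a given user was able to list but should not have. The image records, project ids and the observed listing are constructed sample data mirroring the scenario above.

```python
"""Audit Glance image visibility against what a user actually saw.

Glance visibility values (Ocata and later, so Pike and Queens):
  public    - accessible to every project
  community - accessible to every project (not listed by default, but usable by id)
  shared    - owner project plus explicitly added member projects
  private   - owner project only
A token carrying the admin role sees every image regardless of visibility.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Image:
    id: str
    owner: str                       # project id that owns the image
    visibility: str                  # public | community | shared | private
    members: frozenset = frozenset()  # member project ids for 'shared' images


@dataclass(frozen=True)
class Requester:
    project_id: str                  # project scoped in the keystone token
    roles: frozenset = frozenset()   # roles in that token, e.g. {"admin"}


def should_see(img: Image, who: Requester) -> bool:
    """True if Glance's rules say `who` may see/boot `img`."""
    if "admin" in who.roles:
        return True
    if img.visibility in ("public", "community"):
        return True
    if img.visibility == "shared":
        return who.project_id == img.owner or who.project_id in img.members
    if img.visibility == "private":
        return who.project_id == img.owner
    raise ValueError(f"unknown visibility {img.visibility!r} on image {img.id}")


def unexpected_visible(images, who: Requester, observed_ids) -> list:
    """Ids the user actually listed that the rules say should be hidden."""
    expected = {i.id for i in images if should_see(i, who)}
    return sorted(set(observed_ids) - expected)


def audit_sample() -> list:
    """Constructed data: a private image owned by the admin project, listed by a
    non-admin user in another project (the symptom reported in the thread)."""
    images = [
        Image("img-private-admin", "admin-proj", "private"),
        Image("img-public", "admin-proj", "public"),
        Image("img-shared", "admin-proj", "shared", frozenset({"other-proj"})),
    ]
    user = Requester("other-proj")   # no admin role in the token
    observed = ["img-private-admin", "img-public", "img-shared"]
    return unexpected_visible(images, user, observed)
```

Build the `Image` list from the glance `images` and `image_members` tables (or the API) and the observed list from what the non-admin user's `openstack image list` returned; an empty result means the listing matched policy, while any id returned is a leak to investigate, starting with whether the token really lacks the admin role.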