<div dir="ltr">Hi Tom,<div><br></div><div>Thanks for the note. The contents of my policy.json file were already the same as what the commit suggests:</div><div><br></div><div><a href="https://review.openstack.org/#/c/28048/3/etc/policy.json">https://review.openstack.org/#/c/28048/3/etc/policy.json</a><br>
</div><div><br></div><div>It looks like the default policy.json file that comes with the Ubuntu Havana Glance package does not need modified. Upgrading to Havana might require that line to be added, though, and the Havana release notes correctly reflect that.</div>
<div><br></div><div>However, given all of that, this does not seem to resolve the issue. </div><div><br></div><div>Are there other policy modifications that need made? Or any other role modifications in general?</div><div>
<br></div><div>Thanks,</div><div>Joe</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jan 21, 2014 at 10:39 AM, Hancock, Tom (HP Cloud Services) <span dir="ltr"><<a href="mailto:Tom.Hancock@hp.com" target="_blank">Tom.Hancock@hp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">We fell over something like this previously. Upon investigation it turned out to<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">be due to not setting a ‘context_is_admin’ rule in /etc/glance/policy.json.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Check change id
</span>Ide2cf604b48f24bd759ce2d65091ff546cd9d22e<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">for why this is now necessary in Havana.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I hope this helps,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Tom<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt;font-family:"Calibri","sans-serif";color:#1f497d">---<br>
<br>
Tomas Hancock, HP Converged Cloud, Hewlett Packard, Galway. Ireland <a href="tel:%2B353-91-754765" value="+35391754765" target="_blank">+353-91-754765</a><br>
<br>
Postal Address : Hewlett Packard Galway Limited, European Software Centre, Ballybrit Business Park, Galway, Ireland<br>
Registered Office: Hewlett Packard Galway Limited, 63-74 Sir John Rogerson's Quay, Dublin 2 Registered Number: 361933<br>
<br>
The contents of this message and any attachments to it are confidential and may be legally privileged. If you have received this message in error you should delete it from your system immediately and advise the sender. To any recipient of this message within
HP, unless otherwise stated, you should consider this message and attachments as "HP CONFIDENTIAL".</span><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Joe Topjian [mailto:<a href="mailto:joe@topjian.net" target="_blank">joe@topjian.net</a>]
<br>
<b>Sent:</b> 21 January 2014 07:11<br>
<b>To:</b> Scott Devoid<br>
<b>Cc:</b> <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a> Openstack</span></p><div><div class="h5"><br>
<b>Subject:</b> Re: [Openstack] Private images are not displayed in Horizon<u></u><u></u></div></div><p></p>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">I agree that this is a big deal. I also agree that I don't want to deploy Havana until this is resolved.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Worst case scenario: User 1 creates an instance that contains sensitive information then creates a snapshot for backup purposes. User 2 sees User 1's snapshot and launches it. <u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Can any of the Glance devs chime in on this? Can you confirm reproduction of the issue we have described and explain what's going on here?<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Tue, Jan 21, 2014 at 12:04 AM, Scott Devoid <<a href="mailto:devoid@anl.gov" target="_blank">devoid@anl.gov</a>> wrote:<u></u><u></u></p>
<div>
<p class="MsoNormal">Yup, this is a big deal for us. I can't realistically deploy Havana to my users until this is resolved.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Note that my bug reports also cover a number of other undesirable behaviors on the part of glance(-client).<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">- No checking of the "owner" field against keystone.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">- Listing images does not query for "owner" tenant or username field at the SQL level.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">- By default images are not given an "owner" with "glance image-create".<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Presumably there is something wrong with my configuration, but I've followed the Ubuntu installation guide. [1]<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Any help would be appreciated. Otherwise I'll probably disable public access to glance. :(<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">~ Scott<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">[1] <a href="http://docs.openstack.org/havana/install-guide/install/apt/content/" target="_blank">http://docs.openstack.org/havana/install-guide/install/apt/content/</a><u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Mon, Jan 20, 2014 at 1:22 PM, Joe Topjian <<a href="mailto:joe@topjian.net" target="_blank">joe@topjian.net</a>> wrote:<u></u><u></u></p>
<div>
<p class="MsoNormal">I'm running into a similar issue. <u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">In a fresh Ubuntu 12.04 Havana environment, do the following, either as an admin user or regular user:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div>
<p class="MsoNormal">glance image-create --name "CirrOS 1" --disk-format qcow2 --container-format bare --is-public true < cirros-0.3.1-x86_64-disk.img<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">glance image-list<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">glance image-create --name "CirrOS 2" --disk-format qcow2 --container-format bare --is-public false < cirros-0.3.1-x86_64-disk.img<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">glance image-list<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Prior to Havana, the second image-list would display two images: CirrOS 1 and CirrOS 2. Now only the public image is being displayed. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Additionally, Horizon is only showing one image under Public and no images under "Project".<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Someone opened a bug report about this here (<a href="https://bugs.launchpad.net/glance/+bug/1245865" target="_blank">https://bugs.launchpad.net/glance/+bug/1245865</a>) but it was closed. I think it should be re-opened.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">This next part probably isn't very good:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">glance image-list --is-public=False<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">This will display CirrOS 2. But switch to another user in another tenant and run the command again. CirrOS 2 is still shown. Create a third user in a third tenant, upload CirrOS 3 as private, switch back to user 2, and run the command again.
Both private images are shown.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">This is the behavior that Scott is describing in this bug report:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><a href="https://bugs.launchpad.net/glance/+bug/1258342" target="_blank">https://bugs.launchpad.net/glance/+bug/1258342</a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">So either this is a serious bug in Glance or the way to store and hide images in Glance has changed -- but I have found no documentation supporting that.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888">Joe<u></u><u></u></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Mon, Jan 20, 2014 at 4:46 PM, Narayanan, Krishnaprasad <<a href="mailto:narayana@uni-mainz.de" target="_blank">narayana@uni-mainz.de</a>> wrote:<u></u><u></u></p>
<p class="MsoNormal">Hallo all,<br>
<br>
Thanks for your response about the problem "Private images aren't displayed in Horizon".<br>
<br>
Can I know does this bug exist and if not, can I know the procedure for raising it as a bug?<br>
<br>
Best regards,<br>
Krishnaprasad<br>
<br>
-----Original Message-----<br>
From: Jay Pipes [mailto:<a href="mailto:jaypipes@gmail.com" target="_blank">jaypipes@gmail.com</a>]<br>
Sent: Donnerstag, 16. Januar 2014 16:30<br>
To: Narayanan, Krishnaprasad<br>
Cc: Li Ma; <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Subject: Re: [Openstack] Private images are not displayed in Horizon<br>
<br>
On Thu, 2014-01-16 at 13:59 +0000, Narayanan, Krishnaprasad wrote:<br>
> Hi,<br>
><br>
> The problem that I am facing is as the user who uploaded the image, I am unable to see it in the users account.<br>
<br>
If this is indeed the case, then that is a bug.<br>
<br>
However... make really sure that you are indeed logged in as the tenant that added the image. If you are using something like nova image-list to see your images, ensure that you are not using a cached tenant token by issuing the nova image-list commands with
the --no-cache CLI option.<br>
<br>
To set the image as a public image, as an admin, issue the following command with the glance CLI tool:<br>
<br>
glance image-update --is-public=True <IMAGE_UUID><br>
<br>
Best,<br>
-jay<br>
<br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div>
</div>
</blockquote></div><br></div>