I have a small Rocky installation where Glance is configured with 2 backends (old images use the 'file' backend while new ones use the rbd backend, which is the default) show_multiple_locations is true but I have these settings in policy.json: # grep _image_location /etc/glance/policy.json "delete_image_location": "role:admin", "get_image_location": "role:admin", "set_image_location": "role:admin", This was done because of: https://wiki.openstack.org/wiki/OSSN/OSSN-0065 If an unpriv user tries to share a private image: $ openstack image add project 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 e81df4c0b493439abb8b85bfd4cbe071 403 Forbidden: Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6. (HTTP 403) In the log file it looks like that the problem is related to the get_image_location operation: /var/log/glance/api.log:2019-04-29 16:06:54.523 8220 WARNING glance.api.v2.image_members [req-dd93cdc9-767d-4c51-8e5a-edf746c02264 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default default] Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6.: Forbidden: You are not authorized to complete get_image_location action. But actually the sharing operation succeeded: $ glance member-list --image-id 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 +--------------------------------------+----------------------------------+---------+ | Image ID | Member ID | Status | +--------------------------------------+----------------------------------+---------+ | 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 | e81df4c0b493439abb8b85bfd4cbe071 | pending | +--------------------------------------+----------------------------------+---------+ Cheers, Massimo