I have a small Rocky installation where Glance is configured with 2 backends (old images use the 'file' backend while new ones use the rbd backend, which is the default).


show_multiple_locations is true, but I have these settings in policy.json:

# grep _image_location /etc/glance/policy.json
    "delete_image_location": "role:admin",
    "get_image_location": "role:admin",
    "set_image_location": "role:admin",

This was done because of:


If an unprivileged user tries to share a private image:

$ openstack image add project 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 e81df4c0b493439abb8b85bfd4cbe071
403 Forbidden: Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6. (HTTP 403)

In the log file it looks like the problem is related to the get_image_location operation:

/var/log/glance/api.log:2019-04-29 16:06:54.523 8220 WARNING glance.api.v2.image_members [req-dd93cdc9-767d-4c51-8e5a-edf746c02264 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default default] Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6.: Forbidden: You are not authorized to complete get_image_location action.


But actually the sharing operation succeeded:

$ glance member-list --image-id 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6
+--------------------------------------+----------------------------------+---------+
| Image ID                             | Member ID                        | Status  |
+--------------------------------------+----------------------------------+---------+
| 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 | e81df4c0b493439abb8b85bfd4cbe071 | pending |
+--------------------------------------+----------------------------------+---------+


Cheers, Massimo
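The policy.json semantics behind the "role:admin" lines above, as an added example that is not part of Massimo's post and not Glance's or oslo.policy's own code: a small evaluator for the string rule syntax (the "role:" form from the post plus oslo.policy's "rule:", "and", "or", "@" and "!" forms; no parentheses and no %(target)s interpolation), together with a helper that reports which of the three *_image_location rules a given set of roles may still perform. The sample policy is constructed for the example; the "context_is_admin" and "add_member" rule names and the "default" fallback are assumptions modelled on the usual Glance policy layout, not taken from the post.

```python
"""Minimal evaluator for the oslo.policy string rule syntax used by
Glance's policy.json.  Added example: not code from the post, from
Glance or from oslo.policy.  Supports only "role:", "rule:", generic
"key:value", "and", "or", "@" and "!" (no parentheses, no target
interpolation).  The sample policy below is constructed."""
import json

# Constructed policy fragment modelled on the grep output in the post.
# "context_is_admin", "add_member" and "default" are assumed names.
SAMPLE_POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "default": "",
    "add_member": "",
    "get_image_location": "role:admin",
    "set_image_location": "role:admin",
    "delete_image_location": "role:admin"
}
"""

LOCATION_RULES = ("get_image_location", "set_image_location",
                  "delete_image_location")


def load_rules(text):
    """Parse a policy.json document into a {rule_name: rule_string} dict."""
    rules = json.loads(text)
    if not all(isinstance(v, str) for v in rules.values()):
        raise ValueError("policy rules must be strings")
    return rules


def _check_atom(rules, atom, creds, depth):
    """Evaluate one atom such as 'role:admin' against the credentials."""
    atom = atom.strip()
    if atom in ("", "@"):          # empty rule and "@": always allowed
        return True
    if atom == "!":                # "!": never allowed
        return False
    kind, sep, value = atom.partition(":")
    if not sep:
        raise ValueError("malformed rule atom: %r" % atom)
    if kind == "role":             # role names compare case-insensitively
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    if kind == "rule":             # alias to another named rule
        return _check_rule(rules, value, creds, depth + 1)
    # Simplified generic check: compare a credential attribute verbatim.
    return str(creds.get(kind)) == value


def _check_rule(rules, name, creds, depth=0):
    if depth > 20:
        raise ValueError("rule recursion too deep (cycle in policy?)")
    # Unknown rule names fall back to "default"; with no "default" deny.
    rule = rules.get(name)
    if rule is None:
        rule = rules.get("default", "!")
    # "or" binds looser than "and": A and B or C == (A and B) or C
    return any(
        all(_check_atom(rules, a, creds, depth) for a in clause.split(" and "))
        for clause in rule.split(" or ")
    )


def enforce(rules, action, creds):
    """True when the request credentials are allowed to perform action."""
    return _check_rule(rules, action, creds)


def permissive_location_rules(rules, creds):
    """Names of the *_image_location rules that creds may perform."""
    return [name for name in LOCATION_RULES if enforce(rules, name, creds)]


if __name__ == "__main__":
    rules = load_rules(SAMPLE_POLICY_JSON)
    member = {"roles": ["member"]}
    admin = {"roles": ["admin"]}
    print("member get_image_location:", enforce(rules, "get_image_location", member))
    print("admin  get_image_location:", enforce(rules, "get_image_location", admin))
    print("location rules open to member:", permissive_location_rules(rules, member))
```

Pointing load_rules at a real /etc/glance/policy.json and calling permissive_location_rules with a non-admin role set is a quick way to confirm that none of the three location rules is still reachable once show_multiple_locations is enabled; the evaluator is deliberately a subset of oslo.policy, so rules using parentheses or %(target)s interpolation will raise rather than be silently misread.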