[openstack-dev] [glance] Permissions differences for glance image-create between Icehouse and Juno

Nikhil Komawar nikhil.komawar at RACKSPACE.COM
Fri Oct 31 18:34:27 UTC 2014


>> Did you test this with an admin user?
Yes, did test it with an admin user.

>> may be caused by an upgrade from Icehouse -> Juno.
Possibly, good point.

Thanks,
-Nikhil

________________________________________
From: Flavio Percoco [flavio at redhat.com]
Sent: Friday, October 31, 2014 4:03 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [glance] Permissions differences for glance image-create between Icehouse and Juno

On 31/10/14 04:57 +0000, Nikhil Komawar wrote:
>Hi Jay,
>
>Wanted to clarify a few things around this:
>
>1. Are you using the --is_public or --is-public option?
>2. Are you using the stable/juno branch, or is it an rc (1/2/3) from Ubuntu packages?
>
>After trying out:
>
>glance image-create --is-public=True --disk-format qcow2 --container-format bare --name foobar --name foobar --file /opt/stack/data/glance/images/5be32fc4-e063-4032-b248-516c7ab7116b
>
>the command seems to be working on the latest devstack setup with the branch stable/juno used for glance.

Did you test this with an admin user?

>The policy file in your paste looks fine too.
>
>As nothing out of the ordinary seems to be wrong, hope this intuitive suggestion helps: the filesystem store config may be mismatched (possibly there are 2 options).


I haven't had the chance to test this but my guess is that Jay's issue
may be caused by an upgrade from Icehouse -> Juno.

I'll hopefully be able to give this a try today.
Fla.

>
>Thanks,
>-Nikhil
>
>________________________________________
>From: Tom Fifield [tom at openstack.org]
>Sent: Monday, October 27, 2014 9:26 PM
>To: openstack-dev at lists.openstack.org
>Subject: Re: [openstack-dev] [glance] Permissions differences for glance image-create between Icehouse and Juno
>
>Sorry, early morning!
>
>I can confirm that in your policy.json there is:
>
>    "publicize_image": "role:admin",
>
>which seems to match what's needed :)
>
>Regards,
>
>
>Tom
>
>On 28/10/14 10:18, Jay Pipes wrote:
>> Right, but as you can read below, I'm using an admin to do the operation...
>>
>> Which is why I'm curious what exactly I'm supposed to do :)
>>
>> -jay
>>
>> On 10/27/2014 09:04 PM, Tom Fifield wrote:
>>> This was covered in the release notes for glance, under "Upgrade notes":
>>>
>>> https://wiki.openstack.org/wiki/ReleaseNotes/Juno#Upgrade_Notes_3
>>>
>>> * The ability to upload a public image is now admin-only by default. To
>>> continue to use the previous behaviour, edit the publicize_image flag in
>>> etc/policy.json to remove the role restriction.
>>>
>>> Regards,
>>>
>>>
>>> Tom
>>>
>>> On 28/10/14 01:22, Jay Pipes wrote:
>>>> Hello Glancers,
>>>>
>>>> Peter and I are having issues working with a Juno Glance endpoint.
>>>> Specifically, a glance image-create ... --is_public=True CLI command
>>>> that *was* working in our Icehouse cloud is now failing in our Juno
>>>> cloud with a 403 Forbidden.
>>>>
>>>> The specific command in question is:
>>>>
>>>> glance image-create --name "cirros-0.3.2-x86_64" --file
>>>> /var/tmp/cirros-0.3.2-x86_64-disk.img --disk-format qcow2
>>>> --container-format bare --is_public=True
>>>>
>>>> If we take off the is_public=True, everything works just fine. We are
>>>> executing the above command as a user with a user called "admin" having
>>>> the role "admin" in a project called "admin".
>>>>
>>>> We have enabled debug=True conf option in both glance-api.conf and
>>>> glance-registry.conf, and unfortunately, there is no log output at all,
>>>> other than spitting out the configuration option settings on daemon
>>>> startup and a few messages like "Loaded policy rules: ..." which don't
>>>> actually provide any useful information about policy *decisions* that
>>>> are made... :(
>>>>
>>>> Any help is most appreciated. Our policy.json file is the stock one that
>>>> comes in the Ubuntu Cloud Archive glance packages, i.e.:
>>>>
>>>> http://paste.openstack.org/show/125420/
>>>>
>>>> Best,
>>>> -jay
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
@flaper87
Flavio Percoco
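
Added example, not part of the original thread and not Glance or oslo code: a small offline evaluator for a simplified subset of the policy.json rule syntax that records every decision it makes, which is the information the debug logs in the report above did not provide. The policy text is a constructed sample built around the "publicize_image": "role:admin" line quoted in the thread; the names check, enforce and JUNO_POLICY are hypothetical.

```python
import json

# Constructed sample, not the paste from the thread: the rule quoted above
# plus two entries assumed to resemble a stock policy file.
JUNO_POLICY = json.loads("""{
    "context_is_admin": "role:admin",
    "default": "",
    "publicize_image": "role:admin"
}""")

def check(expr, rules, roles, trace, depth=0):
    """Evaluate a simplified rule expression (no parentheses) and log each step."""
    expr = expr.strip()
    if depth > 16:
        raise ValueError("rule references nested too deeply (cycle?)")
    if expr in ("", "@"):          # empty rule or '@' always allows
        result = True
    elif expr == "!":              # '!' always denies
        result = False
    elif " or " in expr:
        result = any(check(p, rules, roles, trace, depth + 1) for p in expr.split(" or "))
    elif " and " in expr:
        result = all(check(p, rules, roles, trace, depth + 1) for p in expr.split(" and "))
    elif expr.startswith("not "):
        result = not check(expr[4:], rules, roles, trace, depth + 1)
    else:
        kind, _, match = expr.partition(":")
        if kind == "role":         # role names compared case-insensitively
            result = match.lower() in {r.lower() for r in roles}
        elif kind == "rule" and match in rules:
            result = check(rules[match], rules, roles, trace, depth + 1)
        else:                      # unknown check or missing rule: deny
            result = False
    trace.append((expr, result))
    return result

def enforce(action, roles, rules=JUNO_POLICY):
    """Return (allowed, trace); an action with no rule falls back to 'default'."""
    trace = []
    allowed = check(rules.get(action, rules.get("default", "!")), rules, roles, trace)
    return allowed, trace

if __name__ == "__main__":
    for roles in (["admin"], ["_member_"]):
        allowed, trace = enforce("publicize_image", roles)
        print(roles, "->", "allowed" if allowed else "403 Forbidden", trace)
```

If this evaluation allows the request for the roles carried in the caller's token while the service still returns 403, the denial is coming from somewhere other than the rule text, such as a different policy file being loaded or the token not carrying the expected role.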


