[glance] [ops] Issue sharing an image with another project (something related to get_image_location)
Massimo Sgaravatto
massimo.sgaravatto at gmail.com
Mon Apr 29 14:43:08 UTC 2019
I have a small Rocky installation where Glance is configured with 2
backends (old images use the 'file' backend while new ones use the rbd
backend, which is the default).
show_multiple_locations is true, but I have these settings in policy.json:
# grep _image_location /etc/glance/policy.json
"delete_image_location": "role:admin",
"get_image_location": "role:admin",
"set_image_location": "role:admin",
This was done because of:
https://wiki.openstack.org/wiki/OSSN/OSSN-0065
If an unpriv user tries to share a private image:
$ openstack image add project 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 e81df4c0b493439abb8b85bfd4cbe071
403 Forbidden: Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6. (HTTP 403)
In the log file it looks like the problem is related to the
get_image_location operation:
/var/log/glance/api.log:2019-04-29 16:06:54.523 8220 WARNING glance.api.v2.image_members [req-dd93cdc9-767d-4c51-8e5a-edf746c02264 ab573ba3ea014b778193b6922ffffe6d ee1865a76440481cbcff08544c7d580a - default default] Not allowed to create members for image 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6.: Forbidden: You are not authorized to complete get_image_location action.
But actually the sharing operation succeeded:
$ glance member-list --image-id 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6
+--------------------------------------+----------------------------------+---------+
| Image ID                             | Member ID                        | Status  |
+--------------------------------------+----------------------------------+---------+
| 3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6 | e81df4c0b493439abb8b85bfd4cbe071 | pending |
+--------------------------------------+----------------------------------+---------+
Cheers, Massimo
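
Added example, not part of the original post and not Glance code: a small Python check an operator could run to find every "create member" request that api.log records as denied on a location policy action, and to flag the images that nevertheless have member rows, which is the mismatch reported above. The function names and the `members_by_image` mapping (filled by hand from `glance member-list` output) are assumptions; the first sample log line is the one quoted in the post, the second line and its all-zero image ID are constructed.

```python
import re

# oslo.log line shape as quoted in the post; a leading "file:" from grep is optional.
DENIED_RE = re.compile(
    r"^(?:\S+:)?(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \d+ WARNING "
    r"glance\.api\.v2\.image_members "
    r"\[(?P<req>req-[0-9a-f-]+) (?P<user>\S+) (?P<project>\S+) [^\]]*\] "
    r"Not allowed to create members for image (?P<image>[0-9a-f-]{36})\.: "
    r"Forbidden: You are not authorized to complete (?P<action>\w+) action\.",
    re.MULTILINE,
)

def denied_member_creates(log_text):
    """One dict per member-create request that the API logged as Forbidden."""
    return [m.groupdict() for m in DENIED_RE.finditer(log_text)]

def inconsistent_shares(log_text, members_by_image):
    """Denied requests whose image has member rows anyway (403 returned, share stored)."""
    hits = []
    for event in denied_member_creates(log_text):
        members = members_by_image.get(event["image"], [])
        if members:
            hits.append({**event, "members": members})
    return hits

CTX = ("[req-dd93cdc9-767d-4c51-8e5a-edf746c02264 ab573ba3ea014b778193b6922ffffe6d "
       "ee1865a76440481cbcff08544c7d580a - default default] ")
MSG = ("Not allowed to create members for image {}.: Forbidden: "
       "You are not authorized to complete get_image_location action.")
SAMPLE_LOG = "\n".join([
    # Line from the post, rejoined onto one line.
    "/var/log/glance/api.log:2019-04-29 16:06:54.523 8220 WARNING "
    "glance.api.v2.image_members " + CTX
    + MSG.format("3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6"),
    # Constructed line: denied request for an image that has no members.
    "2019-04-29 16:09:00.000 8220 WARNING glance.api.v2.image_members " + CTX
    + MSG.format("00000000-0000-0000-0000-000000000000"),
])
# Member rows as shown by `glance member-list` in the post.
SAMPLE_MEMBERS = {
    "3194a04b-ffc8-4aaf-b6c8-adc24e3d3fe6":
        [("e81df4c0b493439abb8b85bfd4cbe071", "pending")],
}

if __name__ == "__main__":
    for hit in inconsistent_shares(SAMPLE_LOG, SAMPLE_MEMBERS):
        print(hit["ts"], hit["req"], hit["image"], hit["action"], hit["members"])
```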