[Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Chris Apsey bitskrieg at bitskrieg.net
Thu Oct 18 22:23:35 UTC 2018


Do you have a liberal/custom policy.json that perhaps is causing unexpected 
behavior?  Can't seem to reproduce this.

On October 18, 2018 18:13:22 "Moore, Michael Dane (GSFC-720.0)[BUSINESS 
INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:

> I have replicated this unexpected behavior in a Pike test environment, in 
> addition to our Queens environment.
>
>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> Michael.D.Moore at nasa.gov
>
> Hydrogen fusion brightens my day.
>
>
> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, 
> INC.]" <michael.d.moore at nasa.gov> wrote:
>
>    Yes. I verified it by creating a non-admin user in a different tenant. I 
>    created a new image, set to private with the project defined as our admin 
>    tenant.
>
>    In the database I can see that the image is 'private' and the owner is the 
>    ID of the admin tenant.
>
>    Mike Moore, M.S.S.E.
>
>    Systems Engineer, Goddard Private Cloud
>    Michael.D.Moore at nasa.gov
>
>    Hydrogen fusion brightens my day.
>
>
>    On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>
>
>
>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>        INTEGRA, INC.] wrote:
>> I’m seeing unexpected behavior in our Queens environment related to
>> Glance image visibility. Specifically, users who, based on my
>> understanding of the visibility and ownership fields, should NOT be able
>> to see or view the image.
>>
>> If I create a new image with openstack image create and specify --project
>> <tenant> and --private, a non-admin user in a different tenant can see and
>> boot that image.
>>
>> That seems to be the opposite of what should happen. Any ideas?
>
>        Yep, something's not right there.
>
>        Are you sure that the user that can see the image doesn't have the admin
>        role (for the project in its keystone token) ?
>
>        Did you verify that the image's owner is what you intended, and that the
>        visibility really is "private" ?
>
>             ~iain
>
>        _______________________________________________
>        OpenStack-operators mailing list
>        OpenStack-operators at lists.openstack.org
>        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
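For an operator working through the two checks iain asks for (does the viewing user's token carry the admin role, and are the image's owner and visibility really what was intended) alongside Chris's policy.json question, the following is an added example; it is not code from Glance or from anyone in this thread. It models, in simplified form, the order in which Glance decides whether an image is visible to a request, with the `context_is_admin` policy rule as the switch that a liberal policy.json can flip. Every project ID, user ID and role name in it is made up, and `LIBERAL_POLICY` is a hypothetical misconfiguration, not a claim about the poster's deployment.

```python
"""Simplified model of Glance's image-visibility decision.

Added example, not Glance's own code. It follows the order Glance uses:
admin context first, then ownership, then public/community visibility,
then membership for shared images; anything else is a private image that
stays hidden. All identifiers below are made-up test data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user_id: str
    project_id: str      # project scope of the keystone token
    roles: tuple         # roles granted on that project


@dataclass(frozen=True)
class Image:
    image_id: str
    owner: str           # project ID stored as the image owner
    visibility: str      # 'private', 'shared', 'community' or 'public'
    members: frozenset = frozenset()   # project IDs on the member list


# Policy rules modelled as "any one of these roles satisfies the rule".
# An empty set behaves like a policy.json rule of "": it matches everyone.
DEFAULT_POLICY = {"context_is_admin": frozenset({"admin"})}
LIBERAL_POLICY = {"context_is_admin": frozenset()}   # hypothetical bad policy.json


def rule_allows(policy, rule_name, ctx):
    """True if ctx satisfies the named rule under this policy."""
    roles = policy[rule_name]
    return not roles or bool(roles & frozenset(ctx.roles))


def why_visible(ctx, image, policy=DEFAULT_POLICY):
    """Name the branch that makes image visible to ctx, or None if hidden."""
    if rule_allows(policy, "context_is_admin", ctx):
        return "context_is_admin"
    if image.owner == ctx.project_id:
        return "owner"
    if image.visibility in ("public", "community"):
        return image.visibility
    if image.visibility == "shared" and ctx.project_id in image.members:
        return "member"
    return None


def is_image_visible(ctx, image, policy=DEFAULT_POLICY):
    return why_visible(ctx, image, policy) is not None


def thread_scenario(outsider_roles=("member",), policy=DEFAULT_POLICY):
    """Reproduce the thread: a private image owned by the admin tenant,
    viewed by a user whose token is scoped to a different project."""
    admin_project = "0000-admin-project"      # made-up owner project ID
    other_project = "1111-other-project"      # made-up outsider project ID
    image = Image("img-1", owner=admin_project, visibility="private")
    outsider = Context("user-b", other_project, roles=tuple(outsider_roles))
    return why_visible(outsider, image, policy)


if __name__ == "__main__":
    print("default policy, member role :", thread_scenario())
    print("default policy, admin role  :", thread_scenario(("admin",)))
    print("liberal policy, member role :", thread_scenario(policy=LIBERAL_POLICY))
```

Under the default rule the outsider gets `None`, which is the behaviour Mike expected. In this model the only two ways that same private image becomes visible to a user in another project are the outsider's token carrying the admin role (iain's first question) or `context_is_admin` being relaxed in policy.json (Chris's question). On a real deployment the corresponding checks are `openstack role assignment list --user <user> --project <project>` for the first and reading the `context_is_admin` rule in Glance's policy.json for the second; `openstack image show <id>` run as admin confirms the owner and visibility fields that iain's second question is about.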