[Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants
iain MacDonnell
iain.macdonnell at oracle.com
Thu Oct 18 22:25:22 UTC 2018
I suspect that your non-admin user is not really non-admin. How did you
create it?
What do you have for "context_is_admin" in glance's policy.json?
~iain
On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
INTEGRA, INC.] wrote:
> I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
>
>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> Michael.D.Moore at nasa.gov
>
> Hydrogen fusion brightens my day.
>
>
> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
>
> Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
>
> In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> Michael.D.Moore at nasa.gov
>
> Hydrogen fusion brightens my day.
>
>
> On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>
>
>
> On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.] wrote:
> > I’m seeing unexpected behavior in our Queens environment related to
> > Glance image visibility. Specifically users who, based on my
> > understanding of the visibility and ownership fields, should NOT be able
> > to see or view the image.
> >
> > If I create a new image with openstack image create and specify --project
> > <tenant> and --private, a non-admin user in a different tenant can see and
> > boot that image.
> >
> > That seems to be the opposite of what should happen. Any ideas?
>
> Yep, something's not right there.
>
> Are you sure that the user that can see the image doesn't have the admin
> role (for the project in its keystone token) ?
>
> Did you verify that the image's owner is what you intended, and that the
> visibility really is "private" ?
>
> ~iain
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
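To make the question about "context_is_admin" concrete, here is an added example (not code from this thread, from Glance or from oslo.policy) that models how that rule is evaluated from the roles in a keystone token and how the result decides whether a private image owned by another project is listed for the caller. Everything in it is constructed: the tiny rule evaluator covers only role:<name>, rule:<name>, "and", "or", "!" and the empty/"@" always-match rule; the image model has only public and private visibility; and the project ids, role names, image ids and the two policy dicts are made-up sample values.

```python
"""Added example (not code from the thread or from Glance itself): a small
evaluator for the subset of oslo.policy rule syntax that typically appears
in glance's policy.json, used to show how the "context_is_admin" rule decides
whether a request context is treated as admin, and therefore whether a
private image owned by another project becomes visible to it.

Assumptions (constructed for this example, not taken from the page):
  * the image model has only 'public' and 'private' visibility;
  * the rule grammar covers role:<name>, rule:<name>, "and", "or",
    "!" (never matches) and "" / "@" (always match), with no parentheses;
  * project ids, role names and image ids are made-up sample values.
"""
from dataclasses import dataclass


@dataclass
class Context:
    """What the policy engine sees from the keystone token."""
    project_id: str
    roles: frozenset
    is_admin: bool = False


@dataclass
class Image:
    image_id: str
    owner: str        # project id that owns the image
    visibility: str   # 'public' or 'private'


def _check_atom(atom, ctx):
    """Evaluate a single check such as 'role:admin'."""
    if atom in ("", "@"):
        return True   # an empty rule (or "@") matches every request in oslo.policy
    if atom == "!":
        return False  # "!" never matches
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in ctx.roles
    raise ValueError(f"unsupported check in this toy evaluator: {atom!r}")


def evaluate_rule(rule, ctx, policy, _depth=0):
    """Evaluate a rule string against ctx. 'or' binds looser than 'and';
    'rule:<name>' recurses into another entry of the policy dict."""
    if _depth > 10:
        raise RecursionError("rule: references form a cycle")

    def atom(text):
        text = text.strip()
        if text.startswith("rule:"):
            return evaluate_rule(policy[text[len("rule:"):]], ctx, policy, _depth + 1)
        return _check_atom(text, ctx)

    return any(
        all(atom(c) for c in disjunct.split(" and "))
        for disjunct in rule.strip().split(" or ")
    )


def build_context(project_id, roles, policy):
    """Evaluate context_is_admin once per request and carry the result
    in the context, the way a service does before checking visibility."""
    ctx = Context(project_id, frozenset(roles))
    ctx.is_admin = evaluate_rule(policy.get("context_is_admin", "role:admin"), ctx, policy)
    return ctx


def can_see_image(ctx, image):
    """Private images are visible only to their owning project or to admins."""
    if image.visibility == "public":
        return True
    if image.visibility == "private":
        return ctx.is_admin or image.owner == ctx.project_id
    return False


def visible_images(ctx, images):
    return [img.image_id for img in images if can_see_image(ctx, img)]


# Constructed sample data: one private and one public image, both owned by
# the (made-up) admin tenant.
IMAGES = [
    Image("img-private", owner="admin-tenant", visibility="private"),
    Image("img-public", owner="admin-tenant", visibility="public"),
]

# A rule that requires the admin role, beside a permissive one: an empty
# rule matches everyone, so every caller is treated as admin.
STRICT_POLICY = {"context_is_admin": "role:admin"}
PERMISSIVE_POLICY = {"context_is_admin": ""}


def image_list_for(policy, roles=("member",), project_id="other-tenant"):
    """Return (is_admin, visible image ids) for a user with the given roles
    in the given project under the given policy."""
    ctx = build_context(project_id, roles, policy)
    return ctx.is_admin, visible_images(ctx, IMAGES)


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("permissive", PERMISSIVE_POLICY)):
        print(name, image_list_for(policy))
```

Under the strict rule a member of another tenant sees only the public image; under the permissive rule the same token is treated as admin and the private image shows up, which is the symptom described in the thread. When checking a real deployment, the two things to confirm are the actual role assignments behind the token (`openstack role assignment list --user <user> --project <project> --names`) and the image's recorded owner and visibility (`openstack image show <image>`), alongside the "context_is_admin" line in glance's policy.json.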