[Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

iain MacDonnell iain.macdonnell at oracle.com
Tue Oct 23 23:45:23 UTC 2018


It (still) seems like there's something funky about admin/non-admin in 
your case.

You could try "openstack --debug token issue" (in the admin and 
non-admin cases), and examine the token dict that gets output. Look for 
the "roles" list and "is_admin_project".

     ~iain
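One way to do the comparison suggested above, as an added example (not part of the original message and not OpenStack code). It assumes the token body from each `--debug` run has been saved as JSON, handles only the simple `role:<name>` rule form quoted later in the thread, and uses made-up tokens:

```python
import json

# Constructed sample data: trimmed Keystone v3 token bodies, saved as JSON.
# Every user, project, domain and role id below is made up for this example.
TOKENS = json.loads("""
{
 "admin_case": {"token": {
   "is_admin_project": true,
   "user": {"name": "user-admin", "domain": {"name": "domain-a"}},
   "project": {"name": "admin", "domain": {"name": "domain-a"}},
   "roles": [{"id": "r-1", "name": "admin"}]}},
 "member_case": {"token": {
   "is_admin_project": false,
   "user": {"name": "user-b", "domain": {"name": "Default"}},
   "project": {"name": "test", "domain": {"name": "domain-a"}},
   "roles": [{"id": "r-2", "name": "user"}]}},
 "leaky_case": {"token": {
   "is_admin_project": false,
   "user": {"name": "user-c", "domain": {"name": "Default"}},
   "project": {"name": "test", "domain": {"name": "domain-a"}},
   "roles": [{"id": "r-2", "name": "user"}, {"id": "r-1", "name": "Admin"}]}}
}
""")

# The two rules quoted in the thread from /etc/glance/policy.json.
POLICY = {"context_is_admin": "role:admin", "default": "role:admin"}


def summarize_token(body):
    """Pull out the fields worth comparing between the admin and non-admin runs."""
    tok = body["token"]
    project = tok.get("project")
    scope = "unscoped"
    if project:
        scope = "%s/%s" % (project.get("domain", {}).get("name"), project.get("name"))
    return {
        "user": tok["user"]["name"],
        "scope": scope,
        "roles": sorted(r["name"] for r in tok.get("roles", [])),
        # None means the key was absent from the token body.
        "is_admin_project": tok.get("is_admin_project"),
    }


def role_rule_matches(rule, roles):
    """Evaluate a 'role:<name>' rule only; any other rule syntax is rejected.

    Role names are compared case-insensitively, as oslo.policy's role check does.
    """
    kind, _, wanted = rule.partition(":")
    if kind != "role" or not wanted:
        raise ValueError("only 'role:<name>' rules are handled here: %r" % rule)
    return wanted.lower() in (r.lower() for r in roles)


def rule_for(policy, action):
    """Per the thread, "default" applies to any action not listed explicitly."""
    return policy.get(action, policy["default"])


def audit(body, policy):
    """Summarize one token and flag anything that makes it admin-equivalent."""
    info = summarize_token(body)
    info["context_is_admin"] = role_rule_matches(policy["context_is_admin"], info["roles"])
    findings = []
    if info["context_is_admin"] and info["is_admin_project"] is not True:
        findings.append(
            "satisfies context_is_admin (%s) on scope %s although "
            "is_admin_project is %r" % (policy["context_is_admin"], info["scope"],
                                        info["is_admin_project"]))
    info["findings"] = findings
    return info


if __name__ == "__main__":
    for label, body in TOKENS.items():
        result = audit(body, POLICY)
        print("%-12s roles=%s is_admin_project=%s context_is_admin=%s" % (
            label, result["roles"], result["is_admin_project"],
            result["context_is_admin"]))
        for finding in result["findings"]:
            print("  ! " + finding)
```
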



On 10/23/2018 03:21 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS 
INTEGRA, INC.] wrote:
> We have submitted a bug for this
> 
> https://bugs.launchpad.net/glance/+bug/1799588 
> 
> Mike Moore, M.S.S.E.
> 
> Systems Engineer, Goddard Private Cloud
> 
> Michael.D.Moore at nasa.gov <mailto:Michael.D.Moore at nasa.gov>
> 
> Hydrogen fusion brightens my day.
> 
> *From: *"Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" 
> <michael.d.moore at nasa.gov>
> *Date: *Saturday, October 20, 2018 at 7:22 PM
> *To: *Logan Hicks <logan.hicks at live.com>, 
> "openstack-operators at lists.openstack.org" 
> <openstack-operators at lists.openstack.org>
> *Subject: *Re: [Openstack-operators] OpenStack-operators Digest, Vol 96, 
> Issue 7
> 
> The images exist and are bootable. I'm going to trace through the actual 
> code for glance API. Any suggestions on where the show/hide logic is 
> when it filters responses? I'm new to digging through OpenStack code.
> 
> ------------------------------------------------------------------------
> 
> *From:*Logan Hicks [logan.hicks at live.com]
> *Sent:* Friday, October 19, 2018 8:00 PM
> *To:* openstack-operators at lists.openstack.org
> *Subject:* Re: [Openstack-operators] OpenStack-operators Digest, Vol 96, 
> Issue 7
> 
> Re: Glance Image Visibility Issue? - Non  admin users can see
>        private images from other tenants (Chris Apsey)
> 
> I noticed that the image says queued. If I'm not mistaken, an image can't 
> have permissions applied until after the image is created, which might 
> explain the issue he's seeing.
> 
> The object doesn't exist until it's made by openstack.
> 
> I'd check to see if something is holding up images being made. I'd start 
> with glance.
> 
> Respectfully,
> 
> Logan Hicks
> 
> -------- Original message --------
> 
> From: openstack-operators-request at lists.openstack.org
> 
> Date: 10/19/18 7:49 PM (GMT-05:00)
> 
> To: openstack-operators at lists.openstack.org
> 
> Subject: OpenStack-operators Digest, Vol 96, Issue 7
> 
> Today's Topics:
> 
>     1. [nova] Removing the CachingScheduler (Matt Riedemann)
>     2. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants
>        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
>     3. Re: Glance Image Visibility Issue? - Non  admin users can see
>        private images from other tenants (Chris Apsey)
>     4. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants (iain MacDonnell)
>     5. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants
>        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
>     6. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants (iain MacDonnell)
>     7. Re: Glance Image Visibility Issue? - Non  admin users can see
>        private images from other tenants (Chris Apsey)
>     8. osops-tools-monitoring Dependency problems (Tomáš Vondra)
>     9. [heat][cinder] How to create stack snapshot       including volumes
>        (Christian Zunker)
>    10. Fleio - OpenStack billing - ver. 1.1 released (Adrian Andreias)
>    11. Re: [Openstack-sigs] [all] Naming the T   release of OpenStack
>        (Tony Breeds)
>    12. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants
>        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
>    13. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants
>        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
>    14. Re: Fleio - OpenStack billing - ver. 1.1 released (Jay Pipes)
>    15. Re: Fleio - OpenStack billing - ver. 1.1  released (Mohammed Naser)
>    16. [Octavia] SSL errors polling amphorae and missing tenant
>        network interface (Erik McCormick)
>    17. Re: [Octavia] SSL errors polling amphorae and missing tenant
>        network interface (Gaël THEROND)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 18 Oct 2018 17:07:00 -0500
> From: Matt Riedemann <mriedemos at gmail.com>
> To: "openstack-operators at lists.openstack.org"
>          <openstack-operators at lists.openstack.org>
> Subject: [Openstack-operators] [nova] Removing the CachingScheduler
> Message-ID: <fa0c5339-a54d-6720-ca10-7f0cff12dba1 at gmail.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
> It's been deprecated since Pike, and the time has come to remove it [1].
> 
> mgagne has been the most vocal CachingScheduler operator I know and he
> has tested out the "nova-manage placement heal_allocations" CLI, added
> in Rocky, and said it will work for migrating his deployment from the
> CachingScheduler to the FilterScheduler + Placement.
> 
> If you are using the CachingScheduler and have a problem with its
> removal, now is the time to speak up or forever hold your peace.
> 
> [1] https://review.openstack.org/#/c/611723/1 
> 
> -- 
> 
> Thanks,
> 
> Matt
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Thu, 18 Oct 2018 22:11:40 +0000
> From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <michael.d.moore at nasa.gov>
> To: iain MacDonnell <iain.macdonnell at oracle.com>,
>          "openstack-operators at lists.openstack.org"
>          <openstack-operators at lists.openstack.org>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <EDBAEC2C-5245-4952-86C9-CDC635667C92 at nasa.gov>
> Content-Type: text/plain; charset="utf-8"
> 
> I have replicated this unexpected behavior in a Pike test environment, 
> in addition to our Queens environment.
> 
> 
> 
> Mike Moore, M.S.S.E.
> 
> Systems Engineer, Goddard Private Cloud
> Michael.D.Moore at nasa.gov
> 
> Hydrogen fusion brightens my day.
> 
> 
> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS 
> INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
> 
>      Yes. I verified it by creating a non-admin user in a different tenant.
>      I created a new image, set to private with the project defined as our
>      admin tenant.
> 
>      In the database I can see that the image is 'private' and the owner is
>      the ID of the admin tenant.
> 
>      Mike Moore, M.S.S.E.
> 
>      Systems Engineer, Goddard Private Cloud
>      Michael.D.Moore at nasa.gov
> 
>      Hydrogen fusion brightens my day.
> 
> 
>      On 10/18/18, 1:07 AM, "iain MacDonnell" 
> <iain.macdonnell at oracle.com> wrote:
> 
> 
> 
>          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>          INTEGRA, INC.] wrote:
>          > I’m seeing unexpected behavior in our Queens environment related to
>          > Glance image visibility. Specifically users who, based on my
>          > understanding of the visibility and ownership fields, should NOT be able
>          > to see or view the image.
>          >
>          > If I create a new image with openstack image create and specify --project
>          > <tenant> and --private a non-admin user in a different tenant can see and
>          > boot that image.
>          >
>          > That seems to be the opposite of what should happen. Any ideas?
> 
>          Yep, something's not right there.
> 
>          Are you sure that the user that can see the image doesn't have the admin
>          role (for the project in its keystone token) ?
> 
>          Did you verify that the image's owner is what you intended, and that the
>          visibility really is "private" ?
> 
>               ~iain
> 
>          _______________________________________________
>          OpenStack-operators mailing list
>          OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators 
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 18 Oct 2018 18:23:35 -0400
> From: Chris Apsey <bitskrieg at bitskrieg.net>
> To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <michael.d.moore at nasa.gov>, iain MacDonnell
>          <iain.macdonnell at oracle.com>,
>          <openstack-operators at lists.openstack.org>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non     admin users can see private images from other tenants
> Message-ID:
>          <1668946da70.278c.5f0d7f2baa7831a2bbe6450f254d9a24 at bitskrieg.net>
> Content-Type: text/plain; format=flowed; charset="UTF-8"
> 
> Do you have a liberal/custom policy.json that perhaps is causing unexpected
> behavior?  Can't seem to reproduce this.
> 
> On October 18, 2018 18:13:22 "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
> 
>> I have replicated this unexpected behavior in a Pike test environment, in 
>> addition to our Queens environment.
>>
>>
>>
>> Mike Moore, M.S.S.E.
>>
>> Systems Engineer, Goddard Private Cloud
>> Michael.D.Moore at nasa.gov
>>
>> Hydrogen fusion brightens my day.
>>
>>
>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, 
>> INC.]" <michael.d.moore at nasa.gov> wrote:
>>
>>    Yes. I verified it by creating a non-admin user in a different tenant. I 
>>    created a new image, set to private with the project defined as our admin 
>>    tenant.
>>
>>    In the database I can see that the image is 'private' and the owner is the 
>>    ID of the admin tenant.
>>
>>    Mike Moore, M.S.S.E.
>>
>>    Systems Engineer, Goddard Private Cloud
>>    Michael.D.Moore at nasa.gov
>>
>>    Hydrogen fusion brightens my day.
>>
>>
>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>>
>>
>>
>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>        INTEGRA, INC.] wrote:
>>> I’m seeing unexpected behavior in our Queens environment related to
>>> Glance image visibility. Specifically users who, based on my
>>> understanding of the visibility and ownership fields, should NOT be able
>>> to see or view the image.
>>>
>>> If I create a new image with openstack image create and specify --project
>>> <tenant> and --private a non-admin user in a different tenant can see and
>>> boot that image.
>>>
>>> That seems to be the opposite of what should happen. Any ideas?
>>
>>        Yep, something's not right there.
>>
>>        Are you sure that the user that can see the image doesn't have the admin
>>        role (for the project in its keystone token) ?
>>
>>        Did you verify that the image's owner is what you intended, and that the
>>        visibility really is "private" ?
>>
>>             ~iain
>>
> 
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 18 Oct 2018 15:25:22 -0700
> From: iain MacDonnell <iain.macdonnell at oracle.com>
> To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <michael.d.moore at nasa.gov>, 
> "openstack-operators at lists.openstack.org"
>          <openstack-operators at lists.openstack.org>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <11e3f7a6-875e-4b6c-259a-147188a860e1 at oracle.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
> 
> I suspect that your non-admin user is not really non-admin. How did you
> create it?
> 
> What do you have for "context_is_admin" in glance's policy.json ?
> 
>       ~iain
> 
> 
> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.] wrote:
>> I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
>> 
>> 
>> 
>> Mike Moore, M.S.S.E.
>>   
>> Systems Engineer, Goddard Private Cloud
>> Michael.D.Moore at nasa.gov
>>   
>> Hydrogen fusion brightens my day.
>>   
>> 
>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
>> 
>>      Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
>>      
>>      In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
>>      
>>      Mike Moore, M.S.S.E.
>>       
>>      Systems Engineer, Goddard Private Cloud
>>      Michael.D.Moore at nasa.gov
>>       
>>      Hydrogen fusion brightens my day.
>>       
>>      
>>      On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>>      
>>          
>>          
>>          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>          INTEGRA, INC.] wrote:
>>          > I’m seeing unexpected behavior in our Queens environment related to
>>          > Glance image visibility. Specifically users who, based on my
>>          > understanding of the visibility and ownership fields, should NOT be able
>>          > to see or view the image.
>>          >
>>          > If I create a new image with openstack image create and specify --project
>>          > <tenant> and --private a non-admin user in a different tenant can see and
>>          > boot that image.
>>          >
>>          > That seems to be the opposite of what should happen. Any ideas?
>>          
>>          Yep, something's not right there.
>>          
>>          Are you sure that the user that can see the image doesn't have the admin
>>          role (for the project in its keystone token) ?
>>          
>>          Did you verify that the image's owner is what you intended, and that the
>>          visibility really is "private" ?
>>          
>>               ~iain
>>          
>> 
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Thu, 18 Oct 2018 22:32:42 +0000
> From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <michael.d.moore at nasa.gov>
> To: iain MacDonnell <iain.macdonnell at oracle.com>,
>          "openstack-operators at lists.openstack.org"
>          <openstack-operators at lists.openstack.org>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <44085CC4-899C-49B2-9934-0800F6650B0B at nasa.gov>
> Content-Type: text/plain; charset="utf-8"
> 
> openstack user create --domain default --password xxxxxxxx 
> --project-domain ndc --project test mike
> 
> 
> openstack role add --user mike --user-domain default --project test user
> 
> my admin account is in the NDC domain with a different username.
> 
> 
> 
> /etc/glance/policy.json
> {
> 
> "context_is_admin":  "role:admin",
> "default": "role:admin",
> 
> <snip>
> 
> 
> I'm not terribly familiar with the policies but I feel like that default 
> line is making everyone an admin by default?
> 
> 
> Mike Moore, M.S.S.E.
> 
> Systems Engineer, Goddard Private Cloud
> Michael.D.Moore at nasa.gov
> 
> Hydrogen fusion brightens my day.
> 
> 
> On 10/18/18, 6:25 PM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
> 
> 
>      I suspect that your non-admin user is not really non-admin. How did you
>      create it?
> 
>      What do you have for "context_is_admin" in glance's policy.json ?
> 
>           ~iain
> 
> 
>      On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      INTEGRA, INC.] wrote:
>      > I have replicated this unexpected behavior in a Pike test 
> environment, in addition to our Queens environment.
>      >
>      >
>      >
>      > Mike Moore, M.S.S.E.
>      >
>      > Systems Engineer, Goddard Private Cloud
>      > Michael.D.Moore at nasa.gov
>      >
>      > Hydrogen fusion brightens my day.
>      >
>      >
>      > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS 
> INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
>      >
>      >      Yes. I verified it by creating a non-admin user in a 
> different tenant. I created a new image, set to private with the project 
> defined as our admin tenant.
>      >
>      >      In the database I can see that the image is 'private' and 
> the owner is the ID of the admin tenant.
>      >
>      >      Mike Moore, M.S.S.E.
>      >
>      >      Systems Engineer, Goddard Private Cloud
>      >      Michael.D.Moore at nasa.gov
>      >
>      >      Hydrogen fusion brightens my day.
>      >
>      >
>      >      On 10/18/18, 1:07 AM, "iain MacDonnell" 
> <iain.macdonnell at oracle.com> wrote:
>      >
>      >
>      >
>      >          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      >          INTEGRA, INC.] wrote:
>      >          > I’m seeing unexpected behavior in our Queens environment related to
>      >          > Glance image visibility. Specifically users who, based on my
>      >          > understanding of the visibility and ownership fields, should NOT be able
>      >          > to see or view the image.
>      >          >
>      >          > If I create a new image with openstack image create and specify --project
>      >          > <tenant> and --private a non-admin user in a different tenant can see and
>      >          > boot that image.
>      >          >
>      >          > That seems to be the opposite of what should happen. Any ideas?
>      >
>      >          Yep, something's not right there.
>      >
>      >          Are you sure that the user that can see the image 
> doesn't have the admin
>      >          role (for the project in its keystone token) ?
>      >
>      >          Did you verify that the image's owner is what you 
> intended, and that the
>      >          visibility really is "private" ?
>      >
>      >               ~iain
>      >
> 
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Thu, 18 Oct 2018 15:48:27 -0700
> From: iain MacDonnell <iain.macdonnell at oracle.com>
> To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <michael.d.moore at nasa.gov>, 
> "openstack-operators at lists.openstack.org"
>          <openstack-operators at lists.openstack.org>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <c8bb19c1-8dcb-7f68-db3e-199cefd5c442 at oracle.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
> 
> That all looks fine.
> 
> I believe that the "default" policy applies in place of any that's not
> explicitly specified - i.e. "if there's no matching policy below, you
> need to have the admin role to be able to do it". I do have that line in
> my policy.json, and I cannot reproduce your problem (see below).
> 
> I'm not using domains (other than "default"). I wonder if that's a factor...
> 
>       ~iain
> 
> 
> $ openstack user create --password foo user1
> +---------------------+----------------------------------+
> | Field               | Value                            |
> +---------------------+----------------------------------+
> | domain_id           | default                          |
> | enabled             | True                             |
> | id                  | d18c0031ec56430499a2d690cb1f125c |
> | name                | user1                            |
> | options             | {}                               |
> | password_expires_at | None                             |
> +---------------------+----------------------------------+
> $ openstack user create --password foo user2
> +---------------------+----------------------------------+
> | Field               | Value                            |
> +---------------------+----------------------------------+
> | domain_id           | default                          |
> | enabled             | True                             |
> | id                  | be9f1061a5104abd834eabe98dff055d |
> | name                | user2                            |
> | options             | {}                               |
> | password_expires_at | None                             |
> +---------------------+----------------------------------+
> $ openstack project create project1
> +-------------+----------------------------------+
> | Field       | Value                            |
> +-------------+----------------------------------+
> | description |                                  |
> | domain_id   | default                          |
> | enabled     | True                             |
> | id          | 826876d6d3724018bae6253c7f540cb3 |
> | is_domain   | False                            |
> | name        | project1                         |
> | parent_id   | default                          |
> | tags        | []                               |
> +-------------+----------------------------------+
> $ openstack project create project2
> +-------------+----------------------------------+
> | Field       | Value                            |
> +-------------+----------------------------------+
> | description |                                  |
> | domain_id   | default                          |
> | enabled     | True                             |
> | id          | b446b93ac6e24d538c1943acbdd13cb2 |
> | is_domain   | False                            |
> | name        | project2                         |
> | parent_id   | default                          |
> | tags        | []                               |
> +-------------+----------------------------------+
> $ openstack role add --user user1 --project project1 _member_
> $ openstack role add --user user2 --project project2 _member_
> $ export OS_PASSWORD=foo
> $ export OS_USERNAME=user1
> $ export OS_PROJECT_NAME=project1
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> +--------------------------------------+--------+--------+
> $ openstack image create --private image1
> +------------------+------------------------------------------------------------------------------+
> | Field            | Value                                                                        |
> +------------------+------------------------------------------------------------------------------+
> | checksum         | None                                                                         |
> | container_format | bare                                                                         |
> | created_at       | 2018-10-18T22:17:41Z                                                         |
> | disk_format      | raw                                                                          |
> | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
> | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
> | min_disk         | 0                                                                            |
> | min_ram          | 0                                                                            |
> | name             | image1                                                                       |
> | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
> | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
> | protected        | False                                                                        |
> | schema           | /v2/schemas/image                                                            |
> | size             | None                                                                         |
> | status           | queued                                                                       |
> | tags             |                                                                              |
> | updated_at       | 2018-10-18T22:17:41Z                                                         |
> | virtual_size     | None                                                                         |
> | visibility       | private                                                                      |
> +------------------+------------------------------------------------------------------------------+
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> +--------------------------------------+--------+--------+
> $ export OS_USERNAME=user2
> $ export OS_PROJECT_NAME=project2
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> +--------------------------------------+--------+--------+
> $ export OS_USERNAME=admin
> $ export OS_PROJECT_NAME=admin
> $ export OS_PASSWORD=xxx
> $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> $ export OS_USERNAME=user2
> $ export OS_PROJECT_NAME=project2
> $ export OS_PASSWORD=foo
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> +--------------------------------------+--------+--------+
> $
> 
> 
> On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.] wrote:
>> openstack user create --domain default --password xxxxxxxx --project-domain ndc --project test mike
>> 
>> 
>> openstack role add --user mike --user-domain default --project test user
>> 
>> my admin account is in the NDC domain with a different username.
>> 
>> 
>> 
>> /etc/glance/policy.json
>> {
>> 
>> "context_is_admin":  "role:admin",
>> "default": "role:admin",
>> 
>> <snip>
>> 
>> 
>> I'm not terribly familiar with the policies but I feel like that default line is making everyone an admin by default?
>> 
>> 
>> Mike Moore, M.S.S.E.
>>   
>> Systems Engineer, Goddard Private Cloud
>> Michael.D.Moore at nasa.gov
>>   
>> Hydrogen fusion brightens my day.
>>   
>> 
>> On 10/18/18, 6:25 PM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>> 
>>      
>>      I suspect that your non-admin user is not really non-admin. How did you
>>      create it?
>>      
>>      What do you have for "context_is_admin" in glance's policy.json?
>>      
>>           ~iain
>>      
>>      
>>      On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>      INTEGRA, INC.] wrote:
>>      > I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
>>      >
>>      >
>>      >
>>      > Mike Moore, M.S.S.E.
>>      >
>>      > Systems Engineer, Goddard Private Cloud
>>      > Michael.D.Moore at nasa.gov
>>      >
>>      > Hydrogen fusion brightens my day.
>>      >
>>      >
>>      > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
>>      >
>>      >      Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
>>      >
>>      >      In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
>>      >
>>      >      Mike Moore, M.S.S.E.
>>      >
>>      >      Systems Engineer, Goddard Private Cloud
>>      >      Michael.D.Moore at nasa.gov
>>      >
>>      >      Hydrogen fusion brightens my day.
>>      >
>>      >
>>      >      On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>>      >
>>      >
>>      >
>>      >          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>      >          INTEGRA, INC.] wrote:
>>      >          > I’m seeing unexpected behavior in our Queens environment related to
>>      >          > Glance image visibility. Specifically users who, based on my
>>      >          > understanding of the visibility and ownership fields, should NOT be able
>>      >          > to see or view the image.
>>      >          >
>>      >          > If I create a new image with openstack image create and specify --project
>>      >          > <tenant> and --private a non-admin user in a different tenant can see and
>>      >          > boot that image.
>>      >          >
>>      >          > That seems to be the opposite of what should happen. Any ideas?
>>      >
>>      >          Yep, something's not right there.
>>      >
>>      >          Are you sure that the user that can see the image doesn't have the admin
>>      >          role (for the project in its keystone token) ?
>>      >
>>      >          Did you verify that the image's owner is what you intended, and that the
>>      >          visibility really is "private" ?
>>      >
>>      >               ~iain
>>      >
>>      >          _______________________________________________
>>      >          OpenStack-operators mailing list
>>      >          OpenStack-operators at lists.openstack.org
>>      >          http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>      >
>>      >
>>      >      _______________________________________________
>>      >      OpenStack-operators mailing list
>>      >      OpenStack-operators at lists.openstack.org
>>      >      http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>      >
>>      >
>>      
>> 
> 
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Thu, 18 Oct 2018 19:23:42 -0400
> From: Chris Apsey <bitskrieg at bitskrieg.net>
> To: iain MacDonnell <iain.macdonnell at oracle.com>, "Moore, Michael Dane
>          (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <michael.d.moore at nasa.gov>,
>          <openstack-operators at lists.openstack.org>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non     admin users can see private images from other tenants
> Message-ID:
>          <166897de830.278c.5f0d7f2baa7831a2bbe6450f254d9a24 at bitskrieg.net>
> Content-Type: text/plain; format=flowed; charset="UTF-8"
> 
> We are using multiple keystone domains - still can't reproduce this.
> 
> Do you happen to have a customized keystone policy.json?
> 
> Worst case, I would launch a devstack of your targeted release.  If you
> can't reproduce the issue there, you would at least know it's caused by a
> nonstandard config rather than a bug (or at least not a bug that's present
> when using a default config)
> 
> On October 18, 2018 18:50:12 iain MacDonnell <iain.macdonnell at oracle.com>
> wrote:
> 
>> That all looks fine.
>>
>> I believe that the "default" policy applies in place of any that's not
>> explicitly specified - i.e. "if there's no matching policy below, you
>> need to have the admin role to be able to do it". I do have that line in
>> my policy.json, and I cannot reproduce your problem (see below).
>>
>> I'm not using domains (other than "default"). I wonder if that's a factor...
>>
>>     ~iain
>>
>>
>> $ openstack user create --password foo user1
>> +---------------------+----------------------------------+
>> | Field               | Value                            |
>> +---------------------+----------------------------------+
>> | domain_id           | default                          |
>> | enabled             | True                             |
>> | id                  | d18c0031ec56430499a2d690cb1f125c |
>> | name                | user1                            |
>> | options             | {}                               |
>> | password_expires_at | None                             |
>> +---------------------+----------------------------------+
>> $ openstack user create --password foo user2
>> +---------------------+----------------------------------+
>> | Field               | Value                            |
>> +---------------------+----------------------------------+
>> | domain_id           | default                          |
>> | enabled             | True                             |
>> | id                  | be9f1061a5104abd834eabe98dff055d |
>> | name                | user2                            |
>> | options             | {}                               |
>> | password_expires_at | None                             |
>> +---------------------+----------------------------------+
>> $ openstack project create project1
>> +-------------+----------------------------------+
>> | Field       | Value                            |
>> +-------------+----------------------------------+
>> | description |                                  |
>> | domain_id   | default                          |
>> | enabled     | True                             |
>> | id          | 826876d6d3724018bae6253c7f540cb3 |
>> | is_domain   | False                            |
>> | name        | project1                         |
>> | parent_id   | default                          |
>> | tags        | []                               |
>> +-------------+----------------------------------+
>> $ openstack project create project2
>> +-------------+----------------------------------+
>> | Field       | Value                            |
>> +-------------+----------------------------------+
>> | description |                                  |
>> | domain_id   | default                          |
>> | enabled     | True                             |
>> | id          | b446b93ac6e24d538c1943acbdd13cb2 |
>> | is_domain   | False                            |
>> | name        | project2                         |
>> | parent_id   | default                          |
>> | tags        | []                               |
>> +-------------+----------------------------------+
>> $ openstack role add --user user1 --project project1 _member_
>> $ openstack role add --user user2 --project project2 _member_
>> $ export OS_PASSWORD=foo
>> $ export OS_USERNAME=user1
>> $ export OS_PROJECT_NAME=project1
>> $ openstack image list
>> +--------------------------------------+--------+--------+
>> | ID                                   | Name   | Status |
>> +--------------------------------------+--------+--------+
>> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>> +--------------------------------------+--------+--------+
>> $ openstack image create --private image1
>> +------------------+------------------------------------------------------------------------------+
>> | Field            | Value
>>                          |
>> +------------------+------------------------------------------------------------------------------+
>> | checksum         | None
>>                          |
>> | container_format | bare
>>                          |
>> | created_at       | 2018-10-18T22:17:41Z
>>                          |
>> | disk_format      | raw
>>                          |
>> | file             |
>> /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file
>>     |
>> | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4
>>                          |
>> | min_disk         | 0
>>                          |
>> | min_ram          | 0
>>                          |
>> | name             | image1
>>                          |
>> | owner            | 826876d6d3724018bae6253c7f540cb3
>>                          |
>> | properties       | locations='[]', os_hash_algo='None',
>> os_hash_value='None', os_hidden='False' |
>> | protected        | False
>>                          |
>> | schema           | /v2/schemas/image
>>                          |
>> | size             | None
>>                          |
>> | status           | queued
>>                          |
>> | tags             |
>>                          |
>> | updated_at       | 2018-10-18T22:17:41Z
>>                          |
>> | virtual_size     | None
>>                          |
>> | visibility       | private
>>                          |
>> +------------------+------------------------------------------------------------------------------+
>> $ openstack image list
>> +--------------------------------------+--------+--------+
>> | ID                                   | Name   | Status |
>> +--------------------------------------+--------+--------+
>> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>> +--------------------------------------+--------+--------+
>> $ export OS_USERNAME=user2
>> $ export OS_PROJECT_NAME=project2
>> $ openstack image list
>> +--------------------------------------+--------+--------+
>> | ID                                   | Name   | Status |
>> +--------------------------------------+--------+--------+
>> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>> +--------------------------------------+--------+--------+
>> $ export OS_USERNAME=admin
>> $ export OS_PROJECT_NAME=admin
>> $ export OS_PASSWORD=xxx
>> $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
>> $ export OS_USERNAME=user2
>> $ export OS_PROJECT_NAME=project2
>> $ export OS_PASSWORD=foo
>> $ openstack image list
>> +--------------------------------------+--------+--------+
>> | ID                                   | Name   | Status |
>> +--------------------------------------+--------+--------+
>> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>> +--------------------------------------+--------+--------+
>> $
>>
>>
>> On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>> INTEGRA, INC.] wrote:
>>> openstack user create --domain default --password xxxxxxxx --project-domain 
>>> ndc --project test mike
>>>
>>>
>>> openstack role add --user mike --user-domain default --project test user
>>>
>>> my admin account is in the NDC domain with a different username.
>>>
>>>
>>>
>>> /etc/glance/policy.json
>>> {
>>>
>>> "context_is_admin":  "role:admin",
>>> "default": "role:admin",
>>>
>>> <snip>
>>>
>>>
>>> I'm not terribly familiar with the policies but I feel like that default 
>>> line is making everyone an admin by default?
>>>
>>>
>>> Mike Moore, M.S.S.E.
>>>
>>> Systems Engineer, Goddard Private Cloud
>>> Michael.D.Moore at nasa.gov
>>>
>>> Hydrogen fusion brightens my day.
>>>
>>>
>>> On 10/18/18, 6:25 PM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>>>
>>>
>>> I suspect that your non-admin user is not really non-admin. How did you
>>> create it?
>>>
>>> What do you have for "context_is_admin" in glance's policy.json?
>>>
>>>  ~iain
>>>
>>>
>>> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>> INTEGRA, INC.] wrote:
>>>> I have replicated this unexpected behavior in a Pike test environment, in 
>>>> addition to our Queens environment.
>>>>
>>>>
>>>>
>>>> Mike Moore, M.S.S.E.
>>>>
>>>> Systems Engineer, Goddard Private Cloud
>>>> Michael.D.Moore at nasa.gov
>>>>
>>>> Hydrogen fusion brightens my day.
>>>>
>>>>
>>>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, 
>>>> INC.]" <michael.d.moore at nasa.gov> wrote:
>>>>
>>>>    Yes. I verified it by creating a non-admin user in a different tenant. I 
>>>>    created a new image, set to private with the project defined as our admin 
>>>>    tenant.
>>>>
>>>>    In the database I can see that the image is 'private' and the owner is the
>>>>    ID of the admin tenant.
>>>>
>>>>    Mike Moore, M.S.S.E.
>>>>
>>>>    Systems Engineer, Goddard Private Cloud
>>>>    Michael.D.Moore at nasa.gov
>>>>
>>>>    Hydrogen fusion brightens my day.
>>>>
>>>>
>>>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>>>>
>>>>
>>>>
>>>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>>>        INTEGRA, INC.] wrote:
>>>>        > I’m seeing unexpected behavior in our Queens environment related to
>>>>        > Glance image visibility. Specifically users who, based on my
>>>>        > understanding of the visibility and ownership fields, should NOT be able
>>>>        > to see or view the image.
>>>>        >
>>>>        > If I create a new image with openstack image create and specify --project
>>>>        > <tenant> and --private a non-admin user in a different tenant can see and
>>>>        > boot that image.
>>>>        >
>>>>        > That seems to be the opposite of what should happen. Any ideas?
>>>>
>>>>        Yep, something's not right there.
>>>>
>>>>        Are you sure that the user that can see the image doesn't have the admin
>>>>        role (for the project in its keystone token) ?
>>>>
>>>>        Did you verify that the image's owner is what you intended, and that the
>>>>        visibility really is "private" ?
>>>>
>>>>             ~iain
>>>>
>>>>        _______________________________________________
>>>>        OpenStack-operators mailing list
>>>>        OpenStack-operators at lists.openstack.org
>>>>        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>>
>>>>
>>>>    _______________________________________________
>>>>    OpenStack-operators mailing list
>>>>    OpenStack-operators at lists.openstack.org
>>>>    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators 
> 
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 8
> Date: Fri, 19 Oct 2018 10:58:30 +0200
> From: Tomáš Vondra <vondra at homeatcloud.cz>
> To: <OpenStack-operators at lists.openstack.org>
> Subject: [Openstack-operators] osops-tools-monitoring Dependency
>          problems
> Message-ID: <049e01d46789$e8bf5220$ba3df660$@homeatcloud.cz>
> Content-Type: text/plain;       charset="iso-8859-2"
> 
> Hi!
> I'm a long time user of monitoring-for-openstack, also known as oschecks.
> Concretely, I used a version from 2015 with OpenStack python client
> libraries from Kilo. Now I have upgraded them to Mitaka and it got broken.
> Even the latest oschecks don't work. I didn't quite expect that, given that
> there are several commits from this year e.g. by Nagasai Vinaykumar
> Kapalavai and paramite. Can one of them or some other user step up and say
> what version of OpenStack clients is oschecks working with? Ideally, write
> it down in requirements.txt so that it will be reproducible? Also, some
> documentation of what is the minimal set of parameters would also come in
> handy.
> Thanks a lot, Tomas from Homeatcloud
> 
> The error messages are as absurd as:
> oschecks-check_glance_api --os_auth_url='http://10.1.101.30:5000/v2.0'
> --os_username=monitoring --os_password=XXX --os_tenant_name=monitoring
> 
> CRITICAL: Traceback (most recent call last):
>    File "/usr/lib/python2.7/dist-packages/oschecks/utils.py", line 121, in
> safe_run
>      method()
>    File "/usr/lib/python2.7/dist-packages/oschecks/glance.py", line 29, in
> _check_glance_api
>      glance = utils.Glance()
>    File "/usr/lib/python2.7/dist-packages/oschecks/utils.py", line 177, in
> __init__
>      self.glance.parser = self.glance.get_base_parser(sys.argv)
> TypeError: get_base_parser() takes exactly 1 argument (2 given)
> 
> (I can see 4 parameters on the command line.)
> 
> 
> 
> 
> ------------------------------
> 
> Message: 9
> Date: Fri, 19 Oct 2018 11:21:25 +0200
> From: Christian Zunker <christian.zunker at codecentric.cloud>
> To: openstack-operators <openstack-operators at lists.openstack.org>
> Subject: [Openstack-operators] [heat][cinder] How to create stack
>          snapshot        including volumes
> Message-ID:
>          
> <CAHS=D_ZGow+hSPuiicq6z0UrRCb3DxC4hf425uY7+5+Rt+-z5w at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi List,
> 
> I'd like to take snapshots of heat stacks including the volumes.
> From what I found until now, this should be possible. You just have to
> configure some parts of OpenStack.
> 
> I enabled cinder-backup with ceph backend. Backups from volumes are working.
> I configured heat to include the option backups_enabled = True.
> 
> When I use openstack stack snapshot create, I get a snapshot but no backups
> of my volumes. I don't get any error messages in heat. Debug logging didn't
> help either.
> 
> OpenStack version is Pike on Ubuntu installed with openstack-ansible.
> heat version is 9.0.3. So this should also include this bugfix:
> https://bugs.launchpad.net/heat/+bug/1687006 
> 
> Is anybody using this feature? What am I missing?
> 
> Best regards
> Christian
> 
> ------------------------------
> 
> Message: 10
> Date: Fri, 19 Oct 2018 12:42:00 +0300
> From: Adrian Andreias <adrian at fleio.com>
> To: openstack-operators at lists.openstack.org
> Subject: [Openstack-operators] Fleio - OpenStack billing - ver. 1.1
>          released
> Message-ID:
>          
> <CACp-FE3gEP=nwXRtwy-H13qXrnhPa5bn0uWiukxWp=YTU-4e8A at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hello,
> 
> We've just released Fleio version 1.1.
> 
> Fleio is a billing solution and control panel for OpenStack public clouds
> and traditional web hosters.
> 
> Fleio software automates the entire process for cloud users. New customers
> can use Fleio to sign up for an account, pay invoices, add credit to their
> account, as well as create and manage cloud resources such as virtual
> machines, storage and networking.
> 
> Full feature list:
> https://fleio.com#features 
> 
> You can see an online demo:
> https://fleio.com/demo 
> 
> And sign-up for a free trial:
> https://fleio.com/signup 
> 
> 
> 
> Cheers!
> 
> - Adrian Andreias
> https://fleio.com 
> 
> ------------------------------
> 
> Message: 11
> Date: Fri, 19 Oct 2018 20:54:29 +1100
> From: Tony Breeds <tony at bakeyournoodle.com>
> To: OpenStack Development <openstack-dev at lists.openstack.org>,
>          OpenStack SIGs <openstack-sigs at lists.openstack.org>, OpenStack
>          Operators <openstack-operators at lists.openstack.org>
> Subject: Re: [Openstack-operators] [Openstack-sigs] [all] Naming the T
>          release of OpenStack
> Message-ID: <20181019095428.GA9399 at thor.bakeyournoodle.com>
> Content-Type: text/plain; charset="utf-8"
> 
> On Thu, Oct 18, 2018 at 05:35:39PM +1100, Tony Breeds wrote:
>> Hello all,
>>     As per [1] the nomination period for names for the T release has
>> now closed (actually 3 days ago sorry).  The nominated names and any
>> qualifying remarks can be seen at [2].
>> 
>> Proposed Names
>>  * Tarryall
>>  * Teakettle
>>  * Teller
>>  * Telluride
>>  * Thomas
>>  * Thornton
>>  * Tiger
>>  * Tincup
>>  * Timnath
>>  * Timber
>>  * Tiny Town
>>  * Torreys
>>  * Trail
>>  * Trinidad
>>  * Treasure
>>  * Troublesome
>>  * Trussville
>>  * Turret
>>  * Tyrone
>> 
>> Proposed Names that do not meet the criteria
>>  * Train
> 
> I have re-worked my openstack/governance change[1] to ask the TC to accept
> adding Train to the poll as (partially) described in [2].
> 
> I present the names above to the community and Foundation marketing team
> for consideration.  The list above does contain Train, clearly if the TC
> do not approve [1] Train will not be included in the poll when created.
> 
> I apologise for any offence or slight caused by my previous email in
> this thread.  It was well intentioned albeit, with hindsight, poorly
> thought through.
> 
> Yours Tony.
> 
> [1] https://review.openstack.org/#/c/611511/ 
> [2] https://governance.openstack.org/tc/reference/release-naming.html#release-name-criteria
> 
> ------------------------------
> 
> Message: 12
> Date: Fri, 19 Oct 2018 16:33:17 +0000
> From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <michael.d.moore at nasa.gov>
> To: Chris Apsey <bitskrieg at bitskrieg.net>, iain MacDonnell
>          <iain.macdonnell at oracle.com>,
>          "openstack-operators at lists.openstack.org"
>          <openstack-operators at lists.openstack.org>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <4704898B-D193-4540-B106-BF38ACAB68E2 at nasa.gov>
> Content-Type: text/plain; charset="utf-8"
> 
> Our NDC domain is LDAP backed. Default is not.
> 
> Our keystone policy.json file is empty {}
> 
> 
> 
> Mike Moore, M.S.S.E.
> 
> Systems Engineer, Goddard Private Cloud
> Michael.D.Moore at nasa.gov
> 
> Hydrogen fusion brightens my day.
> 
> 
> On 10/18/18, 7:24 PM, "Chris Apsey" <bitskrieg at bitskrieg.net> wrote:
> 
>      We are using multiple keystone domains - still can't reproduce this.
> 
>      Do you happen to have a customized keystone policy.json?
> 
>      Worst case, I would launch a devstack of your targeted release.  If you
>      can't reproduce the issue there, you would at least know it's caused by a
>      nonstandard config rather than a bug (or at least not a bug that's present
>      when using a default config)
> 
>      On October 18, 2018 18:50:12 iain MacDonnell <iain.macdonnell at oracle.com>
>      wrote:
> 
>      > That all looks fine.
>      >
>      > I believe that the "default" policy applies in place of any that's not
>      > explicitly specified - i.e. "if there's no matching policy below, you
>      > need to have the admin role to be able to do it". I do have that line in
>      > my policy.json, and I cannot reproduce your problem (see below).
>      >
>      > I'm not using domains (other than "default"). I wonder if that's a factor...
>      >
>      >     ~iain
>      >
>      >
>      > $ openstack user create --password foo user1
>      > +---------------------+----------------------------------+
>      > | Field               | Value                            |
>      > +---------------------+----------------------------------+
>      > | domain_id           | default                          |
>      > | enabled             | True                             |
>      > | id                  | d18c0031ec56430499a2d690cb1f125c |
>      > | name                | user1                            |
>      > | options             | {}                               |
>      > | password_expires_at | None                             |
>      > +---------------------+----------------------------------+
>      > $ openstack user create --password foo user2
>      > +---------------------+----------------------------------+
>      > | Field               | Value                            |
>      > +---------------------+----------------------------------+
>      > | domain_id           | default                          |
>      > | enabled             | True                             |
>      > | id                  | be9f1061a5104abd834eabe98dff055d |
>      > | name                | user2                            |
>      > | options             | {}                               |
>      > | password_expires_at | None                             |
>      > +---------------------+----------------------------------+
>      > $ openstack project create project1
>      > +-------------+----------------------------------+
>      > | Field       | Value                            |
>      > +-------------+----------------------------------+
>      > | description |                                  |
>      > | domain_id   | default                          |
>      > | enabled     | True                             |
>      > | id          | 826876d6d3724018bae6253c7f540cb3 |
>      > | is_domain   | False                            |
>      > | name        | project1                         |
>      > | parent_id   | default                          |
>      > | tags        | []                               |
>      > +-------------+----------------------------------+
>      > $ openstack project create project2
>      > +-------------+----------------------------------+
>      > | Field       | Value                            |
>      > +-------------+----------------------------------+
>      > | description |                                  |
>      > | domain_id   | default                          |
>      > | enabled     | True                             |
>      > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
>      > | is_domain   | False                            |
>      > | name        | project2                         |
>      > | parent_id   | default                          |
>      > | tags        | []                               |
>      > +-------------+----------------------------------+
>      > $ openstack role add --user user1 --project project1 _member_
>      > $ openstack role add --user user2 --project project2 _member_
>      > $ export OS_PASSWORD=foo
>      > $ export OS_USERNAME=user1
>      > $ export OS_PROJECT_NAME=project1
>      > $ openstack image list
>      > +--------------------------------------+--------+--------+
>      > | ID                                   | Name   | Status |
>      > +--------------------------------------+--------+--------+
>      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>      > +--------------------------------------+--------+--------+
>      > $ openstack image create --private image1
>      > +------------------+------------------------------------------------------------------------------+
>      > | Field            | Value                                                                        |
>      > +------------------+------------------------------------------------------------------------------+
>      > | checksum         | None                                                                         |
>      > | container_format | bare                                                                         |
>      > | created_at       | 2018-10-18T22:17:41Z                                                         |
>      > | disk_format      | raw                                                                          |
>      > | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
>      > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
>      > | min_disk         | 0                                                                            |
>      > | min_ram          | 0                                                                            |
>      > | name             | image1                                                                       |
>      > | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
>      > | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
>      > | protected        | False                                                                        |
>      > | schema           | /v2/schemas/image                                                            |
>      > | size             | None                                                                         |
>      > | status           | queued                                                                       |
>      > | tags             |                                                                              |
>      > | updated_at       | 2018-10-18T22:17:41Z                                                         |
>      > | virtual_size     | None                                                                         |
>      > | visibility       | private                                                                      |
>      > +------------------+------------------------------------------------------------------------------+
>      > $ openstack image list
>      > +--------------------------------------+--------+--------+
>      > | ID                                   | Name   | Status |
>      > +--------------------------------------+--------+--------+
>      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>      > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>      > +--------------------------------------+--------+--------+
>      > $ export OS_USERNAME=user2
>      > $ export OS_PROJECT_NAME=project2
>      > $ openstack image list
>      > +--------------------------------------+--------+--------+
>      > | ID                                   | Name   | Status |
>      > +--------------------------------------+--------+--------+
>      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>      > +--------------------------------------+--------+--------+
>      > $ export OS_USERNAME=admin
>      > $ export OS_PROJECT_NAME=admin
>      > $ export OS_PASSWORD=xxx
>      > $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
>      > $ export OS_USERNAME=user2
>      > $ export OS_PROJECT_NAME=project2
>      > $ export OS_PASSWORD=foo
>      > $ openstack image list
>      > +--------------------------------------+--------+--------+
>      > | ID                                   | Name   | Status |
>      > +--------------------------------------+--------+--------+
>      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>      > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>      > +--------------------------------------+--------+--------+
>      > $
>      >
>      >
>      > On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      > INTEGRA, INC.] wrote:
>      >> openstack user create --domain default --password xxxxxxxx --project-domain ndc --project test mike
>      >>
>      >>
>      >> openstack role add --user mike --user-domain default --project test user
>      >>
>      >> my admin account is in the NDC domain with a different username.
>      >>
>      >>
>      >>
>      >> /etc/glance/policy.json
>      >> {
>      >>
>      >> "context_is_admin":  "role:admin",
>      >> "default": "role:admin",
>      >>
>      >> <snip>
>      >>
>      >>
>      >> I'm not terribly familiar with the policies but I feel like that default
>      >> line is making everyone an admin by default?
>      >>
>      >>
>      >> Mike Moore, M.S.S.E.
>      >>
>      >> Systems Engineer, Goddard Private Cloud
>      >> Michael.D.Moore at nasa.gov
>      >>
>      >> Hydrogen fusion brightens my day.
>      >>
>      >>
>      >> On 10/18/18, 6:25 PM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>      >>
>      >>
>      >> I suspect that your non-admin user is not really non-admin. How did you
>      >> create it?
>      >>
>      >> What do you have for "context_is_admin" in glance's policy.json?
>      >>
>      >>  ~iain
>      >>
>      >>
>      >> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      >> INTEGRA, INC.] wrote:
>      >>> I have replicated this unexpected behavior in a Pike test environment, in
>      >>> addition to our Queens environment.
>      >>>
>      >>>
>      >>>
>      >>> Mike Moore, M.S.S.E.
>      >>>
>      >>> Systems Engineer, Goddard Private Cloud
>      >>> Michael.D.Moore at nasa.gov
>      >>>
>      >>> Hydrogen fusion brightens my day.
>      >>>
>      >>>
>      >>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
>      >>> INC.]" <michael.d.moore at nasa.gov> wrote:
>      >>>
>      >>>    Yes. I verified it by creating a non-admin user in a different tenant. I
>      >>>    created a new image, set to private with the project defined as our admin
>      >>>    tenant.
>      >>>
>      >>>    In the database I can see that the image is 'private' and the owner is the
>      >>>    ID of the admin tenant.
>      >>>
>      >>>    Mike Moore, M.S.S.E.
>      >>>
>      >>>    Systems Engineer, Goddard Private Cloud
>      >>>    Michael.D.Moore at nasa.gov
>      >>>
>      >>>    Hydrogen fusion brightens my day.
>      >>>
>      >>>
>      >>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>      >>>
>      >>>
>      >>>
>      >>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      >>>        INTEGRA, INC.] wrote:
>      >>>        > I’m seeing unexpected behavior in our Queens environment related to
>      >>>        > Glance image visibility. Specifically users who, based on my
>      >>>        > understanding of the visibility and ownership fields, should NOT be able
>      >>>        > to see or view the image.
>      >>>        >
>      >>>        > If I create a new image with openstack image create and specify --project
>      >>>        > <tenant> and --private a non-admin user in a different tenant can see and
>      >>>        > boot that image.
>      >>>        >
>      >>>        > That seems to be the opposite of what should happen. Any ideas?
>      >>>
>      >>>        Yep, something's not right there.
>      >>>
>      >>>        Are you sure that the user that can see the image doesn't have the admin
>      >>>        role (for the project in its keystone token) ?
>      >>>
>      >>>        Did you verify that the image's owner is what you intended, and that the
>      >>>        visibility really is "private" ?
>      >>>
>      >>>             ~iain
>      >>>
>      >>>        _______________________________________________
>      >>>        OpenStack-operators mailing list
>      >>>        OpenStack-operators at lists.openstack.org
>      >>>        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>      >>>
>      >>>
>      >>>    _______________________________________________
>      >>>    OpenStack-operators mailing list
>      >>>    OpenStack-operators at lists.openstack.org
>      >>>    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>      >
>      > _______________________________________________
>      > OpenStack-operators mailing list
>      > OpenStack-operators at lists.openstack.org
>      > 
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators 
> 
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 13
> Date: Fri, 19 Oct 2018 16:54:12 +0000
> From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <michael.d.moore at nasa.gov>
> To: Chris Apsey <bitskrieg at bitskrieg.net>, iain MacDonnell
>          <iain.macdonnell at oracle.com>,
>          "openstack-operators at lists.openstack.org"
>          <openstack-operators at lists.openstack.org>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <A5FD0CCA-8B13-424D-A8F2-E6ACECF58C23 at nasa.gov>
> Content-Type: text/plain; charset="utf-8"
> 
> 
> For reference, here is our full glance policy.json
> 
> 
> {
>      "context_is_admin":  "role:admin",
>      "default": "role:admin",
> 
>      "add_image": "",
>      "delete_image": "",
>      "get_image": "",
>      "get_images": "",
>      "modify_image": "",
>      "publicize_image": "role:admin",
>      "communitize_image": "",
>      "copy_from": "",
> 
>      "download_image": "",
>      "upload_image": "",
> 
>      "delete_image_location": "",
>      "get_image_location": "",
>      "set_image_location": "",
> 
>      "add_member": "",
>      "delete_member": "",
>      "get_member": "",
>      "get_members": "",
>      "modify_member": "",
> 
>      "manage_image_cache": "role:admin",
> 
>      "get_task": "",
>      "get_tasks": "",
>      "add_task": "",
>      "modify_task": "",
>      "tasks_api_access": "role:admin",
> 
>      "deactivate": "",
>      "reactivate": "",
> 
>      "get_metadef_namespace": "",
>      "get_metadef_namespaces":"",
>      "modify_metadef_namespace":"",
>      "add_metadef_namespace":"",
> 
>      "get_metadef_object":"",
>      "get_metadef_objects":"",
>      "modify_metadef_object":"",
>      "add_metadef_object":"",
> 
>      "list_metadef_resource_types":"",
>      "get_metadef_resource_type":"",
>      "add_metadef_resource_type_association":"",
> 
>      "get_metadef_property":"",
>      "get_metadef_properties":"",
>      "modify_metadef_property":"",
>      "add_metadef_property":"",
> 
>      "get_metadef_tag":"",
>      "get_metadef_tags":"",
>      "modify_metadef_tag":"",
>      "add_metadef_tag":"",
>      "add_metadef_tags":""
> 
> }
> 
> 
> Mike Moore, M.S.S.E.
> 
> Systems Engineer, Goddard Private Cloud
> Michael.D.Moore at nasa.gov
> 
> Hydrogen fusion brightens my day.
> 
> 
> On 10/19/18, 12:39 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS 
> INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
> 
>      Our NDC domain is LDAP backed. Default is not.
> 
>      Our keystone policy.json file is empty {}
> 
> 
> 
>      Mike Moore, M.S.S.E.
> 
>      Systems Engineer, Goddard Private Cloud
>      Michael.D.Moore at nasa.gov
> 
>      Hydrogen fusion brightens my day.
> 
> 
>      On 10/18/18, 7:24 PM, "Chris Apsey" <bitskrieg at bitskrieg.net> wrote:
> 
>          We are using multiple keystone domains - still can't reproduce this.
> 
>          Do you happen to have a customized keystone policy.json?
> 
>          Worst case, I would launch a devstack of your targeted release.  If you
>          can't reproduce the issue there, you would at least know it's caused by a
>          nonstandard config rather than a bug (or at least not a bug that's present
>          when using a default config)
> 
>          On October 18, 2018 18:50:12 iain MacDonnell <iain.macdonnell at oracle.com>
>          wrote:
> 
>          > That all looks fine.
>          >
>          > I believe that the "default" policy applies in place of any that's not
>          > explicitly specified - i.e. "if there's no matching policy below, you
>          > need to have the admin role to be able to do it". I do have that line in
>          > my policy.json, and I cannot reproduce your problem (see below).
>          >
>          > I'm not using domains (other than "default"). I wonder if that's a factor...
>          >
>          >     ~iain
>          >
>          >
>          > $ openstack user create --password foo user1
>          > +---------------------+----------------------------------+
>          > | Field               | Value                            |
>          > +---------------------+----------------------------------+
>          > | domain_id           | default                          |
>          > | enabled             | True                             |
>          > | id                  | d18c0031ec56430499a2d690cb1f125c |
>          > | name                | user1                            |
>          > | options             | {}                               |
>          > | password_expires_at | None                             |
>          > +---------------------+----------------------------------+
>          > $ openstack user create --password foo user2
>          > +---------------------+----------------------------------+
>          > | Field               | Value                            |
>          > +---------------------+----------------------------------+
>          > | domain_id           | default                          |
>          > | enabled             | True                             |
>          > | id                  | be9f1061a5104abd834eabe98dff055d |
>          > | name                | user2                            |
>          > | options             | {}                               |
>          > | password_expires_at | None                             |
>          > +---------------------+----------------------------------+
>          > $ openstack project create project1
>          > +-------------+----------------------------------+
>          > | Field       | Value                            |
>          > +-------------+----------------------------------+
>          > | description |                                  |
>          > | domain_id   | default                          |
>          > | enabled     | True                             |
>          > | id          | 826876d6d3724018bae6253c7f540cb3 |
>          > | is_domain   | False                            |
>          > | name        | project1                         |
>          > | parent_id   | default                          |
>          > | tags        | []                               |
>          > +-------------+----------------------------------+
>          > $ openstack project create project2
>          > +-------------+----------------------------------+
>          > | Field       | Value                            |
>          > +-------------+----------------------------------+
>          > | description |                                  |
>          > | domain_id   | default                          |
>          > | enabled     | True                             |
>          > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
>          > | is_domain   | False                            |
>          > | name        | project2                         |
>          > | parent_id   | default                          |
>          > | tags        | []                               |
>          > +-------------+----------------------------------+
>          > $ openstack role add --user user1 --project project1 _member_
>          > $ openstack role add --user user2 --project project2 _member_
>          > $ export OS_PASSWORD=foo
>          > $ export OS_USERNAME=user1
>          > $ export OS_PROJECT_NAME=project1
>          > $ openstack image list
>          > +--------------------------------------+--------+--------+
>          > | ID                                   | Name   | Status |
>          > +--------------------------------------+--------+--------+
>          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>          > +--------------------------------------+--------+--------+
>          > $ openstack image create --private image1
>          > +------------------+------------------------------------------------------------------------------+
>          > | Field            | Value                                                                        |
>          > +------------------+------------------------------------------------------------------------------+
>          > | checksum         | None                                                                         |
>          > | container_format | bare                                                                         |
>          > | created_at       | 2018-10-18T22:17:41Z                                                         |
>          > | disk_format      | raw                                                                          |
>          > | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
>          > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
>          > | min_disk         | 0                                                                            |
>          > | min_ram          | 0                                                                            |
>          > | name             | image1                                                                       |
>          > | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
>          > | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
>          > | protected        | False                                                                        |
>          > | schema           | /v2/schemas/image                                                            |
>          > | size             | None                                                                         |
>          > | status           | queued                                                                       |
>          > | tags             |                                                                              |
>          > | updated_at       | 2018-10-18T22:17:41Z                                                         |
>          > | virtual_size     | None                                                                         |
>          > | visibility       | private                                                                      |
>          > +------------------+------------------------------------------------------------------------------+
>          > $ openstack image list
>          > +--------------------------------------+--------+--------+
>          > | ID                                   | Name   | Status |
>          > +--------------------------------------+--------+--------+
>          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>          > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>          > +--------------------------------------+--------+--------+
>          > $ export OS_USERNAME=user2
>          > $ export OS_PROJECT_NAME=project2
>          > $ openstack image list
>          > +--------------------------------------+--------+--------+
>          > | ID                                   | Name   | Status |
>          > +--------------------------------------+--------+--------+
>          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>          > +--------------------------------------+--------+--------+
>          > $ export OS_USERNAME=admin
>          > $ export OS_PROJECT_NAME=admin
>          > $ export OS_PASSWORD=xxx
>          > $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
>          > $ export OS_USERNAME=user2
>          > $ export OS_PROJECT_NAME=project2
>          > $ export OS_PASSWORD=foo
>          > $ openstack image list
>          > +--------------------------------------+--------+--------+
>          > | ID                                   | Name   | Status |
>          > +--------------------------------------+--------+--------+
>          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>          > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>          > +--------------------------------------+--------+--------+
>          > $
>          >
>          >
>          > On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>          > INTEGRA, INC.] wrote:
>          >> openstack user create --domain default --password xxxxxxxx --project-domain ndc --project test mike
>          >>
>          >>
>          >> openstack role add --user mike --user-domain default --project test user
>          >>
>          >> my admin account is in the NDC domain with a different username.
>          >>
>          >>
>          >>
>          >> /etc/glance/policy.json
>          >> {
>          >>
>          >> "context_is_admin":  "role:admin",
>          >> "default": "role:admin",
>          >>
>          >> <snip>
>          >>
>          >>
>          >> I'm not terribly familiar with the policies but I feel like that default
>          >> line is making everyone an admin by default?
>          >>
>          >>
>          >> Mike Moore, M.S.S.E.
>          >>
>          >> Systems Engineer, Goddard Private Cloud
>          >> Michael.D.Moore at nasa.gov
>          >>
>          >> Hydrogen fusion brightens my day.
>          >>
>          >>
>          >> On 10/18/18, 6:25 PM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>          >>
>          >>
>          >> I suspect that your non-admin user is not really non-admin. How did you
>          >> create it?
>          >>
>          >> What do you have for "context_is_admin" in glance's policy.json?
>          >>
>          >>  ~iain
>          >>
>          >>
>          >> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>          >> INTEGRA, INC.] wrote:
>          >>> I have replicated this unexpected behavior in a Pike test environment, in
>          >>> addition to our Queens environment.
>          >>>
>          >>>
>          >>>
>          >>> Mike Moore, M.S.S.E.
>          >>>
>          >>> Systems Engineer, Goddard Private Cloud
>          >>> Michael.D.Moore at nasa.gov
>          >>>
>          >>> Hydrogen fusion brightens my day.
>          >>>
>          >>>
>          >>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
>          >>> INC.]" <michael.d.moore at nasa.gov> wrote:
>          >>>
>          >>>    Yes. I verified it by creating a non-admin user in a different tenant. I
>          >>>    created a new image, set to private with the project defined as our admin
>          >>>    tenant.
>          >>>
>          >>>    In the database I can see that the image is 'private' and the owner is the
>          >>>    ID of the admin tenant.
>          >>>
>          >>>    Mike Moore, M.S.S.E.
>          >>>
>          >>>    Systems Engineer, Goddard Private Cloud
>          >>>    Michael.D.Moore at nasa.gov
>          >>>
>          >>>    Hydrogen fusion brightens my day.
>          >>>
>          >>>
>          >>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonnell at oracle.com> wrote:
>          >>>
>          >>>
>          >>>
>          >>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>          >>>        INTEGRA, INC.] wrote:
>          >>>        > I’m seeing unexpected behavior in our Queens environment related to
>          >>>        > Glance image visibility. Specifically users who, based on my
>          >>>        > understanding of the visibility and ownership fields, should NOT be able
>          >>>        > to see or view the image.
>          >>>        >
>          >>>        > If I create a new image with openstack image create and specify --project
>          >>>        > <tenant> and --private a non-admin user in a different tenant can see and
>          >>>        > boot that image.
>          >>>        >
>          >>>        > That seems to be the opposite of what should happen. Any ideas?
>          >>>
>          >>>        Yep, something's not right there.
>          >>>
>          >>>        Are you sure that the user that can see the image doesn't have the admin
>          >>>        role (for the project in its keystone token) ?
>          >>>
>          >>>        Did you verify that the image's owner is what you intended, and that the
>          >>>        visibility really is "private" ?
>          >>>
>          >>>             ~iain
>          >>>
>          >>>        _______________________________________________
>          >>>        OpenStack-operators mailing list
>          >>>        OpenStack-operators at lists.openstack.org
>          >>>        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>          >>>
>          >>>
>          >>>    _______________________________________________
>          >>>    OpenStack-operators mailing list
>          >>>    OpenStack-operators at lists.openstack.org
>          >>>    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>          >
>          > _______________________________________________
>          > OpenStack-operators mailing list
>          > OpenStack-operators at lists.openstack.org
>          > 
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators 
> 
> 
> 
> 
> 
>      _______________________________________________
>      OpenStack-operators mailing list
>      OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators 
> 
> 
> 
> ------------------------------
> 
> Message: 14
> Date: Fri, 19 Oct 2018 13:45:03 -0400
> From: Jay Pipes <jaypipes at gmail.com>
> To: openstack-operators at lists.openstack.org
> Subject: Re: [Openstack-operators] Fleio - OpenStack billing - ver.
>          1.1 released
> Message-ID: <b3f680a3-71ef-5c55-6dea-d71c9d973640 at gmail.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
> 
> Please do not use these mailing lists to advertise
> closed-source/proprietary software solutions.
> 
> Thank you,
> -jay
> 
> On 10/19/2018 05:42 AM, Adrian Andreias wrote:
>> Hello,
>> 
>> We've just released Fleio version 1.1.
>> 
>> Fleio is a billing solution and control panel for OpenStack public 
>> clouds and traditional web hosters.
>> 
>> Fleio software automates the entire process for cloud users. New 
>> customers can use Fleio to sign up for an account, pay invoices, add 
>> credit to their account, as well as create and manage cloud resources 
>> such as virtual machines, storage and networking.
>> 
>> Full feature list:
>> https://fleio.com#features 
>> 
>> You can see an online demo:
>> https://fleio.com/demo 
>> 
>> And sign-up for a free trial:
>> https://fleio.com/signup 
>> 
>> 
>> 
>> Cheers!
>> 
>> - Adrian Andreias
>> https://fleio.com 
>> 
>> 
>> 
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators 
>> 
> 
> 
> 
> ------------------------------
> 
> Message: 15
> Date: Fri, 19 Oct 2018 20:13:40 +0200
> From: Mohammed Naser <mnaser at vexxhost.com>
> To: jaypipes at gmail.com
> Cc: openstack-operators <openstack-operators at lists.openstack.org>
> Subject: Re: [Openstack-operators] Fleio - OpenStack billing - ver.
>          1.1     released
> Message-ID:
>          
> <CAEs876gDHPFjgxnD+HHKyP782u2XX0attJq9dYiYFDibc6DTZQ at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
> 
> On Fri, Oct 19, 2018 at 7:45 PM Jay Pipes <jaypipes at gmail.com> wrote:
>>
>> Please do not use these mailing lists to advertise
>> closed-source/proprietary software solutions.
> 
> +1
> 
>> Thank you,
>> -jay
>>
>> On 10/19/2018 05:42 AM, Adrian Andreias wrote:
>> > Hello,
>> >
>> > We've just released Fleio version 1.1.
>> >
>> > Fleio is a billing solution and control panel for OpenStack public
>> > clouds and traditional web hosters.
>> >
>> > Fleio software automates the entire process for cloud users. New
>> > customers can use Fleio to sign up for an account, pay invoices, add
>> > credit to their account, as well as create and manage cloud resources
>> > such as virtual machines, storage and networking.
>> >
>> > Full feature list:
>> > https://fleio.com#features 
>> >
>> > You can see an online demo:
>> > https://fleio.com/demo 
>> >
>> > And sign-up for a free trial:
>> > https://fleio.com/signup 
>> >
>> >
>> >
>> > Cheers!
>> >
>> > - Adrian Andreias
>> > https://fleio.com 
>> >
>> >
>> >
>> > _______________________________________________
>> > OpenStack-operators mailing list
>> > OpenStack-operators at lists.openstack.org
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators 
>> >
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators 
> 
> 
> 
> -- 
> Mohammed Naser — vexxhost
> -----------------------------------------------------
> D. 514-316-8872
> D. 800-910-1726 ext. 200
> E. mnaser at vexxhost.com
> W. http://vexxhost.com 
> 
> 
> 
> ------------------------------
> 
> Message: 16
> Date: Fri, 19 Oct 2018 14:39:29 -0400
> From: Erik McCormick <emccormick at cirrusseven.com>
> To: openstack-operators <openstack-operators at lists.openstack.org>
> Subject: [Openstack-operators] [Octavia] SSL errors polling amphorae
>          and     missing tenant network interface
> Message-ID:
>          
> <CAHUi5cNByYFRr4vHY9iAEhAFc=MhdjhBWHNArCQG0D-w-Z2gFg at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
> 
> I've been wrestling with getting Octavia up and running and have
> become stuck on two issues. I'm hoping someone has run into these
> before. My google foo has come up empty.
> 
> Issue 1:
> When the Octavia controller tries to poll the amphora instance, it
> tries repeatedly and eventually fails. The error on the controller
> side is:
> 
> 2018-10-19 14:17:39.181 26 ERROR
> octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection
> retries (currently set to 300) exhausted.  The amphora is unavailable.
> Reason: HTTPSConnectionPool(host='10.7.0.112', port=9443): Max retries
> exceeded with url: /0.5/plug/vip/10.250.20.15 (Caused by
> SSLError(SSLError("bad handshake: Error([('rsa routines',
> 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
> 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
> routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
> 'tls_process_server_certificate', 'certificate verify
> failed')],)",),)): SSLError: HTTPSConnectionPool(host='10.7.0.112',
> port=9443): Max retries exceeded with url: /0.5/plug/vip/10.250.20.15
> (Caused by SSLError(SSLError("bad handshake: Error([('rsa routines',
> 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
> 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
> routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
> 'tls_process_server_certificate', 'certificate verify
> failed')],)",),))
> 
> On the amphora side I see:
> [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Error processing SSL request.
> [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Invalid request from
> ip=::ffff:10.7.0.40: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake
> failure (_ssl.c:1754)
> 
> I've generated certificates both with the script in the Octavia git
> repo, and with the Openstack Ansible playbook. I can see that they are
> present in /etc/octavia/certs.
> 
> I'm using the Kolla (Queens) containers for the control plane so I'm
> sure I've satisfied all the python library constraints.
> 
> Issue 2:
> I'm not sure how it gets configured, but the tenant network interface
> (ens6) never comes up. I can spawn other instances on that network
> with no issue, and I can see that Neutron has the port attached to the
> instance. However, in the instance this is all I get:
> 
> ubuntu at amphora-33e0aab3-8bc4-4fcb-bc42-b9b36afb16d4:~$ ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>         valid_lft forever preferred_lft forever
>      inet6 ::1/128 scope host
>         valid_lft forever preferred_lft forever
> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast
> state UP group default qlen 1000
>      link/ether fa:16:3e:30:c4:60 brd ff:ff:ff:ff:ff:ff
>      inet 10.7.0.112/16 brd 10.7.255.255 scope global ens3
>         valid_lft forever preferred_lft forever
>      inet6 fe80::f816:3eff:fe30:c460/64 scope link
>         valid_lft forever preferred_lft forever
> 3: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
> default qlen 1000
>      link/ether fa:16:3e:89:a2:7f brd ff:ff:ff:ff:ff:ff
> 
> There's no evidence of the interface anywhere else including udev rules.
> 
> Any help with either or both issues would be greatly appreciated.
> 
> Cheers,
> Erik
> 
> 
> 
> ------------------------------
> 
> Message: 17
> Date: Sat, 20 Oct 2018 01:47:42 +0200
> From: Gaël THEROND <gael.therond at gmail.com>
> To: Erik McCormick <emccormick at cirrusseven.com>
> Cc: openstack-operators <openstack-operators at lists.openstack.org>
> Subject: Re: [Openstack-operators] [Octavia] SSL errors polling
>          amphorae and missing tenant network interface
> Message-ID:
>          
> <CAG+53ua-Hcjjq=_00rUZNsATmWq7g_8uZbMXAB_9VghtR_ByZA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi eric!
> 
> Glad I’m not the only one having this issue with the ssl communication
> between the amphora and the CP.
> 
> Even if I don’t yet get a clear answer regarding that issue, I think your
> second issue is not an issue as the interface is mounted on a namespace and
> so you’ll need to list all nic even those from namespace.
> 
> Use an ip netns ls to get the namespace.
> 
> Hope it will help.
> 
> On Fri, Oct 19, 2018 at 20:40, Erik McCormick <emccormick at cirrusseven.com> wrote:
> 
>> I've been wrestling with getting Octavia up and running and have
>> become stuck on two issues. I'm hoping someone has run into these
>> before. My google foo has come up empty.
>>
>> Issue 1:
>> When the Octavia controller tries to poll the amphora instance, it
>> tries repeatedly and eventually fails. The error on the controller
>> side is:
>>
>> 2018-10-19 14:17:39.181 26 ERROR
>> octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection
>> retries (currently set to 300) exhausted.  The amphora is unavailable.
>> Reason: HTTPSConnectionPool(host='10.7.0.112', port=9443): Max retries
>> exceeded with url: /0.5/plug/vip/10.250.20.15 (Caused by
>> SSLError(SSLError("bad handshake: Error([('rsa routines',
>> 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
>> 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
>> routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
>> 'tls_process_server_certificate', 'certificate verify
>> failed')],)",),)): SSLError: HTTPSConnectionPool(host='10.7.0.112',
>> port=9443): Max retries exceeded with url: /0.5/plug/vip/10.250.20.15
>> (Caused by SSLError(SSLError("bad handshake: Error([('rsa routines',
>> 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
>> 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
>> routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
>> 'tls_process_server_certificate', 'certificate verify
>> failed')],)",),))
>>
>> On the amphora side I see:
>> [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Error processing SSL request.
>> [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Invalid request from
>> ip=::ffff:10.7.0.40: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake
>> failure (_ssl.c:1754)
>>
>> I've generated certificates both with the script in the Octavia git
>> repo, and with the Openstack Ansible playbook. I can see that they are
>> present in /etc/octavia/certs.
>>
>> I'm using the Kolla (Queens) containers for the control plane so I'm
>> sure I've satisfied all the python library constraints.
>>
>> Issue 2:
>> I'm not sure how it gets configured, but the tenant network interface
>> (ens6) never comes up. I can spawn other instances on that network
>> with no issue, and I can see that Neutron has the port attached to the
>> instance. However, in the instance this is all I get:
>>
>> ubuntu at amphora-33e0aab3-8bc4-4fcb-bc42-b9b36afb16d4:~$ ip a
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
>> group default qlen 1
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>>     inet6 ::1/128 scope host
>>        valid_lft forever preferred_lft forever
>> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast
>> state UP group default qlen 1000
>>     link/ether fa:16:3e:30:c4:60 brd ff:ff:ff:ff:ff:ff
>>     inet 10.7.0.112/16 brd 10.7.255.255 scope global ens3
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::f816:3eff:fe30:c460/64 scope link
>>        valid_lft forever preferred_lft forever
>> 3: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
>> default qlen 1000
>>     link/ether fa:16:3e:89:a2:7f brd ff:ff:ff:ff:ff:ff
>>
>> There's no evidence of the interface anywhere else including udev rules.
>>
>> Any help with either or both issues would be greatly appreciated.
>>
>> Cheers,
>> Erik
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators 
>>
> 
> ------------------------------
> 
> Subject: Digest Footer
> 
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators 
> 
> 
> ------------------------------
> 
> End of OpenStack-operators Digest, Vol 96, Issue 7
> **************************************************
> 
> 
> 
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> 
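The OpenSSL error stack quoted in the Octavia message above ('RSA_padding_check_PKCS1_type_1', 'ASN1_item_verify', 'certificate verify failed') is what a client reports when the signature on the server certificate does not verify under the public key of the CA it trusts. One way to arrive there is two CAs generated separately with the same subject but different keys; the sketch below reproduces that offline. It is an added example, not code from the thread or from the Octavia project, and every file name and CN in it is constructed for the demo.

```shell
#!/usr/bin/env bash
# Demo: a certificate issued by CA "A" fails verification against CA "B",
# even though both CAs carry the same subject name.
# ca_a, ca_b, amp and the CN values are constructed names, not Octavia paths.

make_ca() {  # $1 = file prefix; new key and self-signed CA, same subject each time
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-octavia-ca" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_cert() {  # $1 = issuing CA prefix, $2 = output prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-amphora" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -set_serial 1 -days 1 -out "$2.pem" 2>/dev/null
}

check() {  # $1 = trusted CA prefix, $2 = cert prefix; prints OK or FAIL
  local out
  if out=$(openssl verify -CAfile "$1.pem" "$2.pem" 2>&1); then
    echo OK
  else
    # The exact reason text depends on the OpenSSL version.
    echo "$out" >&2
    echo FAIL
  fi
}

demo() {  # prints "<verify against issuing CA> <verify against look-alike CA>"
  local d
  d=$(mktemp -d) || return 1
  ( cd "$d" && make_ca ca_a && make_ca ca_b && issue_cert ca_a amp &&
    echo "$(check ca_a amp) $(check ca_b amp)" )
  rm -rf "$d"
}

demo
```

Running the same `openssl verify -CAfile <ca> <cert>` check against the CA file the controller is configured to trust and the certificate the amphora actually presents shows whether the two sides were generated from the same CA key.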



More information about the OpenStack-operators mailing list