[Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Jonathan Mills jonmills at gmail.com
Wed Oct 24 14:46:42 UTC 2018


Iain et al,

Appreciate your feedback.  I work with Michael D. Moore on the same
cluster, and I'm looking at the is_admin_project thing you pointed out.
What I found was that is_project_admin appeared to be True for every single
keystone request I found regardless of user.  There were no explicit
settings in keystone.conf relating to admin_project_name
or admin_project_domain_name.  In the debug logs, Keystone was setting
those values to 'None'.  I went ahead and added the following into
keystone.conf:

[resource]
admin_project_name = admin
admin_project_domain_name = Default

Subsequently, I think we are now seeing a different behavior with regard to
'is_admin_project' in keystone requests.  For example, here it is with the
admin user of the Default domain:

[root at vm013 ~]# openstack --debug image list 2>&1|grep 'is_admin_project'
{"token": {"is_domain": false, "methods": ["password"], "roles": [{"id":
"122576ec3bee490aaec8ff664a9446b4", "name": "admin"}], "is_admin_project":
true, "project": {"domain": {"id": "default", "name": "Default"}, "id":
"ac5b283406ff429291b4b4e958adca3f", "name": "admin"},

And here it is again as the non-admin user 'jonathan' in the Default domain:

[root at vm013 ~]# . keystonerc_jonathan
[root at vm013 ~]# openstack --debug image list 2>&1|grep 'is_admin_project'
{"token": {"is_domain": false, "methods": ["password"], "roles": [{"id":
"edc711368e72409ba25c6342ae9c0f80", "name": "user"}], "is_admin_project":
false, "project": {"domain": {"id": "d473b9495e13484ab391d6b5799ab0e2",
"name": "ndc"}, "id": "b472baecebb24f2f95c7b0c97b34e5c4", "name":
"ozoneaq"},


Okay, so that looks good I guess.  It is different from before, where
is_admin_project was True for both cases.  However, this does not seem to
have fixed the problem in any way.  So I'm thinking that the
is_admin_project part might be a red herring.

non-admin user jonathan @ Default can still see all glance images, even
ones marked private and owned by other tenants.  Not knowing where else to
go with this, I have opened a bug against Glance:
https://bugs.launchpad.net/glance/+bug/1799588

Jonathan



On Tue, Oct 23, 2018 at 7:46 PM iain MacDonnell <iain.macdonnell at oracle.com>
wrote:

>
> It (still) seems like there's something funky about admin/non-admin in
> your case.
>
> You could try "openstack --debug token issue" (in the admin and
> non-admin cases), and examine the token dict that gets output. Look for
> the "roles" list and "is_admin_project".
>
>      ~iain
>
>
>
> On 10/23/2018 03:21 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.] wrote:
> > We have submitted a bug for this
> >
> > https://bugs.launchpad.net/glance/+bug/1799588
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__bugs.launchpad.net_glance_-2Bbug_1799588&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=Mn2Mcb1CalyYcrdw2IZaS_mFLxT867ZjLCtchHttbP0&e=
> >
> >
> > Mike Moore, M.S.S.E.
> >
> > Systems Engineer, Goddard Private Cloud
> >
> > Michael.D.Moore at nasa.gov <mailto:Michael.D.Moore at nasa.gov>
> >
> > **
> >
> > Hydrogen fusion brightens my day.
> >
> > *From: *"Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
> > <michael.d.moore at nasa.gov>
> > *Date: *Saturday, October 20, 2018 at 7:22 PM
> > *To: *Logan Hicks <logan.hicks at live.com>,
> > "openstack-operators at lists.openstack.org"
> > <openstack-operators at lists.openstack.org>
> > *Subject: *Re: [Openstack-operators] OpenStack-operators Digest, Vol 96,
> > Issue 7
> >
> > The images exist and are bootable. I'm going to trace through the actual
> > code for glance API. Any suggestions on where the show/hide logic is
> > when it filters responses? I'm new to digging through OpenStack code.
> >
> > ------------------------------------------------------------------------
> >
> > *From:*Logan Hicks [logan.hicks at live.com]
> > *Sent:* Friday, October 19, 2018 8:00 PM
> > *To:* openstack-operators at lists.openstack.org
> > *Subject:* Re: [Openstack-operators] OpenStack-operators Digest, Vol 96,
> > Issue 7
> >
> > Re: Glance Image Visibility Issue? - Non  admin users can see
> >        private images from other tenants (Chris Apsey)
> >
> > I noticed that the image says queued. If Im not mistaken, an image cant
> > have permissions applied until after the image is created, which might
> > explain the issue hes seeing.
> >
> > The object doesnt exist until its made by openstack.
> >
> > Id check to see if something is holding up images being made. Id start
> > with glance.
> >
> > Respectfully,
> >
> > Logan Hicks
> >
> > -------- Original message --------
> >
> > From: openstack-operators-request at lists.openstack.org
> >
> > Date: 10/19/18 7:49 PM (GMT-05:00)
> >
> > To: openstack-operators at lists.openstack.org
> >
> > Subject: OpenStack-operators Digest, Vol 96, Issue 7
> >
> > Send OpenStack-operators mailing list submissions to
> >          openstack-operators at lists.openstack.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >
> > or, via email, send a message with subject or body 'help' to
> >          openstack-operators-request at lists.openstack.org
> >
> > You can reach the person managing the list at
> >          openstack-operators-owner at lists.openstack.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of OpenStack-operators digest..."
> >
> >
> > Today's Topics:
> >
> >     1. [nova] Removing the CachingScheduler (Matt Riedemann)
> >     2. Re: Glance Image Visibility Issue? - Non admin users can see
> >        private images from other tenants
> >        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
> >     3. Re: Glance Image Visibility Issue? - Non  admin users can see
> >        private images from other tenants (Chris Apsey)
> >     4. Re: Glance Image Visibility Issue? - Non admin users can see
> >        private images from other tenants (iain MacDonnell)
> >     5. Re: Glance Image Visibility Issue? - Non admin users can see
> >        private images from other tenants
> >        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
> >     6. Re: Glance Image Visibility Issue? - Non admin users can see
> >        private images from other tenants (iain MacDonnell)
> >     7. Re: Glance Image Visibility Issue? - Non  admin users can see
> >        private images from other tenants (Chris Apsey)
> >     8. osops-tools-monitoring Dependency problems (Tomáš Vondra)
> >     9. [heat][cinder] How to create stack snapshot       including
> volumes
> >        (Christian Zunker)
> >    10. Fleio - OpenStack billing - ver. 1.1 released (Adrian Andreias)
> >    11. Re: [Openstack-sigs] [all] Naming the T   release of OpenStack
> >        (Tony Breeds)
> >    12. Re: Glance Image Visibility Issue? - Non admin users can see
> >        private images from other tenants
> >        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
> >    13. Re: Glance Image Visibility Issue? - Non admin users can see
> >        private images from other tenants
> >        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
> >    14. Re: Fleio - OpenStack billing - ver. 1.1 released (Jay Pipes)
> >    15. Re: Fleio - OpenStack billing - ver. 1.1  released (Mohammed
> Naser)
> >    16. [Octavia] SSL errors polling amphorae and missing tenant
> >        network interface (Erik McCormick)
> >    17. Re: [Octavia] SSL errors polling amphorae and missing tenant
> >        network interface (Gaël THEROND)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Thu, 18 Oct 2018 17:07:00 -0500
> > From: Matt Riedemann <mriedemos at gmail.com>
> > To: "openstack-operators at lists.openstack.org"
> >          <openstack-operators at lists.openstack.org>
> > Subject: [Openstack-operators] [nova] Removing the CachingScheduler
> > Message-ID: <fa0c5339-a54d-6720-ca10-7f0cff12dba1 at gmail.com>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> >
> > It's been deprecated since Pike, and the time has come to remove it [1].
> >
> > mgagne has been the most vocal CachingScheduler operator I know and he
> > has tested out the "nova-manage placement heal_allocations" CLI, added
> > in Rocky, and said it will work for migrating his deployment from the
> > CachingScheduler to the FilterScheduler + Placement.
> >
> > If you are using the CachingScheduler and have a problem with its
> > removal, now is the time to speak up or forever hold your peace.
> >
> > [1] https://review.openstack.org/#/c/611723/1
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__review.openstack.org_-23_c_611723_1&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=CcuJbm96l8_bk_DdPB0xbW_A31hIN4eTR0nqDeQk4kM&e=
> >
> >
> > --
> >
> > Thanks,
> >
> > Matt
> >
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Thu, 18 Oct 2018 22:11:40 +0000
> > From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
> >          <michael.d.moore at nasa.gov>
> > To: iain MacDonnell <iain.macdonnell at oracle.com>,
> >          "openstack-operators at lists.openstack.org"
> >          <openstack-operators at lists.openstack.org>
> > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
> >          Non admin users can see private images from other tenants
> > Message-ID: <EDBAEC2C-5245-4952-86C9-CDC635667C92 at nasa.gov>
> > Content-Type: text/plain; charset="utf-8"
> >
> > I have replicated this unexpected behavior in a Pike test environment,
> > in addition to our Queens environment.
> >
> >
> >
> > Mike Moore, M.S.S.E.
> >
> > Systems Engineer, Goddard Private Cloud
> > Michael.D.Moore at nasa.gov
> >
> > Hydrogen fusion brightens my day.
> >
> >
> > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> > INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
> >
> >      Yes. I verified it by creating a non-admin user in a different
> > tenant. I created a new image, set to private with the project defined
> > as our admin tenant.
> >
> >      In the database I can see that the image is 'private' and the owner
> > is the ID of the admin tenant.
> >
> >      Mike Moore, M.S.S.E.
> >
> >      Systems Engineer, Goddard Private Cloud
> >      Michael.D.Moore at nasa.gov
> >
> >      Hydrogen fusion brightens my day.
> >
> >
> >      On 10/18/18, 1:07 AM, "iain MacDonnell"
> > <iain.macdonnell at oracle.com> wrote:
> >
> >
> >
> >          On 10/17/2018 12:29 PM, Moore, Michael Dane
> (GSFC-720.0)[BUSINESS
> >          INTEGRA, INC.] wrote:
> >          > I’m seeing unexpected behavior in our Queens environment
> > related to
> >          > Glance image visibility. Specifically users who, based on my
> >          > understanding of the visibility and ownership fields, should
> > NOT be able
> >          > to see or view the image.
> >          >
> >          > If I create a new image with openstack image create and
> > specify –project
> >          > <tenant> and –private a non-admin user in a different tenant
> > can see and
> >          > boot that image.
> >          >
> >          > That seems to be the opposite of what should happen. Any
> ideas?
> >
> >          Yep, something's not right there.
> >
> >          Are you sure that the user that can see the image doesn't have
> > the admin
> >          role (for the project in its keystone token) ?
> >
> >          Did you verify that the image's owner is what you intended, and
> > that the
> >          visibility really is "private" ?
> >
> >               ~iain
> >
> >          _______________________________________________
> >          OpenStack-operators mailing list
> >          OpenStack-operators at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >
> >
> >      _______________________________________________
> >      OpenStack-operators mailing list
> >      OpenStack-operators at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Thu, 18 Oct 2018 18:23:35 -0400
> > From: Chris Apsey <bitskrieg at bitskrieg.net>
> > To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
> >          <michael.d.moore at nasa.gov>, iain MacDonnell
> >          <iain.macdonnell at oracle.com>,
> >          <openstack-operators at lists.openstack.org>
> > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
> >          Non     admin users can see private images from other tenants
> > Message-ID:
> >          <
> 1668946da70.278c.5f0d7f2baa7831a2bbe6450f254d9a24 at bitskrieg.net>
> > Content-Type: text/plain; format=flowed; charset="UTF-8"
> >
> > Do you have a liberal/custom policy.json that perhaps is causing
> unexpected
> > behavior?  Can't seem to reproduce this.
> >
> > On October 18, 2018 18:13:22 "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> > INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
> >
> >> I have replicated this unexpected behavior in a Pike test environment,
> in
> >> addition to our Queens environment.
> >>
> >>
> >>
> >> Mike Moore, M.S.S.E.
> >>
> >> Systems Engineer, Goddard Private Cloud
> >> Michael.D.Moore at nasa.gov
> >>
> >> Hydrogen fusion brightens my day.
> >>
> >>
> >> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA,
> >> INC.]" <michael.d.moore at nasa.gov> wrote:
> >>
> >>    Yes. I verified it by creating a non-admin user in a different
> tenant. I
> >>    created a new image, set to private with the project defined as our
> admin
> >>    tenant.
> >>
> >>    In the database I can see that the image is 'private' and the owner
> is the
> >>    ID of the admin tenant.
> >>
> >>    Mike Moore, M.S.S.E.
> >>
> >>    Systems Engineer, Goddard Private Cloud
> >>    Michael.D.Moore at nasa.gov
> >>
> >>    Hydrogen fusion brightens my day.
> >>
> >>
> >>    On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonnell at oracle.com>
> wrote:
> >>
> >>
> >>
> >>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> >>        INTEGRA, INC.] wrote:
> >>> I’m seeing unexpected behavior in our Queens environment related to
> >>> Glance image visibility. Specifically users who, based on my
> >>> understanding of the visibility and ownership fields, should NOT be
> able
> >>> to see or view the image.
> >>>
> >>> If I create a new image with openstack image create and specify
> –project
> >>> <tenant> and –private a non-admin user in a different tenant can see
> and
> >>> boot that image.
> >>>
> >>> That seems to be the opposite of what should happen. Any ideas?
> >>
> >>        Yep, something's not right there.
> >>
> >>        Are you sure that the user that can see the image doesn't have
> the admin
> >>        role (for the project in its keystone token) ?
> >>
> >>        Did you verify that the image's owner is what you intended, and
> that the
> >>        visibility really is "private" ?
> >>
> >>             ~iain
> >>
> >>        _______________________________________________
> >>        OpenStack-operators mailing list
> >>        OpenStack-operators at lists.openstack.org
> >>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >>
> >>
> >>    _______________________________________________
> >>    OpenStack-operators mailing list
> >>    OpenStack-operators at lists.openstack.org
> >>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >>
> >>
> >> _______________________________________________
> >> OpenStack-operators mailing list
> >> OpenStack-operators at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >
> >
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Thu, 18 Oct 2018 15:25:22 -0700
> > From: iain MacDonnell <iain.macdonnell at oracle.com>
> > To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
> >          <michael.d.moore at nasa.gov>,
> > "openstack-operators at lists.openstack.org"
> >          <openstack-operators at lists.openstack.org>
> > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
> >          Non admin users can see private images from other tenants
> > Message-ID: <11e3f7a6-875e-4b6c-259a-147188a860e1 at oracle.com>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> >
> >
> > I suspect that your non-admin user is not really non-admin. How did you
> > create it?
> >
> > What you have for "context_is_admin" in glance's policy.json ?
> >
> >       ~iain
> >
> >
> > On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> > INTEGRA, INC.] wrote:
> >> I have replicated this unexpected behavior in a Pike test environment,
> in addition to our Queens environment.
> >>
> >>
> >>
> >> Mike Moore, M.S.S.E.
> >>
> >> Systems Engineer, Goddard Private Cloud
> >> Michael.D.Moore at nasa.gov
> >>
> >> Hydrogen fusion brightens my day.
> >>
> >>
> >> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
> >>
> >>      Yes. I verified it by creating a non-admin user in a different
> tenant. I created a new image, set to private with the project defined as
> our admin tenant.
> >>
> >>      In the database I can see that the image is 'private' and the
> owner is the ID of the admin tenant.
> >>
> >>      Mike Moore, M.S.S.E.
> >>
> >>      Systems Engineer, Goddard Private Cloud
> >>      Michael.D.Moore at nasa.gov
> >>
> >>      Hydrogen fusion brightens my day.
> >>
> >>
> >>      On 10/18/18, 1:07 AM, "iain MacDonnell" <
> iain.macdonnell at oracle.com> wrote:
> >>
> >>
> >>
> >>          On 10/17/2018 12:29 PM, Moore, Michael Dane
> (GSFC-720.0)[BUSINESS
> >>          INTEGRA, INC.] wrote:
> >>          > I’m seeing unexpected behavior in our Queens environment
> related to
> >>          > Glance image visibility. Specifically users who, based on my
> >>          > understanding of the visibility and ownership fields, should
> NOT be able
> >>          > to see or view the image.
> >>          >
> >>          > If I create a new image with openstack image create and
> specify –project
> >>          > <tenant> and –private a non-admin user in a different tenant
> can see and
> >>          > boot that image.
> >>          >
> >>          > That seems to be the opposite of what should happen. Any
> ideas?
> >>
> >>          Yep, something's not right there.
> >>
> >>          Are you sure that the user that can see the image doesn't have
> the admin
> >>          role (for the project in its keystone token) ?
> >>
> >>          Did you verify that the image's owner is what you intended,
> and that the
> >>          visibility really is "private" ?
> >>
> >>               ~iain
> >>
> >>          _______________________________________________
> >>          OpenStack-operators mailing list
> >>          OpenStack-operators at lists.openstack.org
> >>
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
> >>
> >>
> >>      _______________________________________________
> >>      OpenStack-operators mailing list
> >>      OpenStack-operators at lists.openstack.org
> >>
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
> >>
> >>
> >
> >
> >
> > ------------------------------
> >
> > Message: 5
> > Date: Thu, 18 Oct 2018 22:32:42 +0000
> > From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
> >          <michael.d.moore at nasa.gov>
> > To: iain MacDonnell <iain.macdonnell at oracle.com>,
> >          "openstack-operators at lists.openstack.org"
> >          <openstack-operators at lists.openstack.org>
> > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
> >          Non admin users can see private images from other tenants
> > Message-ID: <44085CC4-899C-49B2-9934-0800F6650B0B at nasa.gov>
> > Content-Type: text/plain; charset="utf-8"
> >
> > openstack user create --domain default --password xxxxxxxx
> > --project-domain ndc --project test mike
> >
> >
> > openstack role add --user mike --user-domain default --project test user
> >
> > my admin account is in the NDC domain with a different username.
> >
> >
> >
> > /etc/glance/policy.json
> > {
> >
> > "context_is_admin":  "role:admin",
> > "default": "role:admin",
> >
> > <snip>
> >
> >
> > I'm not terribly familiar with the policies but I feel like that default
> > line is making everyone an admin by default?
> >
> >
> > Mike Moore, M.S.S.E.
> >
> > Systems Engineer, Goddard Private Cloud
> > Michael.D.Moore at nasa.gov
> >
> > Hydrogen fusion brightens my day.
> >
> >
> > On 10/18/18, 6:25 PM, "iain MacDonnell" <iain.macdonnell at oracle.com>
> wrote:
> >
> >
> >      I suspect that your non-admin user is not really non-admin. How did
> > you
> >      create it?
> >
> >      What you have for "context_is_admin" in glance's policy.json ?
> >
> >           ~iain
> >
> >
> >      On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> >      INTEGRA, INC.] wrote:
> >      > I have replicated this unexpected behavior in a Pike test
> > environment, in addition to our Queens environment.
> >      >
> >      >
> >      >
> >      > Mike Moore, M.S.S.E.
> >      >
> >      > Systems Engineer, Goddard Private Cloud
> >      > Michael.D.Moore at nasa.gov
> >      >
> >      > Hydrogen fusion brightens my day.
> >      >
> >      >
> >      > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> > INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
> >      >
> >      >      Yes. I verified it by creating a non-admin user in a
> > different tenant. I created a new image, set to private with the project
> > defined as our admin tenant.
> >      >
> >      >      In the database I can see that the image is 'private' and
> > the owner is the ID of the admin tenant.
> >      >
> >      >      Mike Moore, M.S.S.E.
> >      >
> >      >      Systems Engineer, Goddard Private Cloud
> >      >      Michael.D.Moore at nasa.gov
> >      >
> >      >      Hydrogen fusion brightens my day.
> >      >
> >      >
> >      >      On 10/18/18, 1:07 AM, "iain MacDonnell"
> > <iain.macdonnell at oracle.com> wrote:
> >      >
> >      >
> >      >
> >      >          On 10/17/2018 12:29 PM, Moore, Michael Dane
> > (GSFC-720.0)[BUSINESS
> >      >          INTEGRA, INC.] wrote:
> >      >          > I’m seeing unexpected behavior in our Queens
> > environment related to
> >      >          > Glance image visibility. Specifically users who, based
> > on my
> >      >          > understanding of the visibility and ownership fields,
> > should NOT be able
> >      >          > to see or view the image.
> >      >          >
> >      >          > If I create a new image with openstack image create
> > and specify –project
> >      >          > <tenant> and –private a non-admin user in a different
> > tenant can see and
> >      >          > boot that image.
> >      >          >
> >      >          > That seems to be the opposite of what should happen.
> > Any ideas?
> >      >
> >      >          Yep, something's not right there.
> >      >
> >      >          Are you sure that the user that can see the image
> > doesn't have the admin
> >      >          role (for the project in its keystone token) ?
> >      >
> >      >          Did you verify that the image's owner is what you
> > intended, and that the
> >      >          visibility really is "private" ?
> >      >
> >      >               ~iain
> >      >
> >      >          _______________________________________________
> >      >          OpenStack-operators mailing list
> >      >          OpenStack-operators at lists.openstack.org
> >      >
> >
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
> >      >
> >      >
> >      >      _______________________________________________
> >      >      OpenStack-operators mailing list
> >      >      OpenStack-operators at lists.openstack.org
> >      >
> >
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
> >      >
> >      >
> >
> >
> >
> > ------------------------------
> >
> > Message: 6
> > Date: Thu, 18 Oct 2018 15:48:27 -0700
> > From: iain MacDonnell <iain.macdonnell at oracle.com>
> > To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
> >          <michael.d.moore at nasa.gov>,
> > "openstack-operators at lists.openstack.org"
> >          <openstack-operators at lists.openstack.org>
> > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
> >          Non admin users can see private images from other tenants
> > Message-ID: <c8bb19c1-8dcb-7f68-db3e-199cefd5c442 at oracle.com>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> >
> >
> > That all looks fine.
> >
> > I believe that the "default" policy applies in place of any that's not
> > explicitly specified - i.e. "if there's no matching policy below, you
> > need to have the admin role to be able to do it". I do have that line in
> > my policy.json, and I cannot reproduce your problem (see below).
> >
> > I'm not using domains (other than "default"). I wonder if that's a
> factor...
> >
> >       ~iain
> >
> >
> > $ openstack user create --password foo user1
> > +---------------------+----------------------------------+
> > | Field               | Value                            |
> > +---------------------+----------------------------------+
> > | domain_id           | default                          |
> > | enabled             | True                             |
> > | id                  | d18c0031ec56430499a2d690cb1f125c |
> > | name                | user1                            |
> > | options             | {}                               |
> > | password_expires_at | None                             |
> > +---------------------+----------------------------------+
> > $ openstack user create --password foo user2
> > +---------------------+----------------------------------+
> > | Field               | Value                            |
> > +---------------------+----------------------------------+
> > | domain_id           | default                          |
> > | enabled             | True                             |
> > | id                  | be9f1061a5104abd834eabe98dff055d |
> > | name                | user2                            |
> > | options             | {}                               |
> > | password_expires_at | None                             |
> > +---------------------+----------------------------------+
> > $ openstack project create project1
> > +-------------+----------------------------------+
> > | Field       | Value                            |
> > +-------------+----------------------------------+
> > | description |                                  |
> > | domain_id   | default                          |
> > | enabled     | True                             |
> > | id          | 826876d6d3724018bae6253c7f540cb3 |
> > | is_domain   | False                            |
> > | name        | project1                         |
> > | parent_id   | default                          |
> > | tags        | []                               |
> > +-------------+----------------------------------+
> > $ openstack project create project2
> > +-------------+----------------------------------+
> > | Field       | Value                            |
> > +-------------+----------------------------------+
> > | description |                                  |
> > | domain_id   | default                          |
> > | enabled     | True                             |
> > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
> > | is_domain   | False                            |
> > | name        | project2                         |
> > | parent_id   | default                          |
> > | tags        | []                               |
> > +-------------+----------------------------------+
> > $ openstack role add --user user1 --project project1 _member_
> > $ openstack role add --user user2 --project project2 _member_
> > $ export OS_PASSWORD=foo
> > $ export OS_USERNAME=user1
> > $ export OS_PROJECT_NAME=project1
> > $ openstack image list
> > +--------------------------------------+--------+--------+
> > | ID                                   | Name   | Status |
> > +--------------------------------------+--------+--------+
> > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> > +--------------------------------------+--------+--------+
> > $ openstack image create --private image1
> >
> +------------------+------------------------------------------------------------------------------+
> > | Field            | Value
> >                            |
> >
> +------------------+------------------------------------------------------------------------------+
> > | checksum         | None
> >                            |
> > | container_format | bare
> >                            |
> > | created_at       | 2018-10-18T22:17:41Z
> >                            |
> > | disk_format      | raw
> >                            |
> > | file             |
> > /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file
> >       |
> > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> >                            |
> > | min_disk         | 0
> >                            |
> > | min_ram          | 0
> >                            |
> > | name             | image1
> >                            |
> > | owner            | 826876d6d3724018bae6253c7f540cb3
> >                            |
> > | properties       | locations='[]', os_hash_algo='None',
> > os_hash_value='None', os_hidden='False' |
> > | protected        | False
> >                            |
> > | schema           | /v2/schemas/image
> >                            |
> > | size             | None
> >                            |
> > | status           | queued
> >                            |
> > | tags             |
> >                            |
> > | updated_at       | 2018-10-18T22:17:41Z
> >                            |
> > | virtual_size     | None
> >                            |
> > | visibility       | private
> >                            |
> >
> +------------------+------------------------------------------------------------------------------+
> > $ openstack image list
> > +--------------------------------------+--------+--------+
> > | ID                                   | Name   | Status |
> > +--------------------------------------+--------+--------+
> > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> > +--------------------------------------+--------+--------+
> > $ export OS_USERNAME=user2
> > $ export OS_PROJECT_NAME=project2
> > $ openstack image list
> > +--------------------------------------+--------+--------+
> > | ID                                   | Name   | Status |
> > +--------------------------------------+--------+--------+
> > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> > +--------------------------------------+--------+--------+
> > $ export OS_USERNAME=admin
> > $ export OS_PROJECT_NAME=admin
> > $ export OS_PASSWORD=xxx
> > $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> > $ export OS_USERNAME=user2
> > $ export OS_PROJECT_NAME=project2
> > $ export OS_PASSWORD=foo
> > $ openstack image list
> > +--------------------------------------+--------+--------+
> > | ID                                   | Name   | Status |
> > +--------------------------------------+--------+--------+
> > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> > +--------------------------------------+--------+--------+
> > $
> >
> >
> > On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> > INTEGRA, INC.] wrote:
> >> openstack user create --domain default --password xxxxxxxx
> --project-domain ndc --project test mike
> >>
> >>
> >> openstack role add --user mike --user-domain default --project test user
> >>
> >> my admin account is in the NDC domain with a different username.
> >>
> >>
> >>
> >> /etc/glance/policy.json
> >> {
> >>
> >> "context_is_admin":  "role:admin",
> >> "default": "role:admin",
> >>
> >> <snip>
> >>
> >>
> >> I'm not terribly familiar with the policies but I feel like that
> default line is making everyone an admin by default?
> >>
> >>
> >> Mike Moore, M.S.S.E.
> >>
> >> Systems Engineer, Goddard Private Cloud
> >> Michael.D.Moore at nasa.gov
> >>
> >> Hydrogen fusion brightens my day.
> >>
> >>
> >> On 10/18/18, 6:25 PM, "iain MacDonnell" <iain.macdonnell at oracle.com>
> wrote:
> >>
> >>
> >>      I suspect that your non-admin user is not really non-admin. How
> did you
> >>      create it?
> >>
> >>      What you have for "context_is_admin" in glance's policy.json ?
> >>
> >>           ~iain
> >>
> >>
> >>      On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> >>      INTEGRA, INC.] wrote:
> >>      > I have replicated this unexpected behavior in a Pike test
> environment, in addition to our Queens environment.
> >>      >
> >>      >
> >>      >
> >>      > Mike Moore, M.S.S.E.
> >>      >
> >>      > Systems Engineer, Goddard Private Cloud
> >>      > Michael.D.Moore at nasa.gov
> >>      >
> >>      > Hydrogen fusion brightens my day.
> >>      >
> >>      >
> >>      > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
> >>      >
> >>      >      Yes. I verified it by creating a non-admin user in a
> different tenant. I created a new image, set to private with the project
> defined as our admin tenant.
> >>      >
> >>      >      In the database I can see that the image is 'private' and
> the owner is the ID of the admin tenant.
> >>      >
> >>      >      Mike Moore, M.S.S.E.
> >>      >
> >>      >      Systems Engineer, Goddard Private Cloud
> >>      >      Michael.D.Moore at nasa.gov
> >>      >
> >>      >      Hydrogen fusion brightens my day.
> >>      >
> >>      >
> >>      >      On 10/18/18, 1:07 AM, "iain MacDonnell" <
> iain.macdonnell at oracle.com> wrote:
> >>      >
> >>      >
> >>      >
> >>      >          On 10/17/2018 12:29 PM, Moore, Michael Dane
> (GSFC-720.0)[BUSINESS
> >>      >          INTEGRA, INC.] wrote:
> >>      >          > I’m seeing unexpected behavior in our Queens
> environment related to
> >>      >          > Glance image visibility. Specifically users who,
> based on my
> >>      >          > understanding of the visibility and ownership fields,
> should NOT be able
> >>      >          > to see or view the image.
> >>      >          >
> >>      >          > If I create a new image with openstack image create
> and specify –project
> >>      >          > <tenant> and –private a non-admin user in a different
> tenant can see and
> >>      >          > boot that image.
> >>      >          >
> >>      >          > That seems to be the opposite of what should happen.
> Any ideas?
> >>      >
> >>      >          Yep, something's not right there.
> >>      >
> >>      >          Are you sure that the user that can see the image
> doesn't have the admin
> >>      >          role (for the project in its keystone token) ?
> >>      >
> >>      >          Did you verify that the image's owner is what you
> intended, and that the
> >>      >          visibility really is "private" ?
> >>      >
> >>      >               ~iain
> >>      >
> >>      >          _______________________________________________
> >>      >          OpenStack-operators mailing list
> >>      >          OpenStack-operators at lists.openstack.org
> >>      >
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
> >>      >
> >>      >
> >>      >      _______________________________________________
> >>      >      OpenStack-operators mailing list
> >>      >      OpenStack-operators at lists.openstack.org
> >>      >
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
> >>      >
> >>      >
> >>
> >>
> >
> >
> >
> > ------------------------------
> >
> > Message: 7
> > Date: Thu, 18 Oct 2018 19:23:42 -0400
> > From: Chris Apsey <bitskrieg at bitskrieg.net>
> > To: iain MacDonnell <iain.macdonnell at oracle.com>, "Moore, Michael Dane
> >          (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <michael.d.moore at nasa.gov
> >,
> >          <openstack-operators at lists.openstack.org>
> > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
> >          Non     admin users can see private images from other tenants
> > Message-ID:
> >          <
> 166897de830.278c.5f0d7f2baa7831a2bbe6450f254d9a24 at bitskrieg.net>
> > Content-Type: text/plain; format=flowed; charset="UTF-8"
> >
> > We are using multiple keystone domains - still can't reproduce this.
> >
> > Do you happen to have a customized keystone policy.json?
> >
> > Worst case, I would launch a devstack of your targeted release.  If you
> > can't reproduce the issue there, you would at least know its caused by a
> > nonstandard config rather than a bug (or at least not a bug that's
> present
> > when using a default config)
> >
> > On October 18, 2018 18:50:12 iain MacDonnell <iain.macdonnell at oracle.com
> >
> > wrote:
> >
> >> That all looks fine.
> >>
> >> I believe that the "default" policy applies in place of any that's not
> >> explicitly specified - i.e. "if there's no matching policy below, you
> >> need to have the admin role to be able to do it". I do have that line in
> >> my policy.json, and I cannot reproduce your problem (see below).
> >>
> >> I'm not using domains (other than "default"). I wonder if that's a
> factor...
> >>
> >>     ~iain
> >>
> >>
> >> $ openstack user create --password foo user1
> >> +---------------------+----------------------------------+
> >> | Field               | Value                            |
> >> +---------------------+----------------------------------+
> >> | domain_id           | default                          |
> >> | enabled             | True                             |
> >> | id                  | d18c0031ec56430499a2d690cb1f125c |
> >> | name                | user1                            |
> >> | options             | {}                               |
> >> | password_expires_at | None                             |
> >> +---------------------+----------------------------------+
> >> $ openstack user create --password foo user2
> >> +---------------------+----------------------------------+
> >> | Field               | Value                            |
> >> +---------------------+----------------------------------+
> >> | domain_id           | default                          |
> >> | enabled             | True                             |
> >> | id                  | be9f1061a5104abd834eabe98dff055d |
> >> | name                | user2                            |
> >> | options             | {}                               |
> >> | password_expires_at | None                             |
> >> +---------------------+----------------------------------+
> >> $ openstack project create project1
> >> +-------------+----------------------------------+
> >> | Field       | Value                            |
> >> +-------------+----------------------------------+
> >> | description |                                  |
> >> | domain_id   | default                          |
> >> | enabled     | True                             |
> >> | id          | 826876d6d3724018bae6253c7f540cb3 |
> >> | is_domain   | False                            |
> >> | name        | project1                         |
> >> | parent_id   | default                          |
> >> | tags        | []                               |
> >> +-------------+----------------------------------+
> >> $ openstack project create project2
> >> +-------------+----------------------------------+
> >> | Field       | Value                            |
> >> +-------------+----------------------------------+
> >> | description |                                  |
> >> | domain_id   | default                          |
> >> | enabled     | True                             |
> >> | id          | b446b93ac6e24d538c1943acbdd13cb2 |
> >> | is_domain   | False                            |
> >> | name        | project2                         |
> >> | parent_id   | default                          |
> >> | tags        | []                               |
> >> +-------------+----------------------------------+
> >> $ openstack role add --user user1 --project project1 _member_
> >> $ openstack role add --user user2 --project project2 _member_
> >> $ export OS_PASSWORD=foo
> >> $ export OS_USERNAME=user1
> >> $ export OS_PROJECT_NAME=project1
> >> $ openstack image list
> >> +--------------------------------------+--------+--------+
> >> | ID                                   | Name   | Status |
> >> +--------------------------------------+--------+--------+
> >> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> >> +--------------------------------------+--------+--------+
> >> $ openstack image create --private image1
> >>
> +------------------+------------------------------------------------------------------------------+
> >> | Field            | Value
> >>                          |
> >>
> +------------------+------------------------------------------------------------------------------+
> >> | checksum         | None
> >>                          |
> >> | container_format | bare
> >>                          |
> >> | created_at       | 2018-10-18T22:17:41Z
> >>                          |
> >> | disk_format      | raw
> >>                          |
> >> | file             |
> >> /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file
> >>     |
> >> | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> >>                          |
> >> | min_disk         | 0
> >>                          |
> >> | min_ram          | 0
> >>                          |
> >> | name             | image1
> >>                          |
> >> | owner            | 826876d6d3724018bae6253c7f540cb3
> >>                          |
> >> | properties       | locations='[]', os_hash_algo='None',
> >> os_hash_value='None', os_hidden='False' |
> >> | protected        | False
> >>                          |
> >> | schema           | /v2/schemas/image
> >>                          |
> >> | size             | None
> >>                          |
> >> | status           | queued
> >>                          |
> >> | tags             |
> >>                          |
> >> | updated_at       | 2018-10-18T22:17:41Z
> >>                          |
> >> | virtual_size     | None
> >>                          |
> >> | visibility       | private
> >>                          |
> >>
> +------------------+------------------------------------------------------------------------------+
> >> $ openstack image list
> >> +--------------------------------------+--------+--------+
> >> | ID                                   | Name   | Status |
> >> +--------------------------------------+--------+--------+
> >> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> >> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> >> +--------------------------------------+--------+--------+
> >> $ export OS_USERNAME=user2
> >> $ export OS_PROJECT_NAME=project2
> >> $ openstack image list
> >> +--------------------------------------+--------+--------+
> >> | ID                                   | Name   | Status |
> >> +--------------------------------------+--------+--------+
> >> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> >> +--------------------------------------+--------+--------+
> >> $ export OS_USERNAME=admin
> >> $ export OS_PROJECT_NAME=admin
> >> $ export OS_PASSWORD=xxx
> >> $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> >> $ export OS_USERNAME=user2
> >> $ export OS_PROJECT_NAME=project2
> >> $ export OS_PASSWORD=foo
> >> $ openstack image list
> >> +--------------------------------------+--------+--------+
> >> | ID                                   | Name   | Status |
> >> +--------------------------------------+--------+--------+
> >> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> >> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> >> +--------------------------------------+--------+--------+
> >> $
> >>
> >>
> >> On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> >> INTEGRA, INC.] wrote:
> >>> openstack user create --domain default --password xxxxxxxx
> --project-domain
> >>> ndc --project test mike
> >>>
> >>>
> >>> openstack role add --user mike --user-domain default --project test
> user
> >>>
> >>> my admin account is in the NDC domain with a different username.
> >>>
> >>>
> >>>
> >>> /etc/glance/policy.json
> >>> {
> >>>
> >>> "context_is_admin":  "role:admin",
> >>> "default": "role:admin",
> >>>
> >>> <snip>
> >>>
> >>>
> >>> I'm not terribly familiar with the policies but I feel like that
> default
> >>> line is making everyone an admin by default?
> >>>
> >>>
> >>> Mike Moore, M.S.S.E.
> >>>
> >>> Systems Engineer, Goddard Private Cloud
> >>> Michael.D.Moore at nasa.gov
> >>>
> >>> Hydrogen fusion brightens my day.
> >>>
> >>>
> >>> On 10/18/18, 6:25 PM, "iain MacDonnell" <iain.macdonnell at oracle.com>
> wrote:
> >>>
> >>>
> >>> I suspect that your non-admin user is not really non-admin. How did you
> >>> create it?
> >>>
> >>> What you have for "context_is_admin" in glance's policy.json ?
> >>>
> >>>  ~iain
> >>>
> >>>
> >>> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> >>> INTEGRA, INC.] wrote:
> >>>> I have replicated this unexpected behavior in a Pike test
> environment, in
> >>>> addition to our Queens environment.
> >>>>
> >>>>
> >>>>
> >>>> Mike Moore, M.S.S.E.
> >>>>
> >>>> Systems Engineer, Goddard Private Cloud
> >>>> Michael.D.Moore at nasa.gov
> >>>>
> >>>> Hydrogen fusion brightens my day.
> >>>>
> >>>>
> >>>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA,
> >>>> INC.]" <michael.d.moore at nasa.gov> wrote:
> >>>>
> >>>>    Yes. I verified it by creating a non-admin user in a different
> tenant. I
> >>>>    created a new image, set to private with the project defined as
> our admin
> >>>>    tenant.
> >>>>
> >>>>    In the database I can see that the image is 'private' and the
> owner is the
> >>>>    ID of the admin tenant.
> >>>>
> >>>>    Mike Moore, M.S.S.E.
> >>>>
> >>>>    Systems Engineer, Goddard Private Cloud
> >>>>    Michael.D.Moore at nasa.gov
> >>>>
> >>>>    Hydrogen fusion brightens my day.
> >>>>
> >>>>
> >>>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <
> iain.macdonnell at oracle.com> wrote:
> >>>>
> >>>>
> >>>>
> >>>>        On 10/17/2018 12:29 PM, Moore, Michael Dane
> (GSFC-720.0)[BUSINESS
> >>>>        INTEGRA, INC.] wrote:
> >>>>        > I’m seeing unexpected behavior in our Queens environment
> related to
> >>>>        > Glance image visibility. Specifically users who, based on my
> >>>>        > understanding of the visibility and ownership fields, should
> NOT be able
> >>>>        > to see or view the image.
> >>>>        >
> >>>>        > If I create a new image with openstack image create and
> specify –project
> >>>>        > <tenant> and –private a non-admin user in a different tenant
> can see and
> >>>>        > boot that image.
> >>>>        >
> >>>>        > That seems to be the opposite of what should happen. Any
> ideas?
> >>>>
> >>>>        Yep, something's not right there.
> >>>>
> >>>>        Are you sure that the user that can see the image doesn't have
> the admin
> >>>>        role (for the project in its keystone token) ?
> >>>>
> >>>>        Did you verify that the image's owner is what you intended,
> and that the
> >>>>        visibility really is "private" ?
> >>>>
> >>>>             ~iain
> >>>>
> >>>>        _______________________________________________
> >>>>        OpenStack-operators mailing list
> >>>>        OpenStack-operators at lists.openstack.org
> >>>>
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
> >>>>
> >>>>
> >>>>    _______________________________________________
> >>>>    OpenStack-operators mailing list
> >>>>    OpenStack-operators at lists.openstack.org
> >>>>
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
> >>
> >> _______________________________________________
> >> OpenStack-operators mailing list
> >> OpenStack-operators at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >
> >
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 8
> > Date: Fri, 19 Oct 2018 10:58:30 +0200
> > From: Tomáš Vondra <vondra at homeatcloud.cz>
> > To: <OpenStack-operators at lists.openstack.org>
> > Subject: [Openstack-operators] osops-tools-monitoring Dependency
> >          problems
> > Message-ID: <049e01d46789$e8bf5220$ba3df660$@homeatcloud.cz>
> > Content-Type: text/plain;       charset="iso-8859-2"
> >
> > Hi!
> > I'm a long time user of monitoring-for-openstack, also known as oschecks.
> > Concretely, I used a version from 2015 with OpenStack python client
> > libraries from Kilo. Now I have upgraded them to Mitaka and it got
> broken.
> > Even the latest oschecks don't work. I didn't quite expect that, given
> that
> > there are several commits from this year e.g. by Nagasai Vinaykumar
> > Kapalavai and paramite. Can one of them or some other user step up and
> say
> > what version of OpenStack clients is oschecks working with? Ideally,
> write
> > it down in requirements.txt so that it will be reproducible? Also, some
> > documentation of what is the minimal set of parameters would also come in
> > handy.
> > Thanks a lot, Tomas from Homeatcloud
> >
> > The error messages are as absurd as:
> > oschecks-check_glance_api --os_auth_url='http://10.1.101.30:5000/v2.0
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__10.1.101.30-3A5000_v2.0&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=_OahSWkou5-POtvp2P_0PQEAtRXnl_2ry82DIo_ygQ4&e=
> >'
> > --os_username=monitoring --os_password=XXX --os_tenant_name=monitoring
> >
> > CRITICAL: Traceback (most recent call last):
> >    File "/usr/lib/python2.7/dist-packages/oschecks/utils.py", line 121,
> in
> > safe_run
> >      method()
> >    File "/usr/lib/python2.7/dist-packages/oschecks/glance.py", line 29,
> in
> > _check_glance_api
> >      glance = utils.Glance()
> >    File "/usr/lib/python2.7/dist-packages/oschecks/utils.py", line 177,
> in
> > __init__
> >      self.glance.parser = self.glance.get_base_parser(sys.argv)
> > TypeError: get_base_parser() takes exactly 1 argument (2 given)
> >
> > (I can see 4 parameters on the command line.)
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 9
> > Date: Fri, 19 Oct 2018 11:21:25 +0200
> > From: Christian Zunker <christian.zunker at codecentric.cloud>
> > To: openstack-operators <openstack-operators at lists.openstack.org>
> > Subject: [Openstack-operators] [heat][cinder] How to create stack
> >          snapshot        including volumes
> > Message-ID:
> >
> > <CAHS=D_ZGow+hSPuiicq6z0UrRCb3DxC4hf425uY7+5+Rt+-z5w at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi List,
> >
> > I'd like to take snapshots of heat stacks including the volumes.
> >>From what I found until now, this should be possible. You just have to
> > configure some parts of OpenStack.
> >
> > I enabled cinder-backup with ceph backend. Backups from volumes are
> working.
> > I configured heat to include the option backups_enabled = True.
> >
> > When I use openstack stack snapshot create, I get a snapshot but no
> backups
> > of my volumes. I don't get any error messages in heat. Debug logging
> didn't
> > help either.
> >
> > OpenStack version is Pike on Ubuntu installed with openstack-ansible.
> > heat version is 9.0.3. So this should also include this bugfix:
> > https://bugs.launchpad.net/heat/+bug/1687006
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__bugs.launchpad.net_heat_-2Bbug_1687006&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=GveynPsCtRgNf5xllOIdz2Y5eNCZAvn4B9xEtzLDi1A&e=
> >
> >
> > Is anybody using this feature? What am I missing?
> >
> > Best regards
> > Christian
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL:
> > <
> http://lists.openstack.org/pipermail/openstack-operators/attachments/20181019/bb7dd81b/attachment-0001.html
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_pipermail_openstack-2Doperators_attachments_20181019_bb7dd81b_attachment-2D0001.html&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=YCjjLeySrbifzs2-92NmaHNUG4DFb6Ps4CpFzjdo0ts&e=
> >>
> >
> > ------------------------------
> >
> > Message: 10
> > Date: Fri, 19 Oct 2018 12:42:00 +0300
> > From: Adrian Andreias <adrian at fleio.com>
> > To: openstack-operators at lists.openstack.org
> > Subject: [Openstack-operators] Fleio - OpenStack billing - ver. 1.1
> >          released
> > Message-ID:
> >
> > <CACp-FE3gEP=nwXRtwy-H13qXrnhPa5bn0uWiukxWp=YTU-4e8A at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hello,
> >
> > We've just released Fleio version 1.1.
> >
> > Fleio is a billing solution and control panel for OpenStack public clouds
> > and traditional web hosters.
> >
> > Fleio software automates the entire process for cloud users. New
> customers
> > can use Fleio to sign up for an account, pay invoices, add credit to
> their
> > account, as well as create and manage cloud resources such as virtual
> > machines, storage and networking.
> >
> > Full feature list:
> > https://fleio.com#features
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fleio.com-23features&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=BrOjwRrcQVfBauwf8lZ439skCFkW1CmcZ4NNdTkQDGg&e=
> >
> >
> > You can see an online demo:
> > https://fleio.com/demo
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fleio.com_demo&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=3Zute5FDzopFoMvqplhIEh9_6wmKOczoeYx4F2Ulni0&e=
> >
> >
> > And sign-up for a free trial:
> > https://fleio.com/signup
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fleio.com_signup&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=1z9sWcZjZ3HsDnbaK7jH0_WcAJ_ZNSP7fw6hORW00v0&e=
> >
> >
> >
> >
> > Cheers!
> >
> > - Adrian Andreias
> > https://fleio.com
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fleio.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=6dlGzWvUN7KbdNbPt3xeMM7tBqWDCXRb0hSyshGhYJM&e=
> >
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL:
> > <
> http://lists.openstack.org/pipermail/openstack-operators/attachments/20181019/3031e47f/attachment-0001.html
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_pipermail_openstack-2Doperators_attachments_20181019_3031e47f_attachment-2D0001.html&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=JCagcM_ZjfKNMy6hUc9mScnVifU3IZVyccED28OEhpA&e=
> >>
> >
> > ------------------------------
> >
> > Message: 11
> > Date: Fri, 19 Oct 2018 20:54:29 +1100
> > From: Tony Breeds <tony at bakeyournoodle.com>
> > To: OpenStack Development <openstack-dev at lists.openstack.org>,
> >          OpenStack SIGs <openstack-sigs at lists.openstack.org>, OpenStack
> >          Operators <openstack-operators at lists.openstack.org>
> > Subject: Re: [Openstack-operators] [Openstack-sigs] [all] Naming the T
> >          release of OpenStack
> > Message-ID: <20181019095428.GA9399 at thor.bakeyournoodle.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > On Thu, Oct 18, 2018 at 05:35:39PM +1100, Tony Breeds wrote:
> >> Hello all,
> >>     As per [1] the nomination period for names for the T release have
> >> now closed (actually 3 days ago sorry).  The nominated names and any
> >> qualifying remarks can be seen at2].
> >>
> >> Proposed Names
> >>  * Tarryall
> >>  * Teakettle
> >>  * Teller
> >>  * Telluride
> >>  * Thomas
> >>  * Thornton
> >>  * Tiger
> >>  * Tincup
> >>  * Timnath
> >>  * Timber
> >>  * Tiny Town
> >>  * Torreys
> >>  * Trail
> >>  * Trinidad
> >>  * Treasure
> >>  * Troublesome
> >>  * Trussville
> >>  * Turret
> >>  * Tyrone
> >>
> >> Proposed Names that do not meet the criteria
> >>  * Train
> >
> > I have re-worked my openstack/governance change[1] to ask the TC to
> accept
> > adding Train to the poll as (partially) described in [2].
> >
> > I present the names above to the community and Foundation marketing team
> > for consideration.  The list above does contain Train, clearly if the TC
> > do not approve [1] Train will not be included in the poll when created.
> >
> > I apologise for any offence or slight caused by my previous email in
> > this thread.  It was well intentioned albeit, with hindsight, poorly
> > thought through.
> >
> > Yours Tony.
> >
> > [1] https://review.openstack.org/#/c/611511/
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__review.openstack.org_-23_c_611511_&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=cRWATGRCwFhRInCOOTmTaFGPvMXWXznOs1-pnONNMvA&e=
> >
> > [2]
> >
> https://governance.openstack.org/tc/reference/release-naming.html#release-name-criteria
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__governance.openstack.org_tc_reference_release-2Dnaming.html-23release-2Dname-2Dcriteria&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=ORBvxW9YNjEKlSx6vbG0BIAOLa6sDtdIw1oWC8aGyvA&e=
> >
> > -------------- next part --------------
> > A non-text attachment was scrubbed...
> > Name: signature.asc
> > Type: application/pgp-signature
> > Size: 488 bytes
> > Desc: not available
> > URL:
> > <
> http://lists.openstack.org/pipermail/openstack-operators/attachments/20181019/49c95d5d/attachment-0001.sig
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_pipermail_openstack-2Doperators_attachments_20181019_49c95d5d_attachment-2D0001.sig&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=jMzO0p4dD0TpgnxO_HTziQRuWfGZJz4W1oPgADf0iw0&e=
> >>
> >
> > ------------------------------
> >
> > Message: 12
> > Date: Fri, 19 Oct 2018 16:33:17 +0000
> > From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
> >          <michael.d.moore at nasa.gov>
> > To: Chris Apsey <bitskrieg at bitskrieg.net>, iain MacDonnell
> >          <iain.macdonnell at oracle.com>,
> >          "openstack-operators at lists.openstack.org"
> >          <openstack-operators at lists.openstack.org>
> > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
> >          Non admin users can see private images from other tenants
> > Message-ID: <4704898B-D193-4540-B106-BF38ACAB68E2 at nasa.gov>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Our NDC domain is LDAP backed. Default is not.
> >
> > Our keystone policy.json file is empty {}
> >
> >
> >
> > Mike Moore, M.S.S.E.
> >
> > Systems Engineer, Goddard Private Cloud
> > Michael.D.Moore at nasa.gov
> >
> > Hydrogen fusion brightens my day.
> >
> >
> > On 10/18/18, 7:24 PM, "Chris Apsey" <bitskrieg at bitskrieg.net> wrote:
> >
> >      We are using multiple keystone domains - still can't reproduce this.
> >
> >      Do you happen to have a customized keystone policy.json?
> >
> >      Worst case, I would launch a devstack of your targeted release.  If
> > you
> >      can't reproduce the issue there, you would at least know its caused
> > by a
> >      nonstandard config rather than a bug (or at least not a bug that's
> > present
> >      when using a default config)
> >
> >      On October 18, 2018 18:50:12 iain MacDonnell
> > <iain.macdonnell at oracle.com>
> >      wrote:
> >
> >      > That all looks fine.
> >      >
> >      > I believe that the "default" policy applies in place of any
> > that's not
> >      > explicitly specified - i.e. "if there's no matching policy below,
> you
> >      > need to have the admin role to be able to do it". I do have that
> > line in
> >      > my policy.json, and I cannot reproduce your problem (see below).
> >      >
> >      > I'm not using domains (other than "default"). I wonder if that's
> > a factor...
> >      >
> >      >     ~iain
> >      >
> >      >
> >      > $ openstack user create --password foo user1
> >      > +---------------------+----------------------------------+
> >      > | Field               | Value                            |
> >      > +---------------------+----------------------------------+
> >      > | domain_id           | default                          |
> >      > | enabled             | True                             |
> >      > | id                  | d18c0031ec56430499a2d690cb1f125c |
> >      > | name                | user1                            |
> >      > | options             | {}                               |
> >      > | password_expires_at | None                             |
> >      > +---------------------+----------------------------------+
> >      > $ openstack user create --password foo user2
> >      > +---------------------+----------------------------------+
> >      > | Field               | Value                            |
> >      > +---------------------+----------------------------------+
> >      > | domain_id           | default                          |
> >      > | enabled             | True                             |
> >      > | id                  | be9f1061a5104abd834eabe98dff055d |
> >      > | name                | user2                            |
> >      > | options             | {}                               |
> >      > | password_expires_at | None                             |
> >      > +---------------------+----------------------------------+
> >      > $ openstack project create project1
> >      > +-------------+----------------------------------+
> >      > | Field       | Value                            |
> >      > +-------------+----------------------------------+
> >      > | description |                                  |
> >      > | domain_id   | default                          |
> >      > | enabled     | True                             |
> >      > | id          | 826876d6d3724018bae6253c7f540cb3 |
> >      > | is_domain   | False                            |
> >      > | name        | project1                         |
> >      > | parent_id   | default                          |
> >      > | tags        | []                               |
> >      > +-------------+----------------------------------+
> >      > $ openstack project create project2
> >      > +-------------+----------------------------------+
> >      > | Field       | Value                            |
> >      > +-------------+----------------------------------+
> >      > | description |                                  |
> >      > | domain_id   | default                          |
> >      > | enabled     | True                             |
> >      > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
> >      > | is_domain   | False                            |
> >      > | name        | project2                         |
> >      > | parent_id   | default                          |
> >      > | tags        | []                               |
> >      > +-------------+----------------------------------+
> >      > $ openstack role add --user user1 --project project1 _member_
> >      > $ openstack role add --user user2 --project project2 _member_
> >      > $ export OS_PASSWORD=foo
> >      > $ export OS_USERNAME=user1
> >      > $ export OS_PROJECT_NAME=project1
> >      > $ openstack image list
> >      > +--------------------------------------+--------+--------+
> >      > | ID                                   | Name   | Status |
> >      > +--------------------------------------+--------+--------+
> >      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> >      > +--------------------------------------+--------+--------+
> >      > $ openstack image create --private image1
> >      >
> >
> +------------------+------------------------------------------------------------------------------+
> >      > | Field            | Value
> >      >                          |
> >      >
> >
> +------------------+------------------------------------------------------------------------------+
> >      > | checksum         | None
> >      >                          |
> >      > | container_format | bare
> >      >                          |
> >      > | created_at       | 2018-10-18T22:17:41Z
> >      >                          |
> >      > | disk_format      | raw
> >      >                          |
> >      > | file             |
> >      > /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file
> >      >     |
> >      > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> >      >                          |
> >      > | min_disk         | 0
> >      >                          |
> >      > | min_ram          | 0
> >      >                          |
> >      > | name             | image1
> >      >                          |
> >      > | owner            | 826876d6d3724018bae6253c7f540cb3
> >      >                          |
> >      > | properties       | locations='[]', os_hash_algo='None',
> >      > os_hash_value='None', os_hidden='False' |
> >      > | protected        | False
> >      >                          |
> >      > | schema           | /v2/schemas/image
> >      >                          |
> >      > | size             | None
> >      >                          |
> >      > | status           | queued
> >      >                          |
> >      > | tags             |
> >      >                          |
> >      > | updated_at       | 2018-10-18T22:17:41Z
> >      >                          |
> >      > | virtual_size     | None
> >      >                          |
> >      > | visibility       | private
> >      >                          |
> >      >
> >
> +------------------+------------------------------------------------------------------------------+
> >      > $ openstack image list
> >      > +--------------------------------------+--------+--------+
> >      > | ID                                   | Name   | Status |
> >      > +--------------------------------------+--------+--------+
> >      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> >      > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> >      > +--------------------------------------+--------+--------+
> >      > $ export OS_USERNAME=user2
> >      > $ export OS_PROJECT_NAME=project2
> >      > $ openstack image list
> >      > +--------------------------------------+--------+--------+
> >      > | ID                                   | Name   | Status |
> >      > +--------------------------------------+--------+--------+
> >      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> >      > +--------------------------------------+--------+--------+
> >      > $ export OS_USERNAME=admin
> >      > $ export OS_PROJECT_NAME=admin
> >      > $ export OS_PASSWORD=xxx
> >      > $ openstack image set --public
> 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> >      > $ export OS_USERNAME=user2
> >      > $ export OS_PROJECT_NAME=project2
> >      > $ export OS_PASSWORD=foo
> >      > $ openstack image list
> >      > +--------------------------------------+--------+--------+
> >      > | ID                                   | Name   | Status |
> >      > +--------------------------------------+--------+--------+
> >      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> >      > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> >      > +--------------------------------------+--------+--------+
> >      > $
> >      >
> >      >
> >      > On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> >      > INTEGRA, INC.] wrote:
> >      >> openstack user create --domain default --password xxxxxxxx
> > --project-domain
> >      >> ndc --project test mike
> >      >>
> >      >>
> >      >> openstack role add --user mike --user-domain default --project
> > test user
> >      >>
> >      >> my admin account is in the NDC domain with a different username.
> >      >>
> >      >>
> >      >>
> >      >> /etc/glance/policy.json
> >      >> {
> >      >>
> >      >> "context_is_admin":  "role:admin",
> >      >> "default": "role:admin",
> >      >>
> >      >> <snip>
> >      >>
> >      >>
> >      >> I'm not terribly familiar with the policies but I feel like that
> > default
> >      >> line is making everyone an admin by default?
> >      >>
> >      >>
> >      >> Mike Moore, M.S.S.E.
> >      >>
> >      >> Systems Engineer, Goddard Private Cloud
> >      >> Michael.D.Moore at nasa.gov
> >      >>
> >      >> Hydrogen fusion brightens my day.
> >      >>
> >      >>
> >      >> On 10/18/18, 6:25 PM, "iain MacDonnell"
> > <iain.macdonnell at oracle.com> wrote:
> >      >>
> >      >>
> >      >> I suspect that your non-admin user is not really non-admin. How
> > did you
> >      >> create it?
> >      >>
> >      >> What you have for "context_is_admin" in glance's policy.json ?
> >      >>
> >      >>  ~iain
> >      >>
> >      >>
> >      >> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> >      >> INTEGRA, INC.] wrote:
> >      >>> I have replicated this unexpected behavior in a Pike test
> > environment, in
> >      >>> addition to our Queens environment.
> >      >>>
> >      >>>
> >      >>>
> >      >>> Mike Moore, M.S.S.E.
> >      >>>
> >      >>> Systems Engineer, Goddard Private Cloud
> >      >>> Michael.D.Moore at nasa.gov
> >      >>>
> >      >>> Hydrogen fusion brightens my day.
> >      >>>
> >      >>>
> >      >>> On 10/18/18, 2:30 PM, "Moore, Michael Dane
> > (GSFC-720.0)[BUSINESS INTEGRA,
> >      >>> INC.]" <michael.d.moore at nasa.gov> wrote:
> >      >>>
> >      >>>    Yes. I verified it by creating a non-admin user in a
> > different tenant. I
> >      >>>    created a new image, set to private with the project defined
> > as our admin
> >      >>>    tenant.
> >      >>>
> >      >>>    In the database I can see that the image is 'private' and
> > the owner is the
> >      >>>    ID of the admin tenant.
> >      >>>
> >      >>>    Mike Moore, M.S.S.E.
> >      >>>
> >      >>>    Systems Engineer, Goddard Private Cloud
> >      >>>    Michael.D.Moore at nasa.gov
> >      >>>
> >      >>>    Hydrogen fusion brightens my day.
> >      >>>
> >      >>>
> >      >>>    On 10/18/18, 1:07 AM, "iain MacDonnell"
> > <iain.macdonnell at oracle.com> wrote:
> >      >>>
> >      >>>
> >      >>>
> >      >>>        On 10/17/2018 12:29 PM, Moore, Michael Dane
> > (GSFC-720.0)[BUSINESS
> >      >>>        INTEGRA, INC.] wrote:
> >      >>>        > I’m seeing unexpected behavior in our Queens
> > environment related to
> >      >>>        > Glance image visibility. Specifically users who, based
> > on my
> >      >>>        > understanding of the visibility and ownership fields,
> > should NOT be able
> >      >>>        > to see or view the image.
> >      >>>        >
> >      >>>        > If I create a new image with openstack image create
> > and specify –project
> >      >>>        > <tenant> and –private a non-admin user in a different
> > tenant can see and
> >      >>>        > boot that image.
> >      >>>        >
> >      >>>        > That seems to be the opposite of what should happen.
> > Any ideas?
> >      >>>
> >      >>>        Yep, something's not right there.
> >      >>>
> >      >>>        Are you sure that the user that can see the image
> > doesn't have the admin
> >      >>>        role (for the project in its keystone token) ?
> >      >>>
> >      >>>        Did you verify that the image's owner is what you
> > intended, and that the
> >      >>>        visibility really is "private" ?
> >      >>>
> >      >>>             ~iain
> >      >>>
> >      >>>        _______________________________________________
> >      >>>        OpenStack-operators mailing list
> >      >>>        OpenStack-operators at lists.openstack.org
> >      >>>
> >
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
> >      >>>
> >      >>>
> >      >>>    _______________________________________________
> >      >>>    OpenStack-operators mailing list
> >      >>>    OpenStack-operators at lists.openstack.org
> >      >>>
> >
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
> >      >
> >      > _______________________________________________
> >      > OpenStack-operators mailing list
> >      > OpenStack-operators at lists.openstack.org
> >      >
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >
> >
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 13
> > Date: Fri, 19 Oct 2018 16:54:12 +0000
> > From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
> >          <michael.d.moore at nasa.gov>
> > To: Chris Apsey <bitskrieg at bitskrieg.net>, iain MacDonnell
> >          <iain.macdonnell at oracle.com>,
> >          "openstack-operators at lists.openstack.org"
> >          <openstack-operators at lists.openstack.org>
> > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
> >          Non admin users can see private images from other tenants
> > Message-ID: <A5FD0CCA-8B13-424D-A8F2-E6ACECF58C23 at nasa.gov>
> > Content-Type: text/plain; charset="utf-8"
> >
> >
> > For reference, here is our full glance policy.json
> >
> >
> > {
> >      "context_is_admin":  "role:admin",
> >      "default": "role:admin",
> >
> >      "add_image": "",
> >      "delete_image": "",
> >      "get_image": "",
> >      "get_images": "",
> >      "modify_image": "",
> >      "publicize_image": "role:admin",
> >      "communitize_image": "",
> >      "copy_from": "",
> >
> >      "download_image": "",
> >      "upload_image": "",
> >
> >      "delete_image_location": "",
> >      "get_image_location": "",
> >      "set_image_location": "",
> >
> >      "add_member": "",
> >      "delete_member": "",
> >      "get_member": "",
> >      "get_members": "",
> >      "modify_member": "",
> >
> >      "manage_image_cache": "role:admin",
> >
> >      "get_task": "",
> >      "get_tasks": "",
> >      "add_task": "",
> >      "modify_task": "",
> >      "tasks_api_access": "role:admin",
> >
> >      "deactivate": "",
> >      "reactivate": "",
> >
> >      "get_metadef_namespace": "",
> >      "get_metadef_namespaces":"",
> >      "modify_metadef_namespace":"",
> >      "add_metadef_namespace":"",
> >
> >      "get_metadef_object":"",
> >      "get_metadef_objects":"",
> >      "modify_metadef_object":"",
> >      "add_metadef_object":"",
> >
> >      "list_metadef_resource_types":"",
> >      "get_metadef_resource_type":"",
> >      "add_metadef_resource_type_association":"",
> >
> >      "get_metadef_property":"",
> >      "get_metadef_properties":"",
> >      "modify_metadef_property":"",
> >      "add_metadef_property":"",
> >
> >      "get_metadef_tag":"",
> >      "get_metadef_tags":"",
> >      "modify_metadef_tag":"",
> >      "add_metadef_tag":"",
> >      "add_metadef_tags":""
> >
> > }
> >
> >
> > Mike Moore, M.S.S.E.
> >
> > Systems Engineer, Goddard Private Cloud
> > Michael.D.Moore at nasa.gov
> >
> > Hydrogen fusion brightens my day.
> >
> >
> > On 10/19/18, 12:39 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> > INTEGRA, INC.]" <michael.d.moore at nasa.gov> wrote:
> >
> >      Our NDC domain is LDAP backed. Default is not.
> >
> >      Our keystone policy.json file is empty {}
> >
> >
> >
> >      Mike Moore, M.S.S.E.
> >
> >      Systems Engineer, Goddard Private Cloud
> >      Michael.D.Moore at nasa.gov
> >
> >      Hydrogen fusion brightens my day.
> >
> >
> >      On 10/18/18, 7:24 PM, "Chris Apsey" <bitskrieg at bitskrieg.net>
> wrote:
> >
> >          We are using multiple keystone domains - still can't reproduce
> > this.
> >
> >          Do you happen to have a customized keystone policy.json?
> >
> >          Worst case, I would launch a devstack of your targeted
> > release.  If you
> >          can't reproduce the issue there, you would at least know its
> > caused by a
> >          nonstandard config rather than a bug (or at least not a bug
> > that's present
> >          when using a default config)
> >
> >          On October 18, 2018 18:50:12 iain MacDonnell
> > <iain.macdonnell at oracle.com>
> >          wrote:
> >
> >          > That all looks fine.
> >          >
> >          > I believe that the "default" policy applies in place of any
> > that's not
> >          > explicitly specified - i.e. "if there's no matching policy
> > below, you
> >          > need to have the admin role to be able to do it". I do have
> > that line in
> >          > my policy.json, and I cannot reproduce your problem (see
> below).
> >          >
> >          > I'm not using domains (other than "default"). I wonder if
> > that's a factor...
> >          >
> >          >     ~iain
> >          >
> >          >
> >          > $ openstack user create --password foo user1
> >          > +---------------------+----------------------------------+
> >          > | Field               | Value                            |
> >          > +---------------------+----------------------------------+
> >          > | domain_id           | default                          |
> >          > | enabled             | True                             |
> >          > | id                  | d18c0031ec56430499a2d690cb1f125c |
> >          > | name                | user1                            |
> >          > | options             | {}                               |
> >          > | password_expires_at | None                             |
> >          > +---------------------+----------------------------------+
> >          > $ openstack user create --password foo user2
> >          > +---------------------+----------------------------------+
> >          > | Field               | Value                            |
> >          > +---------------------+----------------------------------+
> >          > | domain_id           | default                          |
> >          > | enabled             | True                             |
> >          > | id                  | be9f1061a5104abd834eabe98dff055d |
> >          > | name                | user2                            |
> >          > | options             | {}                               |
> >          > | password_expires_at | None                             |
> >          > +---------------------+----------------------------------+
> >          > $ openstack project create project1
> >          > +-------------+----------------------------------+
> >          > | Field       | Value                            |
> >          > +-------------+----------------------------------+
> >          > | description |                                  |
> >          > | domain_id   | default                          |
> >          > | enabled     | True                             |
> >          > | id          | 826876d6d3724018bae6253c7f540cb3 |
> >          > | is_domain   | False                            |
> >          > | name        | project1                         |
> >          > | parent_id   | default                          |
> >          > | tags        | []                               |
> >          > +-------------+----------------------------------+
> >          > $ openstack project create project2
> >          > +-------------+----------------------------------+
> >          > | Field       | Value                            |
> >          > +-------------+----------------------------------+
> >          > | description |                                  |
> >          > | domain_id   | default                          |
> >          > | enabled     | True                             |
> >          > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
> >          > | is_domain   | False                            |
> >          > | name        | project2                         |
> >          > | parent_id   | default                          |
> >          > | tags        | []                               |
> >          > +-------------+----------------------------------+
> >          > $ openstack role add --user user1 --project project1 _member_
> >          > $ openstack role add --user user2 --project project2 _member_
> >          > $ export OS_PASSWORD=foo
> >          > $ export OS_USERNAME=user1
> >          > $ export OS_PROJECT_NAME=project1
> >          > $ openstack image list
> >          > +--------------------------------------+--------+--------+
> >          > | ID                                   | Name   | Status |
> >          > +--------------------------------------+--------+--------+
> >          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> >          > +--------------------------------------+--------+--------+
> >          > $ openstack image create --private image1
> >          >
> >
> +------------------+------------------------------------------------------------------------------+
> >          > | Field            | Value
> >          >                          |
> >          >
> >
> +------------------+------------------------------------------------------------------------------+
> >          > | checksum         | None
> >          >                          |
> >          > | container_format | bare
> >          >                          |
> >          > | created_at       | 2018-10-18T22:17:41Z
> >          >                          |
> >          > | disk_format      | raw
> >          >                          |
> >          > | file             |
> >          > /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file
> >          >     |
> >          > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> >          >                          |
> >          > | min_disk         | 0
> >          >                          |
> >          > | min_ram          | 0
> >          >                          |
> >          > | name             | image1
> >          >                          |
> >          > | owner            | 826876d6d3724018bae6253c7f540cb3
> >          >                          |
> >          > | properties       | locations='[]', os_hash_algo='None',
> >          > os_hash_value='None', os_hidden='False' |
> >          > | protected        | False
> >          >                          |
> >          > | schema           | /v2/schemas/image
> >          >                          |
> >          > | size             | None
> >          >                          |
> >          > | status           | queued
> >          >                          |
> >          > | tags             |
> >          >                          |
> >          > | updated_at       | 2018-10-18T22:17:41Z
> >          >                          |
> >          > | virtual_size     | None
> >          >                          |
> >          > | visibility       | private
> >          >                          |
> >          >
> >
> +------------------+------------------------------------------------------------------------------+
> >          > $ openstack image list
> >          > +--------------------------------------+--------+--------+
> >          > | ID                                   | Name   | Status |
> >          > +--------------------------------------+--------+--------+
> >          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> >          > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> >          > +--------------------------------------+--------+--------+
> >          > $ export OS_USERNAME=user2
> >          > $ export OS_PROJECT_NAME=project2
> >          > $ openstack image list
> >          > +--------------------------------------+--------+--------+
> >          > | ID                                   | Name   | Status |
> >          > +--------------------------------------+--------+--------+
> >          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> >          > +--------------------------------------+--------+--------+
> >          > $ export OS_USERNAME=admin
> >          > $ export OS_PROJECT_NAME=admin
> >          > $ export OS_PASSWORD=xxx
> >          > $ openstack image set --public
> > 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> >          > $ export OS_USERNAME=user2
> >          > $ export OS_PROJECT_NAME=project2
> >          > $ export OS_PASSWORD=foo
> >          > $ openstack image list
> >          > +--------------------------------------+--------+--------+
> >          > | ID                                   | Name   | Status |
> >          > +--------------------------------------+--------+--------+
> >          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> >          > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> >          > +--------------------------------------+--------+--------+
> >          > $
> >          >
> >          >
> >          > On 10/18/2018 03:32 PM, Moore, Michael Dane
> (GSFC-720.0)[BUSINESS
> >          > INTEGRA, INC.] wrote:
> >          >> openstack user create --domain default --password xxxxxxxx
> > --project-domain
> >          >> ndc --project test mike
> >          >>
> >          >>
> >          >> openstack role add --user mike --user-domain default
> > --project test user
> >          >>
> >          >> my admin account is in the NDC domain with a different
> username.
> >          >>
> >          >>
> >          >>
> >          >> /etc/glance/policy.json
> >          >> {
> >          >>
> >          >> "context_is_admin":  "role:admin",
> >          >> "default": "role:admin",
> >          >>
> >          >> <snip>
> >          >>
> >          >>
> >          >> I'm not terribly familiar with the policies but I feel like
> > that default
> >          >> line is making everyone an admin by default?
> >          >>
> >          >>
> >          >> Mike Moore, M.S.S.E.
> >          >>
> >          >> Systems Engineer, Goddard Private Cloud
> >          >> Michael.D.Moore at nasa.gov
> >          >>
> >          >> Hydrogen fusion brightens my day.
> >          >>
> >          >>
> >          >> On 10/18/18, 6:25 PM, "iain MacDonnell"
> > <iain.macdonnell at oracle.com> wrote:
> >          >>
> >          >>
> >          >> I suspect that your non-admin user is not really non-admin.
> > How did you
> >          >> create it?
> >          >>
> >          >> What you have for "context_is_admin" in glance's policy.json
> ?
> >          >>
> >          >>  ~iain
> >          >>
> >          >>
> >          >> On 10/18/2018 03:11 PM, Moore, Michael Dane
> > (GSFC-720.0)[BUSINESS
> >          >> INTEGRA, INC.] wrote:
> >          >>> I have replicated this unexpected behavior in a Pike test
> > environment, in
> >          >>> addition to our Queens environment.
> >          >>>
> >          >>>
> >          >>>
> >          >>> Mike Moore, M.S.S.E.
> >          >>>
> >          >>> Systems Engineer, Goddard Private Cloud
> >          >>> Michael.D.Moore at nasa.gov
> >          >>>
> >          >>> Hydrogen fusion brightens my day.
> >          >>>
> >          >>>
> >          >>> On 10/18/18, 2:30 PM, "Moore, Michael Dane
> > (GSFC-720.0)[BUSINESS INTEGRA,
> >          >>> INC.]" <michael.d.moore at nasa.gov> wrote:
> >          >>>
> >          >>>    Yes. I verified it by creating a non-admin user in a
> > different tenant. I
> >          >>>    created a new image, set to private with the project
> > defined as our admin
> >          >>>    tenant.
> >          >>>
> >          >>>    In the database I can see that the image is 'private'
> > and the owner is the
> >          >>>    ID of the admin tenant.
> >          >>>
> >          >>>    Mike Moore, M.S.S.E.
> >          >>>
> >          >>>    Systems Engineer, Goddard Private Cloud
> >          >>>    Michael.D.Moore at nasa.gov
> >          >>>
> >          >>>    Hydrogen fusion brightens my day.
> >          >>>
> >          >>>
> >          >>>    On 10/18/18, 1:07 AM, "iain MacDonnell"
> > <iain.macdonnell at oracle.com> wrote:
> >          >>>
> >          >>>
> >          >>>
> >          >>>        On 10/17/2018 12:29 PM, Moore, Michael Dane
> > (GSFC-720.0)[BUSINESS
> >          >>>        INTEGRA, INC.] wrote:
> >          >>>        > I’m seeing unexpected behavior in our Queens
> > environment related to
> >          >>>        > Glance image visibility. Specifically users who,
> > based on my
> >          >>>        > understanding of the visibility and ownership
> > fields, should NOT be able
> >          >>>        > to see or view the image.
> >          >>>        >
> >          >>>        > If I create a new image with openstack image
> > create and specify –project
> >          >>>        > <tenant> and –private a non-admin user in a
> > different tenant can see and
> >          >>>        > boot that image.
> >          >>>        >
> >          >>>        > That seems to be the opposite of what should
> > happen. Any ideas?
> >          >>>
> >          >>>        Yep, something's not right there.
> >          >>>
> >          >>>        Are you sure that the user that can see the image
> > doesn't have the admin
> >          >>>        role (for the project in its keystone token) ?
> >          >>>
> >          >>>        Did you verify that the image's owner is what you
> > intended, and that the
> >          >>>        visibility really is "private" ?
> >          >>>
> >          >>>             ~iain
> >          >>>
> >          >>>        _______________________________________________
> >          >>>        OpenStack-operators mailing list
> >          >>>        OpenStack-operators at lists.openstack.org
> >          >>>
> >
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
> >          >>>
> >          >>>
> >          >>>    _______________________________________________
> >          >>>    OpenStack-operators mailing list
> >          >>>    OpenStack-operators at lists.openstack.org
> >          >>>
> >
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
> >          >
> >          > _______________________________________________
> >          > OpenStack-operators mailing list
> >          > OpenStack-operators at lists.openstack.org
> >          >
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >
> >
> >
> >
> >
> >      _______________________________________________
> >      OpenStack-operators mailing list
> >      OpenStack-operators at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 14
> > Date: Fri, 19 Oct 2018 13:45:03 -0400
> > From: Jay Pipes <jaypipes at gmail.com>
> > To: openstack-operators at lists.openstack.org
> > Subject: Re: [Openstack-operators] Fleio - OpenStack billing - ver.
> >          1.1 released
> > Message-ID: <b3f680a3-71ef-5c55-6dea-d71c9d973640 at gmail.com>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> >
> > Please do not use these mailing lists to advertise
> > closed-source/proprietary software solutions.
> >
> > Thank you,
> > -jay
> >
> > On 10/19/2018 05:42 AM, Adrian Andreias wrote:
> >> Hello,
> >>
> >> We've just released Fleio version 1.1.
> >>
> >> Fleio is a billing solution and control panel for OpenStack public
> >> clouds and traditional web hosters.
> >>
> >> Fleio software automates the entire process for cloud users. New
> >> customers can use Fleio to sign up for an account, pay invoices, add
> >> credit to their account, as well as create and manage cloud resources
> >> such as virtual machines, storage and networking.
> >>
> >> Full feature list:
> >> https://fleio.com#features
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fleio.com-23features&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=BrOjwRrcQVfBauwf8lZ439skCFkW1CmcZ4NNdTkQDGg&e=
> >
> >>
> >> You can see an online demo:
> >> https://fleio.com/demo
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fleio.com_demo&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=3Zute5FDzopFoMvqplhIEh9_6wmKOczoeYx4F2Ulni0&e=
> >
> >>
> >> And sign-up for a free trial:
> >> https://fleio.com/signup
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fleio.com_signup&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=1z9sWcZjZ3HsDnbaK7jH0_WcAJ_ZNSP7fw6hORW00v0&e=
> >
> >>
> >>
> >>
> >> Cheers!
> >>
> >> - Adrian Andreias
> >> https://fleio.com
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fleio.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=6dlGzWvUN7KbdNbPt3xeMM7tBqWDCXRb0hSyshGhYJM&e=
> >
> >>
> >>
> >>
> >> _______________________________________________
> >> OpenStack-operators mailing list
> >> OpenStack-operators at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >>
> >
> >
> >
> > ------------------------------
> >
> > Message: 15
> > Date: Fri, 19 Oct 2018 20:13:40 +0200
> > From: Mohammed Naser <mnaser at vexxhost.com>
> > To: jaypipes at gmail.com
> > Cc: openstack-operators <openstack-operators at lists.openstack.org>
> > Subject: Re: [Openstack-operators] Fleio - OpenStack billing - ver.
> >          1.1     released
> > Message-ID:
> >
> > <CAEs876gDHPFjgxnD+HHKyP782u2XX0attJq9dYiYFDibc6DTZQ at mail.gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > On Fri, Oct 19, 2018 at 7:45 PM Jay Pipes <jaypipes at gmail.com> wrote:
> >>
> >> Please do not use these mailing lists to advertise
> >> closed-source/proprietary software solutions.
> >
> > +1
> >
> >> Thank you,
> >> -jay
> >>
> >> On 10/19/2018 05:42 AM, Adrian Andreias wrote:
> >> > Hello,
> >> >
> >> > We've just released Fleio version 1.1.
> >> >
> >> > Fleio is a billing solution and control panel for OpenStack public
> >> > clouds and traditional web hosters.
> >> >
> >> > Fleio software automates the entire process for cloud users. New
> >> > customers can use Fleio to sign up for an account, pay invoices, add
> >> > credit to their account, as well as create and manage cloud resources
> >> > such as virtual machines, storage and networking.
> >> >
> >> > Full feature list:
> >> > https://fleio.com#features
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fleio.com-23features&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=BrOjwRrcQVfBauwf8lZ439skCFkW1CmcZ4NNdTkQDGg&e=
> >
> >> >
> >> > You can see an online demo:
> >> > https://fleio.com/demo
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fleio.com_demo&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=3Zute5FDzopFoMvqplhIEh9_6wmKOczoeYx4F2Ulni0&e=
> >
> >> >
> >> > And sign-up for a free trial:
> >> > https://fleio.com/signup
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fleio.com_signup&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=1z9sWcZjZ3HsDnbaK7jH0_WcAJ_ZNSP7fw6hORW00v0&e=
> >
> >> >
> >> >
> >> >
> >> > Cheers!
> >> >
> >> > - Adrian Andreias
> >> > https://fleio.com
> > <
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fleio.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=6dlGzWvUN7KbdNbPt3xeMM7tBqWDCXRb0hSyshGhYJM&e=
> >
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > OpenStack-operators mailing list
> >> > OpenStack-operators at lists.openstack.org
> >> >
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >> >
> >>
> >> _______________________________________________
> >> OpenStack-operators mailing list
> >> OpenStack-operators at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >
> >
> >
> > --
> > Mohammed Naser — vexxhost
> > -----------------------------------------------------
> > D. 514-316-8872
> > D. 800-910-1726 ext. 200
> > E. mnaser at vexxhost.com
> > W. http://vexxhost.com
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__vexxhost.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=bq9EPen7RattOa34V0HaOLcBDca21nN47DlkgOKUYMM&e=
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 16
> > Date: Fri, 19 Oct 2018 14:39:29 -0400
> > From: Erik McCormick <emccormick at cirrusseven.com>
> > To: openstack-operators <openstack-operators at lists.openstack.org>
> > Subject: [Openstack-operators] [Octavia] SSL errors polling amphorae
> >          and     missing tenant network interface
> > Message-ID:
> >
> > <CAHUi5cNByYFRr4vHY9iAEhAFc=MhdjhBWHNArCQG0D-w-Z2gFg at mail.gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > I've been wrestling with getting Octavia up and running and have
> > become stuck on two issues. I'm hoping someone has run into these
> > before. My google foo has come up empty.
> >
> > Issue 1:
> > When the Octavia controller tries to poll the amphora instance, it
> > tries repeatedly and eventually fails. The error on the controller
> > side is:
> >
> > 2018-10-19 14:17:39.181 26 ERROR
> > octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection
> > retries (currently set to 300) exhausted.  The amphora is unavailable.
> > Reason: HTTPSConnectionPool(host='10.7.0.112', port=9443): Max retries
> > exceeded with url: /0.5/plug/vip/10.250.20.15 (Caused by
> > SSLError(SSLError("bad handshake: Error([('rsa routines',
> > 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
> > 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
> > routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
> > 'tls_process_server_certificate', 'certificate verify
> > failed')],)",),)): SSLError: HTTPSConnectionPool(host='10.7.0.112',
> > port=9443): Max retries exceeded with url: /0.5/plug/vip/10.250.20.15
> > (Caused by SSLError(SSLError("bad handshake: Error([('rsa routines',
> > 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
> > 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
> > routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
> > 'tls_process_server_certificate', 'certificate verify
> > failed')],)",),))
> >
> > On the amphora side I see:
> > [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Error processing SSL request.
> > [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Invalid request from
> > ip=::ffff:10.7.0.40: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake
> > failure (_ssl.c:1754)
> >
> > I've generated certificates both with the script in the Octavia git
> > repo, and with the Openstack Ansible playbook. I can see that they are
> > present in /etc/octavia/certs.
> >
> > I'm using the Kolla (Queens) containers for the control plane so I'm
> > sure I've satisfied all the python library constraints.
> >
> > Issue 2:
> > I"m not sure how it gets configured, but the tenant network interface
> > (ens6) never comes up. I can spawn other instances on that network
> > with no issue, and I can see that Neutron has the port attached to the
> > instance. However, in the instance this is all I get:
> >
> > ubuntu at amphora-33e0aab3-8bc4-4fcb-bc42-b9b36afb16d4:~$ ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> > group default qlen 1
> >      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >      inet 127.0.0.1/8 scope host lo
> >         valid_lft forever preferred_lft forever
> >      inet6 ::1/128 scope host
> >         valid_lft forever preferred_lft forever
> > 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast
> > state UP group default qlen 1000
> >      link/ether fa:16:3e:30:c4:60 brd ff:ff:ff:ff:ff:ff
> >      inet 10.7.0.112/16 brd 10.7.255.255 scope global ens3
> >         valid_lft forever preferred_lft forever
> >      inet6 fe80::f816:3eff:fe30:c460/64 scope link
> >         valid_lft forever preferred_lft forever
> > 3: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
> > default qlen 1000
> >      link/ether fa:16:3e:89:a2:7f brd ff:ff:ff:ff:ff:ff
> >
> > There's no evidence of the interface anywhere else including udev rules.
> >
> > Any help with either or both issues would be greatly appreciated.
> >
> > Cheers,
> > Erik
> >
> >
> >
> > ------------------------------
> >
> > Message: 17
> > Date: Sat, 20 Oct 2018 01:47:42 +0200
> > From: Gaël THEROND <gael.therond at gmail.com>
> > To: Erik McCormick <emccormick at cirrusseven.com>
> > Cc: openstack-operators <openstack-operators at lists.openstack.org>
> > Subject: Re: [Openstack-operators] [Octavia] SSL errors polling
> >          amphorae and missing tenant network interface
> > Message-ID:
> >
> > <CAG+53ua-Hcjjq=_00rUZNsATmWq7g_8uZbMXAB_9VghtR_ByZA at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi eric!
> >
> > Glad I’m not the only one having this issue with the ssl communication
> > between the amphora and the CP.
> >
> > Even if I don’t yet get a clear answer regarding that issue, I think your
> > second issue is not an issue as the interface is mounted on a namespace
> and
> > so you’ll need to list all nic even those from namespace.
> >
> > Use an ip netns ls to get the namespace.
> >
> > Hope it will help.
> >
> > Le ven. 19 oct. 2018 à 20:40, Erik McCormick <emccormick at cirrusseven.com>
> a
> > écrit :
> >
> >> I've been wrestling with getting Octavia up and running and have
> >> become stuck on two issues. I'm hoping someone has run into these
> >> before. My google foo has come up empty.
> >>
> >> Issue 1:
> >> When the Octavia controller tries to poll the amphora instance, it
> >> tries repeatedly and eventually fails. The error on the controller
> >> side is:
> >>
> >> 2018-10-19 14:17:39.181 26 ERROR
> >> octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection
> >> retries (currently set to 300) exhausted.  The amphora is unavailable.
> >> Reason: HTTPSConnectionPool(host='10.7.0.112', port=9443): Max retries
> >> exceeded with url: /0.5/plug/vip/10.250.20.15 (Caused by
> >> SSLError(SSLError("bad handshake: Error([('rsa routines',
> >> 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
> >> 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
> >> routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
> >> 'tls_process_server_certificate', 'certificate verify
> >> failed')],)",),)): SSLError: HTTPSConnectionPool(host='10.7.0.112',
> >> port=9443): Max retries exceeded with url: /0.5/plug/vip/10.250.20.15
> >> (Caused by SSLError(SSLError("bad handshake: Error([('rsa routines',
> >> 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
> >> 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
> >> routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
> >> 'tls_process_server_certificate', 'certificate verify
> >> failed')],)",),))
> >>
> >> On the amphora side I see:
> >> [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Error processing SSL request.
> >> [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Invalid request from
> >> ip=::ffff:10.7.0.40: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake
> >> failure (_ssl.c:1754)
> >>
> >> I've generated certificates both with the script in the Octavia git
> >> repo, and with the Openstack Ansible playbook. I can see that they are
> >> present in /etc/octavia/certs.
> >>
> >> I'm using the Kolla (Queens) containers for the control plane so I'm
> >> sure I've satisfied all the python library constraints.
> >>
> >> Issue 2:
> >> I"m not sure how it gets configured, but the tenant network interface
> >> (ens6) never comes up. I can spawn other instances on that network
> >> with no issue, and I can see that Neutron has the port attached to the
> >> instance. However, in the instance this is all I get:
> >>
> >> ubuntu at amphora-33e0aab3-8bc4-4fcb-bc42-b9b36afb16d4:~$ ip a
> >> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> >> group default qlen 1
> >>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >>     inet 127.0.0.1/8 scope host lo
> >>        valid_lft forever preferred_lft forever
> >>     inet6 ::1/128 scope host
> >>        valid_lft forever preferred_lft forever
> >> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast
> >> state UP group default qlen 1000
> >>     link/ether fa:16:3e:30:c4:60 brd ff:ff:ff:ff:ff:ff
> >>     inet 10.7.0.112/16 brd 10.7.255.255 scope global ens3
> >>        valid_lft forever preferred_lft forever
> >>     inet6 fe80::f816:3eff:fe30:c460/64 scope link
> >>        valid_lft forever preferred_lft forever
> >> 3: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
> >> default qlen 1000
> >>     link/ether fa:16:3e:89:a2:7f brd ff:ff:ff:ff:ff:ff
> >>
> >> There's no evidence of the interface anywhere else including udev rules.
> >>
> >> Any help with either or both issues would be greatly appreciated.
> >>
> >> Cheers,
> >> Erik
> >>
> >> _______________________________________________
> >> OpenStack-operators mailing list
> >> OpenStack-operators at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >>
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL:
> > <
> http://lists.openstack.org/pipermail/openstack-operators/attachments/20181020/71c8e27a/attachment.html
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_pipermail_openstack-2Doperators_attachments_20181020_71c8e27a_attachment.html&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=TZjVFI4W3tEBE7QxcsUIhZ92OpBCz-jlpvaQ856vmEw&e=
> >>
> >
> > ------------------------------
> >
> > Subject: Digest Footer
> >
> > _______________________________________________
> > OpenStack-operators mailing list
> > OpenStack-operators at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > <
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
> >
> >
> > ------------------------------
> >
> > End of OpenStack-operators Digest, Vol 96, Issue 7
> > **************************************************
> >
> >
> >
> > _______________________________________________
> > OpenStack-operators mailing list
> > OpenStack-operators at lists.openstack.org
> >
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=
> >
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20181024/737b1e57/attachment-0001.html>


More information about the OpenStack-operators mailing list