[Openstack] Private images are not displayed in Horizon

Joe Topjian joe at topjian.net
Tue Jan 21 07:10:32 UTC 2014


I agree that this is a big deal. I also agree that I don't want to deploy
Havana until this is resolved.

Worst case scenario: User 1 creates an instance that contains sensitive
information then creates a snapshot for backup purposes. User 2 sees User
1's snapshot and launches it.

Can any of the Glance devs chime in on this? Can you confirm reproduction
of the issue we have described and explain what's going on here?


On Tue, Jan 21, 2014 at 12:04 AM, Scott Devoid <devoid at anl.gov> wrote:

> Yup, this is a big deal for us. I can't realistically deploy Havana to my
> users until this is resolved.
>
> Note that my bug reports also cover a number of other undesirable
> behaviors on the part of glance(-client).
>
> - No checking of the "owner" field against keystone.
> - Listing images does not query for "owner" tenant or username field at
> the SQL level.
> - By default images are not given an "owner" with "glance image-create".
>
> Presumably there is something wrong with my configuration, but I've
> followed the Ubuntu installation guide. [1]
>
> Any help would be appreciated. Otherwise I'll probably disable public
> access to glance. :(
>
> ~ Scott
>
> [1] http://docs.openstack.org/havana/install-guide/install/apt/content/
>
>
> On Mon, Jan 20, 2014 at 1:22 PM, Joe Topjian <joe at topjian.net> wrote:
>
>> I'm running into a similar issue.
>>
>> In a fresh Ubuntu 12.04 Havana environment, do the following, either as
>> an admin user or regular user:
>>
>> glance image-create --name "CirrOS 1" --disk-format qcow2
>> --container-format bare --is-public true < cirros-0.3.1-x86_64-disk.img
>> glance image-list
>> glance image-create --name "CirrOS 2" --disk-format qcow2
>> --container-format bare --is-public false < cirros-0.3.1-x86_64-disk.img
>> glance image-list
>>
>> Prior to Havana, the second image-list would display two images: CirrOS 1
>> and CirrOS 2. Now only the public image is being displayed.
>>
>> Additionally, Horizon is only showing one image under Public and no
>> images under "Project".
>>
>> Someone opened a bug report about this here (
>> https://bugs.launchpad.net/glance/+bug/1245865) but it was closed. I
>> think it should be re-opened.
>>
>> This next part probably isn't very good:
>>
>> glance image-list --is-public=False
>>
>> This will display CirrOS 2. But switch to another user in another tenant
>> and run the command again. CirrOS 2 is still shown. Create a third user in
>> a third tenant, upload CirrOS 3 as private, switch back to user 2, and run
>> the command again. Both private images are shown.
>>
>> This is the behavior that Scott is describing in this bug report:
>>
>> https://bugs.launchpad.net/glance/+bug/1258342
>>
>> So either this is a serious bug in Glance or the way to store and hide
>> images in Glance has changed -- but I have found no documentation
>> supporting that.
>>
>> Joe
>>
>>
>> On Mon, Jan 20, 2014 at 4:46 PM, Narayanan, Krishnaprasad <
>> narayana at uni-mainz.de> wrote:
>>
>>> Hallo all,
>>>
>>> Thanks for your response about the problem "Private images aren't
>>> displayed in Horizon".
>>>
>>> Can I know does this bug exist and if not, can I know the procedure for
>>> raising it as a bug?
>>>
>>> Best regards,
>>> Krishnaprasad
>>>
>>> -----Original Message-----
>>> From: Jay Pipes [mailto:jaypipes at gmail.com]
>>> Sent: Donnerstag, 16. Januar 2014 16:30
>>> To: Narayanan, Krishnaprasad
>>> Cc: Li Ma; openstack at lists.openstack.org
>>> Subject: Re: [Openstack] Private images are not displayed in Horizon
>>>
>>> On Thu, 2014-01-16 at 13:59 +0000, Narayanan, Krishnaprasad wrote:
>>> > Hi,
>>> >
>>> > The problem that I am facing is as the user who uploaded the image, I
>>> am unable to see it in the users account.
>>>
>>> If this is indeed the case, then that is a bug.
>>>
>>> However... make really sure that you are indeed logged in as the tenant
>>> that added the image. If you are using something like nova image-list to
>>> see your images, ensure that you are not using a cached tenant token by
>>> issuing the nova image-list commands with the --no-cache CLI option.
>>>
>>> To set the image as a public image, as an admin, issue the following
>>> command with the glance CLI tool:
>>>
>>> glance image-update --is-public=True <IMAGE_UUID>
>>>
>>> Best,
>>> -jay
>>>
>>> _______________________________________________
>>> Mailing list:
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to     : openstack at lists.openstack.org
>>> Unsubscribe :
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>
>>
>>
>> _______________________________________________
>> Mailing list:
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe :
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140121/469e938c/attachment.html>


More information about the Openstack mailing list