[Openstack] Private images are not displayed in Horizon

Hancock, Tom (HP Cloud Services) Tom.Hancock at hp.com
Tue Jan 21 09:39:38 UTC 2014


We fell over something like this previously. Upon investigation it turned out to
be due to not setting a 'context_is_admin' rule in /etc/glance/policy.json.
Check change id Ide2cf604b48f24bd759ce2d65091ff546cd9d22e
for why this is now necessary in Havana.

I hope this helps,
Tom

---

Tomas Hancock, HP Converged Cloud, Hewlett Packard, Galway. Ireland +353-91-754765

Postal Address   : Hewlett Packard Galway Limited, European Software Centre, Ballybrit Business Park, Galway, Ireland
Registered Office: Hewlett Packard Galway Limited, 63-74 Sir John Rogerson's Quay, Dublin 2 Registered Number: 361933

The contents of this message and any attachments to it are confidential and may be legally privileged. If you have received this message in error you should delete it from your system immediately and advise the sender. To any recipient of this message within HP, unless otherwise stated, you should consider this message and attachments as "HP CONFIDENTIAL".

From: Joe Topjian [mailto:joe at topjian.net]
Sent: 21 January 2014 07:11
To: Scott Devoid
Cc: openstack at lists.openstack.org Openstack
Subject: Re: [Openstack] Private images are not displayed in Horizon

I agree that this is a big deal. I also agree that I don't want to deploy Havana until this is resolved.

Worst case scenario: User 1 creates an instance that contains sensitive information then creates a snapshot for backup purposes. User 2 sees User 1's snapshot and launches it.

Can any of the Glance devs chime in on this? Can you confirm reproduction of the issue we have described and explain what's going on here?

On Tue, Jan 21, 2014 at 12:04 AM, Scott Devoid <devoid at anl.gov<mailto:devoid at anl.gov>> wrote:
Yup, this is a big deal for us. I can't realistically deploy Havana to my users until this is resolved.

Note that my bug reports also cover a number of other undesirable behaviors on the part of glance(-client).

- No checking of the "owner" field against keystone.
- Listing images does not query for "owner" tenant or username field at the SQL level.
- By default images are not given an "owner" with "glance image-create".

Presumably there is something wrong with my configuration, but I've followed the Ubuntu installation guide. [1]

Any help would be appreciated. Otherwise I'll probably disable public access to glance. :(

~ Scott

[1] http://docs.openstack.org/havana/install-guide/install/apt/content/

On Mon, Jan 20, 2014 at 1:22 PM, Joe Topjian <joe at topjian.net<mailto:joe at topjian.net>> wrote:
I'm running into a similar issue.

In a fresh Ubuntu 12.04 Havana environment, do the following, either as an admin user or regular user:

glance image-create --name "CirrOS 1" --disk-format qcow2 --container-format bare --is-public true < cirros-0.3.1-x86_64-disk.img
glance image-list
glance image-create --name "CirrOS 2" --disk-format qcow2 --container-format bare --is-public false < cirros-0.3.1-x86_64-disk.img
glance image-list

Prior to Havana, the second image-list would display two images: CirrOS 1 and CirrOS 2. Now only the public image is being displayed.

Additionally, Horizon is only showing one image under Public and no images under "Project".

Someone opened a bug report about this here (https://bugs.launchpad.net/glance/+bug/1245865) but it was closed. I think it should be re-opened.

This next part probably isn't very good:

glance image-list --is-public=False

This will display CirrOS 2. But switch to another user in another tenant and run the command again. CirrOS 2 is still shown. Create a third user in a third tenant, upload CirrOS 3 as private, switch back to user 2, and run the command again. Both private images are shown.

This is the behavior that Scott is describing in this bug report:

https://bugs.launchpad.net/glance/+bug/1258342

So either this is a serious bug in Glance or the way to store and hide images in Glance has changed -- but I have found no documentation supporting that.

Joe

On Mon, Jan 20, 2014 at 4:46 PM, Narayanan, Krishnaprasad <narayana at uni-mainz.de<mailto:narayana at uni-mainz.de>> wrote:
Hallo all,

Thanks for your response about the problem "Private images aren't displayed in Horizon".

Can I know does this bug exist and if not, can I know the procedure for raising it as a bug?

Best regards,
Krishnaprasad

-----Original Message-----
From: Jay Pipes [mailto:jaypipes at gmail.com<mailto:jaypipes at gmail.com>]
Sent: Donnerstag, 16. Januar 2014 16:30
To: Narayanan, Krishnaprasad
Cc: Li Ma; openstack at lists.openstack.org<mailto:openstack at lists.openstack.org>
Subject: Re: [Openstack] Private images are not displayed in Horizon

On Thu, 2014-01-16 at 13:59 +0000, Narayanan, Krishnaprasad wrote:
> Hi,
>
> The problem that I am facing is as the user who uploaded the image, I am unable to see it in the users account.

If this is indeed the case, then that is a bug.

However... make really sure that you are indeed logged in as the tenant that added the image. If you are using something like nova image-list to see your images, ensure that you are not using a cached tenant token by issuing the nova image-list commands with the --no-cache CLI option.

To set the image as a public image, as an admin, issue the following command with the glance CLI tool:

glance image-update --is-public=True <IMAGE_UUID>

Best,
-jay

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org<mailto:openstack at lists.openstack.org>
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org<mailto:openstack at lists.openstack.org>
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140121/d0b0e819/attachment.html>


More information about the Openstack mailing list