[Openstack] Private images are not displayed in Horizon

Joe Topjian joe at topjian.net
Tue Jan 21 10:10:11 UTC 2014


Hi Tom,

Thanks for the note. The contents of my policy.json file were already the
same as what the commit suggests:

https://review.openstack.org/#/c/28048/3/etc/policy.json

It looks like the default policy.json file that comes with the Ubuntu
Havana Glance package does not need modified. Upgrading to Havana might
require that line to be added, though, and the Havana release notes
correctly reflect that.

However, given all of that, this does not seem to resolve the issue.

Are there other policy modifications that need made? Or any other role
modifications in general?

Thanks,
Joe


On Tue, Jan 21, 2014 at 10:39 AM, Hancock, Tom (HP Cloud Services) <
Tom.Hancock at hp.com> wrote:

>  We fell over something like this previously. Upon investigation it
> turned out to
>
> be due to not setting a ‘context_is_admin’ rule in /etc/glance/policy.json.
>
> Check change id Ide2cf604b48f24bd759ce2d65091ff546cd9d22e
>
> for why this is now necessary in Havana.
>
>
>
> I hope this helps,
>
> Tom
>
>
>
> ---
>
> Tomas Hancock, HP Converged Cloud, Hewlett Packard, Galway. Ireland
> +353-91-754765
>
> Postal Address   : Hewlett Packard Galway Limited, European Software
> Centre, Ballybrit Business Park, Galway, Ireland
> Registered Office: Hewlett Packard Galway Limited, 63-74 Sir John
> Rogerson's Quay, Dublin 2 Registered Number: 361933
>
> The contents of this message and any attachments to it are confidential
> and may be legally privileged. If you have received this message in error
> you should delete it from your system immediately and advise the sender. To
> any recipient of this message within HP, unless otherwise stated, you
> should consider this message and attachments as "HP CONFIDENTIAL".
>
>
>
> *From:* Joe Topjian [mailto:joe at topjian.net]
> *Sent:* 21 January 2014 07:11
> *To:* Scott Devoid
> *Cc:* openstack at lists.openstack.org Openstack
>
> *Subject:* Re: [Openstack] Private images are not displayed in Horizon
>
>
>
> I agree that this is a big deal. I also agree that I don't want to deploy
> Havana until this is resolved.
>
>
>
> Worst case scenario: User 1 creates an instance that contains sensitive
> information then creates a snapshot for backup purposes. User 2 sees User
> 1's snapshot and launches it.
>
>
>
> Can any of the Glance devs chime in on this? Can you confirm reproduction
> of the issue we have described and explain what's going on here?
>
>
>
> On Tue, Jan 21, 2014 at 12:04 AM, Scott Devoid <devoid at anl.gov> wrote:
>
> Yup, this is a big deal for us. I can't realistically deploy Havana to my
> users until this is resolved.
>
>
>
> Note that my bug reports also cover a number of other undesirable
> behaviors on the part of glance(-client).
>
>
>
> - No checking of the "owner" field against keystone.
>
> - Listing images does not query for "owner" tenant or username field at
> the SQL level.
>
> - By default images are not given an "owner" with "glance image-create".
>
>
>
> Presumably there is something wrong with my configuration, but I've
> followed the Ubuntu installation guide. [1]
>
>
>
> Any help would be appreciated. Otherwise I'll probably disable public
> access to glance. :(
>
>
>
> ~ Scott
>
>
>
> [1] http://docs.openstack.org/havana/install-guide/install/apt/content/
>
>
>
> On Mon, Jan 20, 2014 at 1:22 PM, Joe Topjian <joe at topjian.net> wrote:
>
> I'm running into a similar issue.
>
>
>
> In a fresh Ubuntu 12.04 Havana environment, do the following, either as an
> admin user or regular user:
>
>
>
> glance image-create --name "CirrOS 1" --disk-format qcow2
> --container-format bare --is-public true < cirros-0.3.1-x86_64-disk.img
>
> glance image-list
>
> glance image-create --name "CirrOS 2" --disk-format qcow2
> --container-format bare --is-public false < cirros-0.3.1-x86_64-disk.img
>
> glance image-list
>
>
>
> Prior to Havana, the second image-list would display two images: CirrOS 1
> and CirrOS 2. Now only the public image is being displayed.
>
>
>
> Additionally, Horizon is only showing one image under Public and no images
> under "Project".
>
>
>
> Someone opened a bug report about this here (
> https://bugs.launchpad.net/glance/+bug/1245865) but it was closed. I
> think it should be re-opened.
>
>
>
> This next part probably isn't very good:
>
>
>
> glance image-list --is-public=False
>
>
>
> This will display CirrOS 2. But switch to another user in another tenant
> and run the command again. CirrOS 2 is still shown. Create a third user in
> a third tenant, upload CirrOS 3 as private, switch back to user 2, and run
> the command again. Both private images are shown.
>
>
>
> This is the behavior that Scott is describing in this bug report:
>
>
>
> https://bugs.launchpad.net/glance/+bug/1258342
>
>
>
> So either this is a serious bug in Glance or the way to store and hide
> images in Glance has changed -- but I have found no documentation
> supporting that.
>
>
>
> Joe
>
>
>
> On Mon, Jan 20, 2014 at 4:46 PM, Narayanan, Krishnaprasad <
> narayana at uni-mainz.de> wrote:
>
> Hallo all,
>
> Thanks for your response about the problem "Private images aren't
> displayed in Horizon".
>
> Can I know does this bug exist and if not, can I know the procedure for
> raising it as a bug?
>
> Best regards,
> Krishnaprasad
>
> -----Original Message-----
> From: Jay Pipes [mailto:jaypipes at gmail.com]
> Sent: Donnerstag, 16. Januar 2014 16:30
> To: Narayanan, Krishnaprasad
> Cc: Li Ma; openstack at lists.openstack.org
> Subject: Re: [Openstack] Private images are not displayed in Horizon
>
> On Thu, 2014-01-16 at 13:59 +0000, Narayanan, Krishnaprasad wrote:
> > Hi,
> >
> > The problem that I am facing is as the user who uploaded the image, I am
> unable to see it in the users account.
>
> If this is indeed the case, then that is a bug.
>
> However... make really sure that you are indeed logged in as the tenant
> that added the image. If you are using something like nova image-list to
> see your images, ensure that you are not using a cached tenant token by
> issuing the nova image-list commands with the --no-cache CLI option.
>
> To set the image as a public image, as an admin, issue the following
> command with the glance CLI tool:
>
> glance image-update --is-public=True <IMAGE_UUID>
>
> Best,
> -jay
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140121/9570e64f/attachment.html>


More information about the Openstack mailing list