I suspect that your non-admin user is not really non-admin. How did you create it?

What do you have for "context_is_admin" in glance's policy.json?

    ~iain


On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote:
I have replicated this unexpected behavior in a Pike test environment, in 
addition to our Queens environment.



Mike Moore, M.S.S.E.
Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov
Hydrogen fusion brightens my day.

On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <michael.d.mo...@nasa.gov> wrote:

     Yes. I verified it by creating a non-admin user in a different tenant. I
     created a new image, set to private with the project defined as our admin
     tenant.

     In the database I can see that the image is 'private' and the owner is the
     ID of the admin tenant.

     Mike Moore, M.S.S.E.
     Systems Engineer, Goddard Private Cloud
     michael.d.mo...@nasa.gov
     Hydrogen fusion brightens my day.

     On 10/18/18, 1:07 AM, "iain MacDonnell" <iain.macdonn...@oracle.com> wrote:

         On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
         INTEGRA, INC.] wrote:
         > I’m seeing unexpected behavior in our Queens environment related to
         > Glance image visibility. Specifically users who, based on my
         > understanding of the visibility and ownership fields, should NOT be able
         > to see or view the image.
         >
         > If I create a new image with openstack image create and specify --project
         > <tenant> and --private a non-admin user in a different tenant can see and
         > boot that image.
         >
         > That seems to be the opposite of what should happen. Any ideas?

         Yep, something's not right there.

         Are you sure that the user that can see the image doesn't have the admin
         role (for the project in its keystone token) ?

         Did you verify that the image's owner is what you intended, and that the
         visibility really is "private" ?

         ~iain

         _______________________________________________
         OpenStack-operators mailing list
         OpenStack-operators@lists.openstack.org
         
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
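
The two checks raised in this thread (which roles the user's keystone token carries, and what glance's policy.json has for "context_is_admin") can be combined offline. The following is an added example, not code from the thread or from OpenStack: it evaluates a subset of the oslo.policy rule syntax against a role list. The function names, sample policies and sample roles are constructed for illustration.

```python
import json

def is_admin(policy, roles, rule="context_is_admin", _seen=()):
    """Evaluate one policy.json rule against the roles in a keystone token.

    Handles a subset of the oslo.policy rule syntax: role:<name>, rule:<name>,
    "@" and "" (always true), "!" (always false), and not/and/or without
    parentheses. Anything else raises ValueError (a choice of this example).
    """
    if rule in _seen or rule not in policy:
        raise ValueError(f"cyclic or undefined rule: {rule!r}")
    have = {r.lower() for r in roles}  # role checks are case-insensitive

    def atom(tok):
        tok = tok.strip()
        if tok.startswith("not "):
            return not atom(tok[4:])
        if tok in ("", "@"):
            return True
        if tok == "!":
            return False
        kind, _, value = tok.partition(":")
        if kind == "role":
            return value.lower() in have
        if kind == "rule":
            return is_admin(policy, roles, value, _seen + (rule,))
        raise ValueError(f"unsupported check: {tok!r}")

    # "or" binds loosest, then "and", then "not".
    return any(all(atom(a) for a in term.split(" and "))
               for term in policy[rule].split(" or "))

# Constructed policy.json contents, not taken from the thread.
SAMPLE_POLICIES = {
    "role:admin": '{"context_is_admin": "role:admin"}',
    "empty rule": '{"context_is_admin": ""}',
    "widened": '{"admin_or_member": "role:admin or role:_member_",'
               ' "context_is_admin": "rule:admin_or_member"}',
}
SAMPLE_ROLES = ["_member_"]  # constructed: roles from the user's token

def audit(roles=SAMPLE_ROLES):
    return {name: is_admin(json.loads(text), roles)
            for name, text in SAMPLE_POLICIES.items()}

if __name__ == "__main__":
    for name, admin in audit().items():
        print(f"{name:12} -> treated as admin: {admin}")
```

With the constructed `_member_` token, only the `role:admin` policy leaves the user non-admin; the empty rule and the widened rule both put the user in an admin context, where image ownership and visibility no longer restrict what they see.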