Re: [Openstack-operators] [SOLVED] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

2018-10-26 Thread Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]
TL;DR: glance config doesn’t honor documented default setting for 
paste_deploy.flavor. Solution is to add setting to glance-api.conf. Patch to be 
submitted.

After the deep debugging yesterday, Jonathan did a deep compare of our Mitaka 
configuration against Queens.

He noted that this section was missing in our Queens glance-api.conf (our 
config files are sparse and only specify values if the defaults are not correct 
for us).


[paste_deploy]
flavor = keystone

Adding that allowed Jonathan to set an image to public (publicize_image). It 
also made openstack image list (get_images) behave as expected.

[root@vm013 common]# . /root/keystonerc_jonathan
[root@vm013 common]# openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| 34a915b8-cca6-45c3-9348-5e15dace444f | cirros | active |
+--------------------------------------+--------+--------+


The Glance Queens configuration guide for glance_api states that the default 
paste_deploy.flavor setting is ‘keystone’.

Refer to https://docs.openstack.org/glance/queens/configuration/glance_api.html

It’s readily apparent that without the setting in glance-api.conf it does 
not behave properly, which suggests it does not actually set keystone as the 
default.

Glance common/config.py does not specify a default value for this setting, but 
it does specify a sample_default.

https://github.com/openstack/glance/blob/master/glance/common/config.py

lines 31-52

paste_deploy_opts = [
    cfg.StrOpt('flavor',
               sample_default='keystone',
               help=_("""
Deployment flavor to use in the server application pipeline.

Provide a string value representing the appropriate deployment
flavor used in the server application pipeline. This is typically
the partial name of a pipeline in the paste configuration file with
the service name removed.

For example, if your paste section name in the paste configuration
file is [pipeline:glance-api-keystone], set ``flavor`` to
``keystone``.

Possible values:
    * String value representing a partial pipeline name.

Related Options:
    * config_file

""")),


Modifying the code like so:

               sample_default='keystone',
               default='keystone',
               help=_("""

Makes it honor the documented default value.

I’ve submitted this as a patch on the bug report and a pull request on github.

https://github.com/openstack/glance/pull/9



Mike Moore, M.S.S.E.

Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov

Hydrogen fusion brightens my day.


From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
Date: Thursday, October 25, 2018 at 6:48 PM
To: Jonathan Mills, "iain.macdonn...@oracle.com"
Cc: "openstack-oper.", "Thompson, John H. (GSFC-606.2)[InuTeq, LLC]"
Subject: Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants



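The flavor-to-pipeline mapping that the fix above depends on, as an added example that is not from the thread and not Glance's own code: it reads a glance-api.conf and a glance-api-paste.ini, reports which paste pipeline glance-api will actually load, and flags a pipeline that never authenticates the request. The app-name rule (glance-api plus "-<flavor>" when a flavor is set, plain glance-api otherwise) is the one Glance's load_paste_app applies; the pipeline sections and filter names below are constructed to follow the stock glance-api-paste.ini layout, which is an assumption.

```python
"""Resolve the paste pipeline glance-api loads for a given [paste_deploy]
flavor and report whether that pipeline authenticates requests.

Added example, not from the thread or from Glance. Config excerpts are
constructed; the paste layout assumes the stock glance-api-paste.ini."""
import configparser

# Constructed excerpt modelled on the stock glance-api-paste.ini (assumed).
PASTE_INI = """
[pipeline:glance-api]
pipeline = cors healthcheck versionnegotiation unauthenticated-context rootapp

[pipeline:glance-api-keystone]
pipeline = cors healthcheck versionnegotiation authtoken context rootapp
"""

# Constructed glance-api.conf variants: the sparse file from the thread
# (no [paste_deploy] section at all) and the fixed one.
CONF_MISSING = "[DEFAULT]\nbind_host = 0.0.0.0\n"
CONF_FIXED = CONF_MISSING + "[paste_deploy]\nflavor = keystone\n"


def resolve_pipeline(api_conf, paste_ini, app_name="glance-api"):
    """Return (paste section name, filter list) that glance-api would load."""
    conf = configparser.ConfigParser()
    conf.read_string(api_conf)
    # An absent option means no flavor at runtime: the sample_default shown
    # in the docs is not applied, which is what the thread ran into.
    flavor = conf.get("paste_deploy", "flavor", fallback="").strip()
    section = "pipeline:" + app_name + ("-" + flavor if flavor else "")
    paste = configparser.ConfigParser()
    paste.read_string(paste_ini)
    if not paste.has_section(section):
        raise KeyError("paste section %r not found" % section)
    return section, paste.get(section, "pipeline").split()


def pipeline_is_authenticated(filters):
    """True only when the request context comes from a validated keystone token."""
    return "authtoken" in filters and "unauthenticated-context" not in filters


if __name__ == "__main__":
    for label, conf in (("missing", CONF_MISSING), ("fixed", CONF_FIXED)):
        section, filters = resolve_pipeline(conf, PASTE_INI)
        print(label, section, "authenticated:", pipeline_is_authenticated(filters))
```

Run against a real deployment by reading the two files from /etc/glance instead of the constructed strings; a result of pipeline:glance-api with authenticated False is the misconfiguration described in this thread.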
Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

2018-10-25 Thread Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]

I have dug deep into the code for glance, shoving debug outputs to see what I 
can find in our queens environment.

Here is my debug code (I have a lot more but this is the salient part)

LOG.debug("in enforce(), action='%s', policyvalues='%s'", action,
          context.to_policy_values())
return super(Enforcer, self).enforce(action, target,
                                     context.to_policy_values(),
                                     do_raise=True,
                                     exc=exception.Forbidden,
                                     action=action)

Below is the output attempting to set an image that I own while being an admin 
to public via `openstack image set --public cirros`

2018-10-25 18:29:16.575 17561 DEBUG glance.api.policy 
[req-e343bb10-8ec8-40df-8c0c-47d1b217ca0d - - - - -] in enforce(), 
action='publicize_image', policyvalues='{'service_roles': [], 'user_id': None, 
'roles': [], 'user_domain_id': None, 'service_project_id': None, 
'service_user_id': None, 'service_user_domain_id': None, 
'service_project_domain_id': None, 'is_admin_project': True, 'user': None, 
'project_id': None, 'tenant': None, 'project_domain_id': None}' enforce 
/usr/lib/python2.7/site-packages/glance/api/policy.py:64

And here is what shows up when I `openstack image list` as our test user 
(`jonathan`) who is NOT an admin

2018-10-25 18:32:24.841 17564 DEBUG glance.api.policy 
[req-22abdcf2-14cd-4680-8deb-e48902a7ddef - - - - -] in enforce(), 
action='get_images', policyvalues='{'service_roles': [], 'user_id': None, 
'roles': [], 'user_domain_id': None, 'service_project_id': None, 
'service_user_id': None, 'service_user_domain_id': None, 
'service_project_domain_id': None, 'is_admin_project': True, 'user': None, 
'project_id': None, 'tenant': None, 'project_domain_id': None}' enforce 
/usr/lib/python2.7/site-packages/glance/api/policy.py:64


The takeaway that I have is that in the case of get_images, is_admin_project is 
True, which is WRONG for that test, but since it’s a read-only operation it’s 
content to short-circuit and return all those images.

In the case of publicize_image, the is_admin_project being True isn’t enough, 
and when it checks user (which is None) it says NOPE.


So somehow for some reason glance APIs context is super duper wrong.


Mike Moore, M.S.S.E.

Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov

Hydrogen fusion brightens my day.

 
___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
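The two enforce() calls logged above, evaluated against the glance policy.json posted later in this thread, as an added example that is not from the thread and not oslo.policy itself: a minimal evaluator for the only rule forms that file uses ("" and "role:<name>") plus the "default" fallback. The context dicts are constructed from the logged policyvalues (no user, no roles) and, for comparison, from what a keystone-authenticated admin would carry; the identifiers in the admin context are placeholders.

```python
"""Minimal evaluation of the posted glance policy.json against the request
context seen in the debug output. Added example, not from the thread or
from oslo.policy; only the rule forms used in that file are supported."""
import json

# Rules for the two logged actions, copied from the posted policy.json.
POLICY_JSON = """{
  "context_is_admin": "role:admin",
  "default": "role:admin",
  "get_images": "",
  "publicize_image": "role:admin"
}"""

# Constructed from the policyvalues dict in the 2018-10-25 debug output:
# the unauthenticated pipeline hands glance a context with no user/roles.
UNAUTHENTICATED_CONTEXT = {
    "user_id": None, "project_id": None, "roles": [], "is_admin_project": True,
}
# Constructed placeholder for what the keystone pipeline gives an admin.
ADMIN_CONTEXT = {
    "user_id": "admin-user-id", "project_id": "admin-project-id",
    "roles": ["admin"], "is_admin_project": True,
}


def check_rule(rule, creds):
    """"" always passes, "!" never does, "role:x" needs x in creds["roles"]."""
    if rule == "":
        return True
    if rule == "!":
        return False
    if rule.startswith("role:"):
        return rule[len("role:"):] in creds.get("roles", [])
    raise ValueError("unsupported rule form: %r" % rule)


def enforce(policy_text, action, creds):
    """Look the action up, fall back to "default", and evaluate the rule."""
    rules = json.loads(policy_text)
    rule = rules.get(action, rules.get("default", "!"))
    return check_rule(rule, creds)


if __name__ == "__main__":
    for action in ("get_images", "publicize_image"):
        print(action,
              "unauthenticated:", enforce(POLICY_JSON, action, UNAUTHENTICATED_CONTEXT),
              "admin:", enforce(POLICY_JSON, action, ADMIN_CONTEXT))
```

With this file the empty get_images rule admits any caller, authenticated or not, while publicize_image needs the admin role in the context's roles list, which an empty roles list can never satisfy regardless of is_admin_project.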


Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

2018-10-19 Thread Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]

For reference, here is our full glance policy.json


{
"context_is_admin":  "role:admin",
"default": "role:admin",

"add_image": "",
"delete_image": "",
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "role:admin",
"communitize_image": "",
"copy_from": "",

"download_image": "",
"upload_image": "",

"delete_image_location": "",
"get_image_location": "",
"set_image_location": "",

"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "",

"manage_image_cache": "role:admin",

"get_task": "",
"get_tasks": "",
"add_task": "",
"modify_task": "",
"tasks_api_access": "role:admin",

"deactivate": "",
"reactivate": "",

"get_metadef_namespace": "",
"get_metadef_namespaces":"",
"modify_metadef_namespace":"",
"add_metadef_namespace":"",

"get_metadef_object":"",
    "get_metadef_objects":"",
"modify_metadef_object":"",
"add_metadef_object":"",

"list_metadef_resource_types":"",
"get_metadef_resource_type":"",
"add_metadef_resource_type_association":"",

"get_metadef_property":"",
"get_metadef_properties":"",
"modify_metadef_property":"",
"add_metadef_property":"",

"get_metadef_tag":"",
"get_metadef_tags":"",
"modify_metadef_tag":"",
"add_metadef_tag":"",
"add_metadef_tags":""

}


Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov
 
Hydrogen fusion brightens my day.
 

On 10/19/18, 12:39 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" wrote:

Our NDC domain is LDAP backed. Default is not.

Our keystone policy.json file is empty {}



Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov
 
Hydrogen fusion brightens my day.
 

On 10/18/18, 7:24 PM, "Chris Apsey" wrote:

We are using multiple keystone domains - still can't reproduce this.

Do you happen to have a customized keystone policy.json?

Worst case, I would launch a devstack of your targeted release. If you 
can't reproduce the issue there, you would at least know it's caused by a 
nonstandard config rather than a bug (or at least not a bug that's present 
when using a default config).

On October 18, 2018 18:50:12 iain MacDonnell wrote:

> That all looks fine.
>
> I believe that the "default" policy applies in place of any that's not
> explicitly specified - i.e. "if there's no matching policy below, you
> need to have the admin role to be able to do it". I do have that line in
> my policy.json, and I cannot reproduce your problem (see below).
>
> I'm not using domains (other than "default"). I wonder if that's a factor...
>
> ~iain
>
>
> $ openstack user create --password foo user1
> +---------------------+----------------------------------+
> | Field               | Value                            |
> +---------------------+----------------------------------+
> | domain_id           | default                          |
> | enabled             | True                             |
> | id                  | d18c0031ec56430499a2d690cb1f125c |
> | name                | user1                            |
> | options             | {}                               |
> | password_expires_at | None                             |
> +---------------------+----------------------------------+
> $ openstack user create --password foo user2
> +---------------------+----------------------------------+
  

> +--------------------------------------+--------+--------+
> $ openstack image create --private image1
> +------------------+------------------------------------------------------------------------------+
> | Field            | Value                                                                        |
> +------------------+------------------------------------------------------------------------------+
> | checksum         | None                                                                         |
> | container_format | bare                                                                         |
> | created_at       | 2018-10-18T22:17:41Z                                                         |
> | disk_format      | raw                                                                          |
> | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
> | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
> | min_disk         | 0                                                                            |
> | min_ram          | 0                                                                            |
> | name             | image1                                                                       |
> | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
> | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
> | protected        | False                                                                        |
> | schema           | /v2/schemas/image                                                            |
> | size             | None                                                                         |
> | status           | queued                                                                       |
> | tags             |                                                                              |
> | updated_at       | 2018-10-18T22:17:41Z                                                         |
> | virtual_size     | None                                                                         |
> | visibility       | private                                                                      |
> +------------------+------------------------------------------------------------------------------+
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> +--------------------------------------+--------+--------+
> $ export OS_USERNAME=user2
> $ export OS_PROJECT_NAME=project2
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> +--------------------------------------+--------+--------+
> $ export OS_USERNAME=admin
> $ export OS_PROJECT_NAME=admin
> $ export OS_PASSWORD=xxx
> $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> $ export OS_USERNAME=user2
> $ export OS_PROJECT_NAME=project2
> $ export OS_PASSWORD=foo
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> +--------------------------------------+--------+--------+
> $
>
>
> On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote:
>> openstack user create --domain default --password  --project-domain ndc --project test mike
>>
>>
>> openstack role add --user mike --user-domain default --project test user
>>
>> my admin account is in the NDC domain with a different username.
>>
>>
>>
>> /etc/glance/policy.json
>> {
>>
>> "context_is_admin":  "role:admin",
>> "default": "role:admin",
>>
>>
>>
>> I'm not terribly familiar with the policies but I feel like that default 
>> line is making everyone an admin by default?
>>
>>
>> Mike Moore, M.S.S.E.
>>
>> Systems Engineer, Goddard Private Cloud
>> michael.d.mo...@nasa.gov
>>
>> Hydrogen fusion brightens my day.
>>
>>
>> On 10/18/18, 6:25 PM, "iain MacDonnell" wrote:
>>
>>
>> I suspect that your non-admin user is not really non-admin. How did you
>> create it?
>>
>> What you have for "context_is_admin" in glance's policy.json ?

Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

2018-10-18 Thread Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]
openstack user create --domain default --password  --project-domain ndc --project test mike


openstack role add --user mike --user-domain default --project test user

my admin account is in the NDC domain with a different username.



/etc/glance/policy.json 
{

"context_is_admin":  "role:admin",
"default": "role:admin",




I'm not terribly familiar with the policies but I feel like that default line 
is making everyone an admin by default?


Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov
 
Hydrogen fusion brightens my day.
 

On 10/18/18, 6:25 PM, "iain MacDonnell" wrote:


I suspect that your non-admin user is not really non-admin. How did you 
create it?

What do you have for "context_is_admin" in glance's policy.json ?

 ~iain


On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote:
> I have replicated this unexpected behavior in a Pike test environment, in 
> addition to our Queens environment.
> 
> 
> 
> Mike Moore, M.S.S.E.
>   
> Systems Engineer, Goddard Private Cloud
> michael.d.mo...@nasa.gov
>   
> Hydrogen fusion brightens my day.
>   
> 
> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" wrote:
> 
>  Yes. I verified it by creating a non-admin user in a different tenant. 
>  I created a new image, set to private with the project defined as our 
>  admin tenant.
>  
>  In the database I can see that the image is 'private' and the owner 
>  is the ID of the admin tenant.
>  
>  Mike Moore, M.S.S.E.
>   
>  Systems Engineer, Goddard Private Cloud
>  michael.d.mo...@nasa.gov
>   
>  Hydrogen fusion brightens my day.
>   
>  
>  On 10/18/18, 1:07 AM, "iain MacDonnell" wrote:
>  
>  
>  
>  On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote:
>  > I’m seeing unexpected behavior in our Queens environment related to
>  > Glance image visibility. Specifically users who, based on my
>  > understanding of the visibility and ownership fields, should NOT be able
>  > to see or view the image.
>  >
>  > If I create a new image with openstack image create and specify --project
>  >  and --private a non-admin user in a different tenant can see and
>  > boot that image.
>  >
>  > That seems to be the opposite of what should happen. Any ideas?
>  
>  Yep, something's not right there.
>  
>  Are you sure that the user that can see the image doesn't have the admin
>  role (for the project in its keystone token) ?
>  
>  Did you verify that the image's owner is what you intended, and that the
>  visibility really is "private" ?
>  
>   ~iain
>  
> 




Re: [Openstack-operators] Glance Image Visibility Issue? - Non admin users can see private images from other tenants

2018-10-18 Thread Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]
I have replicated this unexpected behavior in a Pike test environment, in 
addition to our Queens environment.



Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov
 
Hydrogen fusion brightens my day.
 

On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" wrote:

Yes. I verified it by creating a non-admin user in a different tenant. I 
created a new image, set to private with the project defined as our admin 
tenant.

In the database I can see that the image is 'private' and the owner is the 
ID of the admin tenant.

Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
michael.d.mo...@nasa.gov
 
Hydrogen fusion brightens my day.
 

On 10/18/18, 1:07 AM, "iain MacDonnell" wrote:



On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote:
> I’m seeing unexpected behavior in our Queens environment related to 
> Glance image visibility. Specifically users who, based on my 
> understanding of the visibility and ownership fields, should NOT be able 
> to see or view the image.
> 
> If I create a new image with openstack image create and specify --project 
>  and --private a non-admin user in a different tenant can see and 
> boot that image.
> 
> That seems to be the opposite of what should happen. Any ideas?

Yep, something's not right there.

Are you sure that the user that can see the image doesn't have the admin 
role (for the project in its keystone token) ?

Did you verify that the image's owner is what you intended, and that the 
visibility really is "private" ?

 ~iain
