Re: [openstack-dev] [glance] Permissions differences for glance image-create between Icehouse and Juno

2014-10-31 Thread Flavio Percoco

On 31/10/14 04:57 +, Nikhil Komawar wrote:

Hi Jay,

Wanted to clarify a few things around this:

1. are you using --is_public or --is-public option?
2. are you using stable/juno branch or it is a rc(1/2/3) from ubuntu packages?

After trying out:

glance image-create --is-public=True --disk-format qcow2 --container-format 
bare --name foobar --name foobar --file 
/opt/stack/data/glance/images/5be32fc4-e063-4032-b248-516c7ab7116b

the command seems to be working on the latest devstack setup with the branch 
stable/juno used for glance.


Did you test this with an admin user?


The policy file in your paste looks fine too.

As nothing out of the ordinary seems to be wrong, hope this intuitive 
suggestion helps: the filesystem store config may be mismatched (possibly there 
are 2 options).



I haven't had the chance to test this but my guess is that Jay's issue
may be caused by an upgrade from Icehouse - Juno.

I'll hopefully be able to give this a try today.
Fla.



Thanks,
-Nikhil


From: Tom Fifield [t...@openstack.org]
Sent: Monday, October 27, 2014 9:26 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [glance] Permissions differences for glance 
image-create between Icehouse and Juno

Sorry, early morning!

I can confirm that in your policy.json there is:

   publicize_image: role:admin,

which seems to match what's needed :)

Regards,


Tom

On 28/10/14 10:18, Jay Pipes wrote:

Right, but as you can read below, I'm using an admin to do the operation...

Which is why I'm curious what exactly I'm supposed to do :)

-jay

On 10/27/2014 09:04 PM, Tom Fifield wrote:

This was covered in the release notes for glance, under Upgrade notes:

https://wiki.openstack.org/wiki/ReleaseNotes/Juno#Upgrade_Notes_3

* The ability to upload a public image is now admin-only by default. To
continue to use the previous behaviour, edit the publicize_image flag in
etc/policy.json to remove the role restriction.

Regards,


Tom

On 28/10/14 01:22, Jay Pipes wrote:

Hello Glancers,

Peter and I are having issues working with a Juno Glance endpoint.
Specifically, a glance image-create ... --is_public=True CLI command
that *was* working in our Icehouse cloud is now failing in our Juno
cloud with a 403 Forbidden.

The specific command in question is:

glance image-create --name cirros-0.3.2-x86_64 --file
/var/tmp/cirros-0.3.2-x86_64-disk.img --disk-format qcow2
--container-format bare --is_public=True

If we take off the is_public=True, everything works just fine. We are
executing the above command as a user with a user called admin having
the role admin in a project called admin.

We have enabled debug=True conf option in both glance-api.conf and
glance-registry.conf, and unfortunately, there is no log output at all,
other than spitting out the configuration option settings on daemon
startup and a few messages like Loaded policy rules: ... which don't
actually provide any useful information about policy *decisions* that
are made... :(

Any help is most appreciated. Our policy.json file is the stock one that
comes in the Ubuntu Cloud Archive glance packages, i.e.:

http://paste.openstack.org/show/125420/

Best,
-jay

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


--
@flaper87
Flavio Percoco


pgpfEdNA4EhNh.pgp
Description: PGP signature
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [glance] Permissions differences for glance image-create between Icehouse and Juno

2014-10-31 Thread Nikhil Komawar
 Did you test this with an admin user?
Yes, did test it with an admin user.

 may be caused by an upgrade from Icehouse - Juno.
Possibly, good point.

Thanks,
-Nikhil


From: Flavio Percoco [fla...@redhat.com]
Sent: Friday, October 31, 2014 4:03 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [glance] Permissions differences for glance 
image-create between Icehouse and Juno

On 31/10/14 04:57 +, Nikhil Komawar wrote:
Hi Jay,

Wanted to clarify a few things around this:

1. are you using --is_public or --is-public option?
2. are you using stable/juno branch or it is a rc(1/2/3) from ubuntu packages?

After trying out:

glance image-create --is-public=True --disk-format qcow2 --container-format 
bare --name foobar --name foobar --file 
/opt/stack/data/glance/images/5be32fc4-e063-4032-b248-516c7ab7116b

the command seems to be working on the latest devstack setup with the branch 
stable/juno used for glance.

Did you test this with an admin user?

The policy file in your paste looks fine too.

As nothing out of the ordinary seems to be wrong, hope this intuitive 
suggestion helps: the filesystem store config may be mismatched (possibly 
there are 2 options).


I haven't had the chance to test this but my guess is that Jay's issue
may be caused by an upgrade from Icehouse - Juno.

I'll hopefully be able to give this a try today.
Fla.


Thanks,
-Nikhil


From: Tom Fifield [t...@openstack.org]
Sent: Monday, October 27, 2014 9:26 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [glance] Permissions differences for glance 
image-create between Icehouse and Juno

Sorry, early morning!

I can confirm that in your policy.json there is:

publicize_image: role:admin,

which seems to match what's needed :)

Regards,


Tom

On 28/10/14 10:18, Jay Pipes wrote:
 Right, but as you can read below, I'm using an admin to do the operation...

 Which is why I'm curious what exactly I'm supposed to do :)

 -jay

 On 10/27/2014 09:04 PM, Tom Fifield wrote:
 This was covered in the release notes for glance, under Upgrade notes:

 https://wiki.openstack.org/wiki/ReleaseNotes/Juno#Upgrade_Notes_3

 * The ability to upload a public image is now admin-only by default. To
 continue to use the previous behaviour, edit the publicize_image flag in
 etc/policy.json to remove the role restriction.

 Regards,


 Tom

 On 28/10/14 01:22, Jay Pipes wrote:
 Hello Glancers,

 Peter and I are having issues working with a Juno Glance endpoint.
 Specifically, a glance image-create ... --is_public=True CLI command
 that *was* working in our Icehouse cloud is now failing in our Juno
 cloud with a 403 Forbidden.

 The specific command in question is:

 glance image-create --name cirros-0.3.2-x86_64 --file
 /var/tmp/cirros-0.3.2-x86_64-disk.img --disk-format qcow2
 --container-format bare --is_public=True

 If we take off the is_public=True, everything works just fine. We are
 executing the above command as a user with a user called admin having
 the role admin in a project called admin.

 We have enabled debug=True conf option in both glance-api.conf and
 glance-registry.conf, and unfortunately, there is no log output at all,
 other than spitting out the configuration option settings on daemon
 startup and a few messages like Loaded policy rules: ... which don't
 actually provide any useful information about policy *decisions* that
 are made... :(

 Any help is most appreciated. Our policy.json file is the stock one that
 comes in the Ubuntu Cloud Archive glance packages, i.e.:

 http://paste.openstack.org/show/125420/

 Best,
 -jay

 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
@flaper87
Flavio Percoco

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [glance] Permissions differences for glance image-create between Icehouse and Juno

2014-10-27 Thread Tom Fifield
This was covered in the release notes for glance, under Upgrade notes:

https://wiki.openstack.org/wiki/ReleaseNotes/Juno#Upgrade_Notes_3

* The ability to upload a public image is now admin-only by default. To
continue to use the previous behaviour, edit the publicize_image flag in
etc/policy.json to remove the role restriction.

Regards,


Tom

On 28/10/14 01:22, Jay Pipes wrote:
 Hello Glancers,
 
 Peter and I are having issues working with a Juno Glance endpoint.
 Specifically, a glance image-create ... --is_public=True CLI command
 that *was* working in our Icehouse cloud is now failing in our Juno
 cloud with a 403 Forbidden.
 
 The specific command in question is:
 
 glance image-create --name cirros-0.3.2-x86_64 --file
 /var/tmp/cirros-0.3.2-x86_64-disk.img --disk-format qcow2
 --container-format bare --is_public=True
 
 If we take off the is_public=True, everything works just fine. We are
 executing the above command as a user with a user called admin having
 the role admin in a project called admin.
 
 We have enabled debug=True conf option in both glance-api.conf and
 glance-registry.conf, and unfortunately, there is no log output at all,
 other than spitting out the configuration option settings on daemon
 startup and a few messages like Loaded policy rules: ... which don't
 actually provide any useful information about policy *decisions* that
 are made... :(
 
 Any help is most appreciated. Our policy.json file is the stock one that
 comes in the Ubuntu Cloud Archive glance packages, i.e.:
 
 http://paste.openstack.org/show/125420/
 
 Best,
 -jay
 
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [glance] Permissions differences for glance image-create between Icehouse and Juno

2014-10-27 Thread Jay Pipes

Right, but as you can read below, I'm using an admin to do the operation...

Which is why I'm curious what exactly I'm supposed to do :)

-jay

On 10/27/2014 09:04 PM, Tom Fifield wrote:

This was covered in the release notes for glance, under Upgrade notes:

https://wiki.openstack.org/wiki/ReleaseNotes/Juno#Upgrade_Notes_3

* The ability to upload a public image is now admin-only by default. To
continue to use the previous behaviour, edit the publicize_image flag in
etc/policy.json to remove the role restriction.

Regards,


Tom

On 28/10/14 01:22, Jay Pipes wrote:

Hello Glancers,

Peter and I are having issues working with a Juno Glance endpoint.
Specifically, a glance image-create ... --is_public=True CLI command
that *was* working in our Icehouse cloud is now failing in our Juno
cloud with a 403 Forbidden.

The specific command in question is:

glance image-create --name cirros-0.3.2-x86_64 --file
/var/tmp/cirros-0.3.2-x86_64-disk.img --disk-format qcow2
--container-format bare --is_public=True

If we take off the is_public=True, everything works just fine. We are
executing the above command as a user with a user called admin having
the role admin in a project called admin.

We have enabled debug=True conf option in both glance-api.conf and
glance-registry.conf, and unfortunately, there is no log output at all,
other than spitting out the configuration option settings on daemon
startup and a few messages like Loaded policy rules: ... which don't
actually provide any useful information about policy *decisions* that
are made... :(

Any help is most appreciated. Our policy.json file is the stock one that
comes in the Ubuntu Cloud Archive glance packages, i.e.:

http://paste.openstack.org/show/125420/

Best,
-jay

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [glance] Permissions differences for glance image-create between Icehouse and Juno

2014-10-27 Thread Tom Fifield
Sorry, early morning!

I can confirm that in your policy.json there is:

publicize_image: role:admin,

which seems to match what's needed :)

Regards,


Tom

On 28/10/14 10:18, Jay Pipes wrote:
 Right, but as you can read below, I'm using an admin to do the operation...
 
 Which is why I'm curious what exactly I'm supposed to do :)
 
 -jay
 
 On 10/27/2014 09:04 PM, Tom Fifield wrote:
 This was covered in the release notes for glance, under Upgrade notes:

 https://wiki.openstack.org/wiki/ReleaseNotes/Juno#Upgrade_Notes_3

 * The ability to upload a public image is now admin-only by default. To
 continue to use the previous behaviour, edit the publicize_image flag in
 etc/policy.json to remove the role restriction.

 Regards,


 Tom

 On 28/10/14 01:22, Jay Pipes wrote:
 Hello Glancers,

 Peter and I are having issues working with a Juno Glance endpoint.
 Specifically, a glance image-create ... --is_public=True CLI command
 that *was* working in our Icehouse cloud is now failing in our Juno
 cloud with a 403 Forbidden.

 The specific command in question is:

 glance image-create --name cirros-0.3.2-x86_64 --file
 /var/tmp/cirros-0.3.2-x86_64-disk.img --disk-format qcow2
 --container-format bare --is_public=True

 If we take off the is_public=True, everything works just fine. We are
 executing the above command as a user with a user called admin having
 the role admin in a project called admin.

 We have enabled debug=True conf option in both glance-api.conf and
 glance-registry.conf, and unfortunately, there is no log output at all,
 other than spitting out the configuration option settings on daemon
 startup and a few messages like Loaded policy rules: ... which don't
 actually provide any useful information about policy *decisions* that
 are made... :(

 Any help is most appreciated. Our policy.json file is the stock one that
 comes in the Ubuntu Cloud Archive glance packages, i.e.:

 http://paste.openstack.org/show/125420/

 Best,
 -jay

 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

 
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev