Bug 1012382

Summary: swift: Admin user does not have permissions to see containers created by glance service
Product: [Community] RDO
Reporter: Dafna Ron <dron>
Component: openstack-packstack
Assignee: Martin Magr <mmagr>
Status: CLOSED EOL
QA Contact: nlevinki <nlevinki>
Severity: medium
Priority: unspecified
Version: Kilo
CC: aortega, chris.brown, derekh, dron, ichavero, oblaut, pportant, srevivo, zaitcev
Keywords: Reopened, ZStream
Target Release: trunk
Hardware: x86_64
OS: Linux
Whiteboard: storage
Doc Type: Bug Fix
Last Closed: 2017-06-18 06:07:29 UTC
Type: Bug
Bug Depends On: 884748

Description Dafna Ron 2013-09-26 11:34:57 UTC
Description of problem:

I configured swift to work as glance backend. 
After creating an image I wanted to make sure that the image was created on swift under the glance container, but in order to do that I need to log in as user glance.

I think that if, as admin user, I can list the images from the backend, then I should also be able to list the services' containers.

Version-Release number of selected component (if applicable):

[root@nott-vdsa ~(keystone_glance)]# rpm -qa |grep swift
openstack-swift-plugin-swift3-1.0.0-0.20120711git.1.el6ost.noarch
openstack-swift-proxy-1.8.0-6.el6ost.noarch
python-swiftclient-1.6.0-1.el6ost.noarch
openstack-swift-1.8.0-6.el6ost.noarch


How reproducible:

100%

Steps to Reproduce:
1. configure swift to be glance's backend and create an image
2. run glance image-list -> you can see the image
3. run swift list 
4. log in with user glance -> run swift list 

Actual results:

We can only see the glance container when we log in as the glance service user.

Expected results:

If user admin can list the images from the backend, it should also see the glance container and be able to list its objects.

Additional info:

user admin: 


[root@nott-vdsa ~(keystone_admin)]# glance image-list 
+--------------------------------------+--------+-------------+------------------+------------+--------+
| ID                                   | Name   | Disk Format | Container Format | Size       | Status |
+--------------------------------------+--------+-------------+------------------+------------+--------+
| 6f51ef8c-e540-43c3-9981-d64c01f1962c | bla    | qcow2       | bare             | 31357907   | active |
| ce811c65-c2f4-448e-8a1c-a6c3d104424d | rhel64 | qcow2       | bare             | 1974140928 | active |
| 74a6f42b-95b6-469c-a2b9-f76702fecdcb | test   | qcow2       | bare             | 31357907   | active |
+--------------------------------------+--------+-------------+------------------+------------+--------+
[root@nott-vdsa ~(keystone_admin)]# glance image-delete ce811c65-c2f4-448e-8a1c-a6c3d104424d
[root@nott-vdsa ~(keystone_admin)]# glance image-delete 74a6f42b-95b6-469c-a2b9-f76702fecdcb
[root@nott-vdsa ~(keystone_admin)]# 
[root@nott-vdsa ~(keystone_admin)]# 
[root@nott-vdsa ~(keystone_admin)]# 
[root@nott-vdsa ~(keystone_admin)]# 
[root@nott-vdsa ~(keystone_admin)]# glance image-list 
+--------------------------------------+------+-------------+------------------+----------+--------+
| ID                                   | Name | Disk Format | Container Format | Size     | Status |
+--------------------------------------+------+-------------+------------------+----------+--------+
| 6f51ef8c-e540-43c3-9981-d64c01f1962c | bla  | qcow2       | bare             | 31357907 | active |
+--------------------------------------+------+-------------+------------------+----------+--------+
[root@nott-vdsa ~(keystone_admin)]# swift list 
dafna
test

user glance: 

[root@nott-vdsa ~(keystone_glance)]# swift list 
glance
[root@nott-vdsa ~(keystone_glance)]# swift list glance 
6f51ef8c-e540-43c3-9981-d64c01f1962c

Comment 1 Dafna Ron 2013-09-26 11:35:20 UTC
https://bugs.launchpad.net/swift/+bug/1231396

Comment 2 Ayal Baron 2013-10-01 09:38:28 UTC
This is not a bug.
When we create an image, the 'container' in swift is an implementation detail.
The fact that you *can* configure the same user for both systems doesn't mean anything.

Comment 3 Ayal Baron 2013-10-01 09:42:48 UTC
Reopening after discussing with Dafna.
The problem iiuc is that 'admin' user does not have enough permissions to 'see' containers created by services (e.g. glance)

Comment 4 Alvaro Lopez Ortega 2013-11-15 12:21:56 UTC
*** Bug 1014735 has been marked as a duplicate of this bug. ***

Comment 5 Martin Magr 2014-10-17 09:04:28 UTC
Unfortunately, Swift seems to have a problem with ACLs. Even though I have set an ACL on container glance for the admin user, the container is not visible.

I'm not sure 

[para@localhost ~(keystone_admin)]$ source keystonerc_glance
[para@localhost ~(keystone_glance)]$ swift list
glance
[para@localhost ~(keystone_glance)]$ swift stat glance
       Account: AUTH_83f6607d54844b08874184766148d375
     Container: glance
       Objects: 1
         Bytes: 13147648
      Read ACL:
     Write ACL:
       Sync To:
      Sync Key:
 Accept-Ranges: bytes
   X-Timestamp: 1413465069.26403
    X-Trans-Id: tx7d7bd62674d843f9b9ea0-005440cd76
  Content-Type: text/plain; charset=utf-8
[para@localhost ~(keystone_glance)]$ swift post glance -r admin:admin
[para@localhost ~(keystone_glance)]$ swift post glance -w admin:admin
[para@localhost ~(keystone_glance)]$ swift stat glance
       Account: AUTH_83f6607d54844b08874184766148d375
     Container: glance
       Objects: 1
         Bytes: 13147648
      Read ACL: admin:admin
     Write ACL: admin:admin
       Sync To:
      Sync Key:
 Accept-Ranges: bytes
   X-Timestamp: 1413465069.26403
    X-Trans-Id: txdad6dc7ac974427d8d9f6-005440d3cf
  Content-Type: text/plain; charset=utf-8
[para@localhost ~(keystone_glance)]$ source keystonerc_admin
[para@localhost ~(keystone_admin)]$ swift list
[para@localhost ~(keystone_admin)]$ swift stat glance
Container 'glance' not found

I also tried using only 'admin' as the ACL, but that didn't work either. Any thoughts, Peter or Pete?

Comment 6 Pete Zaitcev 2014-10-17 20:07:30 UTC
The operations in comment #5 only work if glance and admin share
a tenant. Do they? You can verify it with stat -v.
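
The tenant dependence raised in comment 6, as an added example that is not part of the original thread and is not Swift's own code: a simplified Python model of how a Keystone-authenticated request resolves to an account and is checked against a container read ACL. It goes slightly beyond the comment by also modelling a request addressed to the owner's account. Assumptions: the `stat` helper, the operator role set, the all-zero admin tenant id, and the tenant names `admin` and `services` are constructed for illustration; only the glance account name comes from comment 5.

```python
from dataclasses import dataclass

OPERATOR_ROLES = {"admin", "swiftoperator"}  # assumed operator role setting


@dataclass(frozen=True)
class Token:
    tenant_id: str
    tenant_name: str
    user: str
    roles: frozenset


def stat(accounts, token, container, account=None):
    """Status a HEAD on <account>/<container> would get in this model."""
    own = "AUTH_" + token.tenant_id
    account = account or own  # default storage URL points at the token's tenant
    containers = accounts.get(account, {})
    # An operator in the account's own tenant has full access to that account.
    if account == own and token.roles & OPERATOR_ROLES:
        return 200 if container in containers else 404
    # Anyone else needs a tenant:user entry in the container's read ACL.
    read_acl = containers.get(container, set())
    grants = {f"{token.tenant_id}:{token.user}",
              f"{token.tenant_name}:{token.user}"}
    return 200 if grants & read_acl else 403


GLANCE_TENANT_ID = "83f6607d54844b08874184766148d375"  # from comment 5
GLANCE_ACCOUNT = "AUTH_" + GLANCE_TENANT_ID
ADMIN_TENANT_ID = "0" * 32  # constructed placeholder


def scenario():
    admin = Token(ADMIN_TENANT_ID, "admin", "admin", frozenset({"admin"}))
    # Hypothetical: the same user with a token scoped to glance's tenant.
    shared = Token(GLANCE_TENANT_ID, "services", "admin", frozenset({"admin"}))
    accounts = {GLANCE_ACCOUNT: {"glance": set()},
                "AUTH_" + ADMIN_TENANT_ID: {}}
    before = stat(accounts, admin, "glance", GLANCE_ACCOUNT)
    # Equivalent of: swift post glance -r admin:admin
    accounts[GLANCE_ACCOUNT]["glance"] = {"admin:admin"}
    return {
        "cross_account_before_acl": before,
        "own_account_after_acl": stat(accounts, admin, "glance"),
        "cross_account_after_acl": stat(accounts, admin, "glance", GLANCE_ACCOUNT),
        "shared_tenant": stat(accounts, shared, "glance"),
    }
```

In this model the ACL never changes which account a request is sent to, so the lookup in the admin tenant's own account still returns 404, matching the "Container 'glance' not found" output in comment 5.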

Comment 7 Ivan Chavero 2015-08-27 05:43:43 UTC
Can I have acks for this bug, please?

Comment 10 Christopher Brown 2017-06-17 19:24:36 UTC
Hmmm, I think this can be safely closed now?