Bug 878229

Summary: glance member-add doesn't validate input
Product: Red Hat OpenStack Reporter: Dan Yocum <dyocum>
Component: openstack-glanceAssignee: Flavio Percoco <fpercoco>
Status: CLOSED NOTABUG QA Contact: Attila Fazekas <afazekas>
Severity: low Docs Contact:
Priority: low    
Version: 1.0 (Essex)CC: fpercoco, markmc
Target Milestone: beta   
Target Release: 3.0   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-05-06 16:12:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dan Yocum 2012-11-19 21:44:46 UTC 
Description of problem:
In ESSEX it is possible to enter invalid data in the glance database when adding members to images.

Version-Release number of selected component (if applicable):

Essex

How reproducible:

Every

Steps to Reproduce:
1.glance member-add foo

2.
3.
  
Actual results:

member-foo added to database even though neither project nor user 'foo' exists

Expected results:

member 'foo' not added to database

Additional info:

I've also opened this bug upstream: 
https://bugs.launchpad.net/keystone/+bug/1080864
Comment 2 Mark McLoughlin 2012-12-07 09:41:29 UTC 
Thanks Dan. This is good feedback and is being taken on-board upstream

I'd suggest closing this as UPSTREAM - this will be fixed in RHOS when we rebase to an upstream version which fixes it. We're unlikely to fix in RHOS before then, given that it's probably a fairly significant change.
Comment 5 Yaniv Kaul 2012-12-30 08:04:29 UTC 
For the record, still happens in Folsom (just that member-add was changed to member-create). One can add non-existent tenants to an image.
[root@ykaul-os-horizon ~(keystone_admin)]$ glance member-list --image-id a92439a6-5923-4ca8-98ae-ceabe3c164f6
+--------------------------------------+----------------------------------+-----------+
| Image ID                             | Member ID                        | Can Share |
+--------------------------------------+----------------------------------+-----------+
| a92439a6-5923-4ca8-98ae-ceabe3c164f6 | 32af8050fbc247fd9ab9b0dc67237fcc | True      |
+--------------------------------------+----------------------------------+-----------+

Now adding with a non-existent ID (similar to above, only with '1' at the end of the ID):

[root@ykaul-os-horizon ~(keystone_admin)]$ glance member-create a92439a6-5923-4ca8-98ae-ceabe3c164f6 32af8050fbc247fd9ab9b0dc67237fc1 --can-share
[root@ykaul-os-horizon ~(keystone_admin)]$ echo $?
0
[root@ykaul-os-horizon ~(keystone_admin)]$ glance member-list --image-id a92439a6-5923-4ca8-98ae-ceabe3c164f6
+--------------------------------------+----------------------------------+-----------+
| Image ID                             | Member ID                        | Can Share |
+--------------------------------------+----------------------------------+-----------+
| a92439a6-5923-4ca8-98ae-ceabe3c164f6 | 32af8050fbc247fd9ab9b0dc67237fc1 | True      |
| a92439a6-5923-4ca8-98ae-ceabe3c164f6 | 32af8050fbc247fd9ab9b0dc67237fcc | True      |
+--------------------------------------+----------------------------------+-----------+

openstack-glance-2012.2.1-1.el6ost.noarch
Comment 6 Flavio Percoco 2013-05-06 16:12:44 UTC 
After some discussions upstream, this issue was closed as not a bug since this is the desired behavior. Glance doesn't check if the tenant is valid when adding a new member. 

Please, read the bug report linked in the external trackers for a more detailed information.