Bug 1012382 - swift: Admin user does not have permissions to see containers created by glance service
Status: CLOSED EOL
Product: RDO
Classification: Community
Component: openstack-packstack
Kilo
x86_64 Linux
Priority: unspecified
Severity: medium
: trunk
Assigned To: Martin Magr
nlevinki
storage
: Reopened, ZStream
Duplicates: 1014735
Depends On: 884748
Reported: 2013-09-26 07:34 EDT by Dafna Ron
Modified: 2017-07-03 07:20 EDT

Doc Type: Bug Fix
Last Closed: 2017-06-18 02:07:29 EDT
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 129176 None None None Never

Description Dafna Ron 2013-09-26 07:34:57 EDT
Description of problem:

I configured swift to work as glance backend.
After creating an image I wanted to make sure that the image was created on swift under the glance container, but in order to do that I need to log in with user glance.

I think that if as admin user I can list the images from backend, then I should also be able to list the services' containers.

Version-Release number of selected component (if applicable):

[root@nott-vdsa ~(keystone_glance)]# rpm -qa |grep swift
openstack-swift-plugin-swift3-1.0.0-0.20120711git.1.el6ost.noarch
openstack-swift-proxy-1.8.0-6.el6ost.noarch
python-swiftclient-1.6.0-1.el6ost.noarch
openstack-swift-1.8.0-6.el6ost.noarch


How reproducible:

100%

Steps to Reproduce:
1. configure swift to be glance's backend and create an image
2. run glance image-list -> you can see the image
3. run swift list 
4. log in with user glance -> run swift list 

Actual results:

We can only see the glance container when we log in as the glance service user.

Expected results:

If user admin can list the images from the backend, it should also see the glance container and list its objects.

Additional info:

user admin: 


[root@nott-vdsa ~(keystone_admin)]# glance image-list 
+--------------------------------------+--------+-------------+------------------+------------+--------+
| ID                                   | Name   | Disk Format | Container Format | Size       | Status |
+--------------------------------------+--------+-------------+------------------+------------+--------+
| 6f51ef8c-e540-43c3-9981-d64c01f1962c | bla    | qcow2       | bare             | 31357907   | active |
| ce811c65-c2f4-448e-8a1c-a6c3d104424d | rhel64 | qcow2       | bare             | 1974140928 | active |
| 74a6f42b-95b6-469c-a2b9-f76702fecdcb | test   | qcow2       | bare             | 31357907   | active |
+--------------------------------------+--------+-------------+------------------+------------+--------+
[root@nott-vdsa ~(keystone_admin)]# glance image-delete ce811c65-c2f4-448e-8a1c-a6c3d104424d
[root@nott-vdsa ~(keystone_admin)]# glance image-delete 74a6f42b-95b6-469c-a2b9-f76702fecdcb
[root@nott-vdsa ~(keystone_admin)]# 
[root@nott-vdsa ~(keystone_admin)]# 
[root@nott-vdsa ~(keystone_admin)]# 
[root@nott-vdsa ~(keystone_admin)]# 
[root@nott-vdsa ~(keystone_admin)]# glance image-list 
+--------------------------------------+------+-------------+------------------+----------+--------+
| ID                                   | Name | Disk Format | Container Format | Size     | Status |
+--------------------------------------+------+-------------+------------------+----------+--------+
| 6f51ef8c-e540-43c3-9981-d64c01f1962c | bla  | qcow2       | bare             | 31357907 | active |
+--------------------------------------+------+-------------+------------------+----------+--------+
[root@nott-vdsa ~(keystone_admin)]# swift list 
dafna
test

user glance: 

[root@nott-vdsa ~(keystone_glance)]# swift list 
glance
[root@nott-vdsa ~(keystone_glance)]# swift list glance 
6f51ef8c-e540-43c3-9981-d64c01f1962c
Comment 1 Dafna Ron 2013-09-26 07:35:20 EDT
https://bugs.launchpad.net/swift/+bug/1231396
Comment 2 Ayal Baron 2013-10-01 05:38:28 EDT
This is not a bug.
When we create an image, the 'container' in swift is an implementation detail.
The fact that you *can* configure the same user for both systems doesn't mean anything.
Comment 3 Ayal Baron 2013-10-01 05:42:48 EDT
Reopening after discussing with Dafna.
The problem iiuc is that 'admin' user does not have enough permissions to 'see' containers created by services (e.g. glance)
Comment 4 Alvaro Lopez Ortega 2013-11-15 07:21:56 EST
*** Bug 1014735 has been marked as a duplicate of this bug. ***
Comment 5 Martin Magr 2014-10-17 05:04:28 EDT
Unfortunately, Swift seems to have a problem with ACLs. Even though I have set an ACL on container glance for the admin user, the container is not visible.

I'm not sure 

[para@localhost ~(keystone_admin)]$ source keystonerc_glance
[para@localhost ~(keystone_glance)]$ swift list
glance
[para@localhost ~(keystone_glance)]$ swift stat glance
       Account: AUTH_83f6607d54844b08874184766148d375
     Container: glance
       Objects: 1
         Bytes: 13147648
      Read ACL:
     Write ACL:
       Sync To:
      Sync Key:
 Accept-Ranges: bytes
   X-Timestamp: 1413465069.26403
    X-Trans-Id: tx7d7bd62674d843f9b9ea0-005440cd76
  Content-Type: text/plain; charset=utf-8
[para@localhost ~(keystone_glance)]$ swift post glance -r admin:admin
[para@localhost ~(keystone_glance)]$ swift post glance -w admin:admin
[para@localhost ~(keystone_glance)]$ swift stat glance
       Account: AUTH_83f6607d54844b08874184766148d375
     Container: glance
       Objects: 1
         Bytes: 13147648
      Read ACL: admin:admin
     Write ACL: admin:admin
       Sync To:
      Sync Key:
 Accept-Ranges: bytes
   X-Timestamp: 1413465069.26403
    X-Trans-Id: txdad6dc7ac974427d8d9f6-005440d3cf
  Content-Type: text/plain; charset=utf-8
[para@localhost ~(keystone_glance)]$ source keystonerc_admin
[para@localhost ~(keystone_admin)]$ swift list
[para@localhost ~(keystone_admin)]$ swift stat glance
Container 'glance' not found

I also tried using only 'admin' as the ACL, but that didn't work either. Any thoughts, Peter or Pete?
Comment 6 Pete Zaitcev 2014-10-17 16:07:30 EDT
The operations in comment #5 only work if glance and admin share
a tenant. Do they? You can verify it with stat -v.
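
Added example, not part of the thread and not Swift's own code: a simplified Python model of why the commands in comment #5 end in "Container 'glance' not found" unless both users share a tenant. It assumes the admin user's tenant is named "admin" and glance's tenant is named "services", uses a constructed admin tenant id, and leaves out reseller-admin and role-based ACLs.

```python
from dataclasses import dataclass, field

GLANCE_ACCOUNT = "AUTH_83f6607d54844b08874184766148d375"  # account shown in comment #5

@dataclass(frozen=True)
class Token:
    """Identity Keystone hands to Swift for a tenant-scoped token."""
    tenant_id: str
    tenant_name: str
    user_name: str

@dataclass
class Container:
    read_acl: set = field(default_factory=set)  # entries of the form "tenant:user"

class SwiftModel:
    def __init__(self):
        self.accounts = {}  # "AUTH_<tenant_id>" -> {container name: Container}

    @staticmethod
    def own_account(token):
        # Without an explicit storage URL the client talks to the token's own account.
        return "AUTH_" + token.tenant_id

    def list_containers(self, token, account=None):
        account = account or self.own_account(token)
        if account != self.own_account(token):
            # A container ACL never grants listing of another tenant's account.
            raise PermissionError("403: account listing is owner-only")
        return sorted(self.accounts.get(account, {}))

    def stat_container(self, token, name, account=None):
        account = account or self.own_account(token)
        container = self.accounts.get(account, {}).get(name)
        if account == self.own_account(token):
            if container is None:
                raise LookupError(f"Container '{name}' not found")
            return True
        # Foreign account: only an explicit "tenant:user" read ACL entry admits the caller.
        entry = f"{token.tenant_name}:{token.user_name}"
        if container is not None and entry in container.read_acl:
            return True
        raise PermissionError("403: caller is not in the container's read ACL")

def build_model():
    glance = Token(GLANCE_ACCOUNT[len("AUTH_"):], "services", "glance")  # tenant name assumed
    admin = Token("0" * 32, "admin", "admin")  # constructed tenant id
    swift = SwiftModel()
    swift.accounts[GLANCE_ACCOUNT] = {"glance": Container({"admin:admin"})}  # swift post glance -r admin:admin
    return swift, glance, admin
```

In the model the ACL only takes effect when admin addresses the container under glance's account, which with the real client means pointing it at the owner's storage URL (python-swiftclient's `--os-storage-url`); admin's own account listing stays empty either way.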
Comment 7 Ivan Chavero 2015-08-27 01:43:43 EDT
Can I have acks for this bug, please?
Comment 10 Christopher Brown 2017-06-17 15:24:36 EDT
Hmmm, I think this can be safely closed now?
