Description of problem: I configured swift to work as glance backend. after creating an image I wanted to make sure that the image was created on swift under glance container but in order to do that I need to log in with user glance. I think that if as admin user I can list the images from backend, than I should also be able to list the services containers. Version-Release number of selected component (if applicable): [root@nott-vdsa ~(keystone_glance)]# rpm -qa |grep swift openstack-swift-plugin-swift3-1.0.0-0.20120711git.1.el6ost.noarch openstack-swift-proxy-1.8.0-6.el6ost.noarch python-swiftclient-1.6.0-1.el6ost.noarch openstack-swift-1.8.0-6.el6ost.noarch How reproducible: 100% Steps to Reproduce: 1. configure swift to be glance's backend and create an image 2. run glance image-list -> you can see the image 3. run swift list 4. log in with user glance -> run swift list Actual results: we can only see the glance container when we log in as glance service user Expected results: if user admin can list the images from the backend it should also be seeing the glance container and list its objects Additional info: user admin: [root@nott-vdsa ~(keystone_admin)]# glance image-list +--------------------------------------+--------+-------------+------------------+------------+--------+ | ID | Name | Disk Format | Container Format | Size | Status | +--------------------------------------+--------+-------------+------------------+------------+--------+ | 6f51ef8c-e540-43c3-9981-d64c01f1962c | bla | qcow2 | bare | 31357907 | active | | ce811c65-c2f4-448e-8a1c-a6c3d104424d | rhel64 | qcow2 | bare | 1974140928 | active | | 74a6f42b-95b6-469c-a2b9-f76702fecdcb | test | qcow2 | bare | 31357907 | active | +--------------------------------------+--------+-------------+------------------+------------+--------+ [root@nott-vdsa ~(keystone_admin)]# glance image-delete ce811c65-c2f4-448e-8a1c-a6c3d104424d [root@nott-vdsa ~(keystone_admin)]# glance image-delete 74a6f42b-95b6-469c-a2b9-f76702fecdcb [root@nott-vdsa ~(keystone_admin)]# [root@nott-vdsa ~(keystone_admin)]# [root@nott-vdsa ~(keystone_admin)]# [root@nott-vdsa ~(keystone_admin)]# [root@nott-vdsa ~(keystone_admin)]# glance image-list +--------------------------------------+------+-------------+------------------+----------+--------+ | ID | Name | Disk Format | Container Format | Size | Status | +--------------------------------------+------+-------------+------------------+----------+--------+ | 6f51ef8c-e540-43c3-9981-d64c01f1962c | bla | qcow2 | bare | 31357907 | active | +--------------------------------------+------+-------------+------------------+----------+--------+ [root@nott-vdsa ~(keystone_admin)]# swift list dafna test user glance: [root@nott-vdsa ~(keystone_glance)]# swift list glance [root@nott-vdsa ~(keystone_glance)]# swift list glance 6f51ef8c-e540-43c3-9981-d64c01f1962c
https://bugs.launchpad.net/swift/+bug/1231396
This is not a bug. When we create an image, the 'container' in swift is an implementation detail. The fact that you *can* configure the same user for both system doesn't mean anything
Reopening after discussing with Dafna. The problem iiuc is that 'admin' user does not have enough permissions to 'see' containers created by services (e.g. glance)
*** Bug 1014735 has been marked as a duplicate of this bug. ***
Unfortunately, Swift seems to have problem with ACL. Even though I have set ACL for container glance for admin user, the cantainer is not visible. I'm not sure [para@localhost ~(keystone_admin)]$ source keystonerc_glance [para@localhost ~(keystone_glance)]$ swift list glance [para@localhost ~(keystone_glance)]$ swift stat glance Account: AUTH_83f6607d54844b08874184766148d375 Container: glance Objects: 1 Bytes: 13147648 Read ACL: Write ACL: Sync To: Sync Key: Accept-Ranges: bytes X-Timestamp: 1413465069.26403 X-Trans-Id: tx7d7bd62674d843f9b9ea0-005440cd76 Content-Type: text/plain; charset=utf-8 [para@localhost ~(keystone_glance)]$ swift post glance -r admin:admin [para@localhost ~(keystone_glance)]$ swift post glance -w admin:admin [para@localhost ~(keystone_glance)]$ swift stat glance Account: AUTH_83f6607d54844b08874184766148d375 Container: glance Objects: 1 Bytes: 13147648 Read ACL: admin:admin Write ACL: admin:admin Sync To: Sync Key: Accept-Ranges: bytes X-Timestamp: 1413465069.26403 X-Trans-Id: txdad6dc7ac974427d8d9f6-005440d3cf Content-Type: text/plain; charset=utf-8 [para@localhost ~(keystone_glance)]$ source keystonerc_admin [para@localhost ~(keystone_admin)]$ swift list [para@localhost ~(keystone_admin)]$ swift stat glance Container 'glance' not found I tried to use also only 'admin' as ACL, but it didn't work too. Any thoughts Peter or Pete?
The operations in comment #5 only work if glance and admin share a tennant. Do they? You can verify it with stat -v.
can i have acks for this bug please?
Hmmm, I think this can be safely closed now?