Description of problem:
In ESSEX it is possible to enter invalid data in the glance database when adding members to images.

Version-Release number of selected component (if applicable):
Essex

How reproducible:
Every

Steps to Reproduce:
1. glance member-add foo
2.
3.

Actual results:
member-foo added to database even though neither project nor user 'foo' exists

Expected results:
member 'foo' not added to database

Additional info:
I've also opened this bug upstream: https://bugs.launchpad.net/keystone/+bug/1080864

Thanks Dan. This is good feedback and is being taken on board upstream. I'd suggest closing this as UPSTREAM - this will be fixed in RHOS when we rebase to an upstream version which fixes it. We're unlikely to fix in RHOS before then, given that it's probably a fairly significant change.

For the record, still happens in Folsom (just that member-add was changed to member-create). One can add non-existent tenants to an image.

[root@ykaul-os-horizon ~(keystone_admin)]$ glance member-list --image-id a92439a6-5923-4ca8-98ae-ceabe3c164f6
+--------------------------------------+----------------------------------+-----------+
| Image ID                             | Member ID                        | Can Share |
+--------------------------------------+----------------------------------+-----------+
| a92439a6-5923-4ca8-98ae-ceabe3c164f6 | 32af8050fbc247fd9ab9b0dc67237fcc | True      |
+--------------------------------------+----------------------------------+-----------+

Now adding with a non-existent ID (similar to above, only with '1' at the end of the ID):

[root@ykaul-os-horizon ~(keystone_admin)]$ glance member-create a92439a6-5923-4ca8-98ae-ceabe3c164f6 32af8050fbc247fd9ab9b0dc67237fc1 --can-share
[root@ykaul-os-horizon ~(keystone_admin)]$ echo $?
0
[root@ykaul-os-horizon ~(keystone_admin)]$ glance member-list --image-id a92439a6-5923-4ca8-98ae-ceabe3c164f6
+--------------------------------------+----------------------------------+-----------+
| Image ID                             | Member ID                        | Can Share |
+--------------------------------------+----------------------------------+-----------+
| a92439a6-5923-4ca8-98ae-ceabe3c164f6 | 32af8050fbc247fd9ab9b0dc67237fc1 | True      |
| a92439a6-5923-4ca8-98ae-ceabe3c164f6 | 32af8050fbc247fd9ab9b0dc67237fcc | True      |
+--------------------------------------+----------------------------------+-----------+

openstack-glance-2012.2.1-1.el6ost.noarch

After some discussions upstream, this issue was closed as not a bug since this is the desired behavior. Glance doesn't check if the tenant is valid when adding a new member. Please read the bug report linked in the external trackers for more detailed information.
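
Since Glance stores whatever member ID it is given, a mistyped or deleted tenant has to be caught outside Glance. The following is an added example, not part of the bug report or of Glance: a Python check that parses `glance member-list` output in the table layout shown above and flags members absent from a tenant list the operator supplies. The function names and the `KNOWN_TENANTS` set are assumptions, and the sample table is constructed from the IDs quoted in the report.

```python
# Constructed sample: `glance member-list` output in the layout shown in the report.
SAMPLE_MEMBER_LIST = """\
+--------------------------------------+----------------------------------+-----------+
| Image ID                             | Member ID                        | Can Share |
+--------------------------------------+----------------------------------+-----------+
| a92439a6-5923-4ca8-98ae-ceabe3c164f6 | 32af8050fbc247fd9ab9b0dc67237fc1 | True      |
| a92439a6-5923-4ca8-98ae-ceabe3c164f6 | 32af8050fbc247fd9ab9b0dc67237fcc | True      |
+--------------------------------------+----------------------------------+-----------+
"""

# Assumption: tenant IDs exported from the identity service by the operator.
KNOWN_TENANTS = {"32af8050fbc247fd9ab9b0dc67237fcc"}


def parse_member_table(text):
    """Return (image_id, member_id, can_share) tuples from the CLI table."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # border, prompt, or blank line
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 3 or cells[0] == "Image ID":
            continue  # header row or unexpected layout
        rows.append((cells[0], cells[1], cells[2] == "True"))
    return rows


def find_dangling_members(table_text, known_tenant_ids):
    """List memberships whose member ID matches no known tenant.

    Member IDs are free-form strings (the report adds 'foo'), so the
    comparison is exact-match after case folding, not a format check.
    """
    known = {t.lower() for t in known_tenant_ids}
    return [row for row in parse_member_table(table_text)
            if row[1].lower() not in known]


if __name__ == "__main__":
    for image_id, member_id, can_share in find_dangling_members(
            SAMPLE_MEMBER_LIST, KNOWN_TENANTS):
        note = " (can re-share)" if can_share else ""
        print(f"image {image_id}: unknown member {member_id}{note}")
```

Entries flagged with Can Share set deserve attention first, because if that tenant ID is ever created it can extend access to the image further.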