User cannot see an image within its own project, created with 'nova image-create' command.

Bug #870528 reported by Valeriy Belavin
This bug report is a duplicate of: Bug #863305: Image access control is available.
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Incomplete
Importance: Medium
Assigned to: Unassigned

Bug Description

Environment:

Ubuntu Server 11.04
OpenStack Diablo release (single server deployment)
Glance as an image storage

Nova config:
--libvirt_type=kvm
--image_service=nova.image.glance.GlanceImageService
--sql_connection=mysql://$dbuser:$dbpass@127.0.0.1/nova

--ec2_url=http://172.16.100.1:8773/services/Cloud
--s3_host=172.16.128.10
--cc_host=172.16.100.1
--glance_host=172.16.100.1
--rabbit_host=172.16.100.1

--network_manager=nova.network.manager.FlatDHCPManager
--dhcpbridge_flagfile=/etc/nova/nova.conf
--dhcpbridge=/usr/bin/nova-dhcpbridge
--fixed_range=172.16.100.0/24
--network_size=8
--routing_source_ip=172.16.128.10

--iscsi_ip_prefix=172.16.
--FAKE_subdomain=ec2
--logdir=/var/log/nova
--lock_path=/var/lock/nova
--state_path=/var/lib/nova
--verbose
--allow_admin_api=true
--use_deprecated_auth=true

Steps to reproduce:
1. create Nova user:
sudo nova-manage user create --name=test
sudo nova-manage project create --project=test-project --user=test
sudo nova-manage role add --user=test --role=netadmin
sudo nova-manage role add --user=test --role=netadmin --project=test-project
sudo nova-manage project zipfile --project=test-project --user=test --file=test.zip

2. start an instance with 'test' user credentials: nova boot test-vm --image ... --flavor ...
3. make a new image: nova image-create <test-vm-id> mysnap
4. check that the new image is available: nova image-list

Problem: user cannot see its own snapshot with nova image-list, and cannot start it with 'nova boot'.

Workaround:
File '/usr/share/pyshared/nova/image/service.py' (change 'project_id' to 'owner_id'):

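    @staticmethod
    def _is_image_available(context, image_meta):
        """Check image availability."""
        # (lines between the docstring and this check are not shown in the report)
        # The ownership tag is read from the image's properties.
        properties = image_meta['properties']

        if context.project_id and ('project_id' in properties):
            return str(properties['project_id']) == str(context.project_id)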

Valeriy Belavin (vvbelavin) wrote :

Snapshot is visible by 'glance show' command, here is an example:

Id: 5
Public: No
Name: snap1
Status: active
Size: 25165824
Disk format: raw
Container format: ovf
Minimum Ram Required (MB): 0
Minimum Disk Required (GB): 0
Property 'kernel_id': 1
Property 'image_location': snapshot
Property 'image_state': available
Property 'ramdisk_id': 2
Property 'owner_id': valeriy-project
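
The mismatch described in this report, as an added example that is not part of the original report or of nova's code: a simplified model of a per-project visibility filter, run over constructed metadata shaped like the 'glance show' output above. The names is_image_available, visible_images and owner_keys, the fail-closed fallback and the sample images are assumptions for illustration.

```python
# Added illustration: a simplified model of a per-project image visibility
# filter. It is not nova's code; all names below are hypothetical.

def is_image_available(project_id, image_meta, owner_keys=("project_id",)):
    """Return True if the image is public or tagged as owned by project_id.

    owner_keys lists the property names the filter accepts as the owner tag.
    Fails closed: a private image carrying none of those keys is hidden.
    """
    if image_meta.get("is_public"):
        return True
    properties = image_meta.get("properties", {})
    for key in owner_keys:
        if key in properties:
            return str(properties[key]) == str(project_id)
    return False


def visible_images(project_id, images, owner_keys=("project_id",)):
    """Names of the images that project_id may list, in input order."""
    return [img["name"] for img in images
            if is_image_available(project_id, img, owner_keys)]


# Constructed sample metadata, modelled on the 'glance show' output above.
IMAGES = [
    {"name": "snap1", "is_public": False,
     "properties": {"owner_id": "valeriy-project", "image_state": "available"}},
    {"name": "other-snap", "is_public": False,
     "properties": {"owner_id": "someone-else"}},
    {"name": "base-image", "is_public": True, "properties": {}},
]

if __name__ == "__main__":
    # Filter reads only 'project_id': the owner's own snapshot is hidden.
    print(visible_images("valeriy-project", IMAGES))
    # Filter reads 'owner_id', as in the workaround: the snapshot is listed,
    # while another project's private snapshot still is not.
    print(visible_images("valeriy-project", IMAGES, ("owner_id",)))
```

A filter that reads a different property key than the one the snapshot writer sets hides the image from its owner; it does not expose it to other projects, because the model denies when no recognised owner tag is present.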

Brian Waldon (bcwaldon) wrote :

Is this still valid? And are you using keystone?

Changed in nova:
status: New → Incomplete
Valeriy Belavin (vvbelavin) wrote :

Valid. Not using Keystone.

Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → Medium
status: Incomplete → Confirmed
Yaguang Tang (heut2008)
Changed in nova:
status: Confirmed → Fix Committed
Thierry Carrez (ttx) wrote :

@Yaguang Tang: could you explain why you think this is Fix Committed? Any particular commit fixing this? Or you verified it's no longer happening?

Changed in nova:
status: Fix Committed → Incomplete
Nathanael Burton (mathrock) wrote :

@Thierry, I believe @Yaguang is correct. This should already be fixed here: https://github.com/openstack/nova/blob/master/nova/image/glance.py#L362. This is actually a duplicate of bug 863305.
