When service catalog does not include tenant_id in token validation response, users cannot upload images to glance
Bug #927870 reported by Gabe Westmaas
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Invalid | Undecided | Unassigned |
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |
Bug Description
While tenant_id *can* be included in the validate token response according to the , it does not need to be. In the case where it isn't, glance cannot identify the tenant and so cannot set the owner correctly, and image upload fails.
I believe this is by design -- **unless** a global (tenant-less) administrative role is provided -- if no tenant ID is included in the validation response, that's because the token is not scoped to a tenant, and should not be authorized to act upon a tenant. In that case, the user needs to authenticate with keystone for a specific tenant, receive a scoped token, and provide *that* token to glance.
However, if glance is failing to authorize a global admin role, I believe that's a bug in glance, although I'm not sure how it should be resolved.
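The three cases discussed in this thread (tenant-scoped token, tenant-less token with a global admin role, tenant-less token without one), shown as an added example that is not part of the bug report and is not glance or keystone code. The response layout, the role name `admin`, and the choice to give a tenant-less admin no owner are assumptions made for illustration.

```python
"""Added illustration: derive an owner from a token-validation response, failing closed."""

# Assumption: a global (tenant-less) administrative role is identified by this name.
GLOBAL_ADMIN_ROLE = "admin"


class UnscopedTokenError(Exception):
    """Token has no tenant and no global admin role; caller must obtain a scoped token."""


def context_from_validation(body):
    """Return {'owner', 'is_admin'} for a validated token, or raise UnscopedTokenError.

    `body` is assumed to have the shape of the constructed samples below.
    """
    access = body.get("access", {})
    tenant = access.get("token", {}).get("tenant") or {}
    tenant_id = tenant.get("id")
    roles = {r.get("name") for r in access.get("user", {}).get("roles", [])}
    is_admin = GLOBAL_ADMIN_ROLE in roles

    if tenant_id:
        # Scoped token: the tenant becomes the owner of anything created.
        return {"owner": tenant_id, "is_admin": is_admin}
    if is_admin:
        # Tenant-less admin: authorized, but there is no tenant to record as owner.
        return {"owner": None, "is_admin": True}
    # Unscoped, non-admin token: not authorized to act on any tenant.
    raise UnscopedTokenError("token is not scoped to a tenant; request a scoped token")


# Constructed sample responses (not captured from a real deployment).
SCOPED = {"access": {"token": {"id": "t1", "tenant": {"id": "tenant-a"}},
                     "user": {"id": "u1", "roles": [{"name": "member"}]}}}
UNSCOPED = {"access": {"token": {"id": "t2"},
                       "user": {"id": "u1", "roles": []}}}
UNSCOPED_ADMIN = {"access": {"token": {"id": "t3"},
                             "user": {"id": "u2", "roles": [{"name": "admin"}]}}}

if __name__ == "__main__":
    samples = [("scoped", SCOPED), ("unscoped admin", UNSCOPED_ADMIN), ("unscoped", UNSCOPED)]
    for name, body in samples:
        try:
            print(name, context_from_validation(body))
        except UnscopedTokenError as exc:
            print(name, "rejected:", exc)
```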