[Bug 1864203] Re: 'image add project' fails to find project for non-admin user
Roger Luethi
1864203 at bugs.launchpad.net
Thu Jul 23 05:13:56 UTC 2020
This may have been fixed already by this commit:
https://opendev.org/openstack/osc-
lib/commit/1ff3720daefd98a77557e5692fd7052b5930ae6c
Revert "Add error message when occurrence Forbidden error"
This reverts commit 3c0559def3.
This patch is breaking the Glance image share function.
Change-Id: Ic380b4fdeb334b70be39fcf07670902c0bc89dd9
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-openstackclient in Ubuntu.
https://bugs.launchpad.net/bugs/1864203
Title:
'image add project' fails to find project for non-admin user
Status in python-openstackclient package in Ubuntu:
Confirmed
Bug description:
while validating a openstack-ansible deployed 'train' cloud I noticed
that image sharing no longer works for non-admin users
as a non-admin user create an image:
$ openstack image create --file ~/iso/cirros-0.4.0-x86_64-disk.img --disk-format qcow2 my_image
...
| id | 5be301ee-aa4a-4365-a338-212af1e49321 |
...
share it with project with UUID 31cd824bad4e46a8b4faa02516c2b786:
$ openstack image add project 5be301ee-aa4a-4365-a338-212af1e49321 31cd824bad4e46a8b4faa02516c2b786
You are not authorized to find project with the name '31cd824bad4e46a8b4faa02516c2b786'.
extract from client debug mode:
RESP BODY: {"error":{"code":403,"message":"You are not authorized to
perform the requested action:
identity:get_project.","title":"Forbidden"}}
GET call to identity for https://KEYSTONE_EXT_ENDPOINT:5000/v3/projects/31cd824bad4e46a8b4faa02516c2b786 used request id req-be17950b-2f35-4e15-8032-7e9b3645ef34
Request returned failure status: 403
REQ: curl -g -i -X GET https://KEYSTONE_EXT_ENDPOINT:5000/v3/projects?name=31cd824bad4e46a8b4faa02516c2b786 -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}931765129b0b2ad132c3d606c437b6c0dca839b560f1eecfcfadd2163c2f3423"
Resetting dropped connection: KEYSTONE_EXT_ENDPOINT
https://KEYSTONE_EXT_ENDPOINT:5000 "GET /v3/projects?name=31cd824bad4e46a8b4faa02516c2b786 HTTP/1.1" 403 135
RESP: [403] Connection: close Content-Length: 135 Content-Type: application/json Date: Fri, 21 Feb 2020 12:43:17 GMT Server: nginx/1.14.0 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-a64e45d8-1777-4f35-93c9-34e70c181330
RESP BODY: {"error":{"code":403,"message":"You are not authorized to perform the requested action: identity:list_projects.","title":"Forbidden"}}
GET call to identity for https://KEYSTONE_EXT_ENDPOINT:5000/v3/projects?name=31cd824bad4e46a8b4faa02516c2b786 used request id req-a64e45d8-1777-4f35-93c9-34e70c181330
Request returned failure status: 403
You are not authorized to find project with the name '31cd824bad4e46a8b4faa02516c2b786'.
This was of course correctly rejected by keystone.
The same request does succeed if run by an admin user.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-openstackclient/+bug/1864203/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list