swift_store_admin_tenants not working as expected

Bug #1109089 reported by Stuart McLaren
This bug affects 1 person
Affects   Status         Importance   Assigned to      Milestone
Glance    Fix Released   High         Stuart McLaren
Grizzly   Fix Released   High         Stuart McLaren

Bug Description

When using a 'multi-tenant' swift backing store "swift_store_admin_tenants" doesn't
seem to work as expected.

E.g. if I set the following in glance-api.conf:

swift_store_admin_tenants = 0e041755ac31411ba7ac0c8393bf51f9

The swift object doesn't have any read ACLs:

$ swift --os-password hpinvent --os-tenant-name service --os-username glance --os-auth-url http://localhost:35357/v2.0 stat glance_4120f65b-834a-4c02-bc79-b29fc3bf3276
  Account: AUTH_0e041755ac31411ba7ac0c8393bf51f9
Container: glance_4120f65b-834a-4c02-bc79-b29fc3bf3276
  Objects: 1
    Bytes: 731
 Read ACL:
Write ACL:
  Sync To:
 Sync Key:
Accept-Ranges: bytes
X-Timestamp: 1359477967.70988
X-Trans-Id: tx554851fcc75b4d7aad7ff972f3fbbeec
Content-Type: text/plain; charset=utf-8

It looks like a possible indentation error in glance/api/v1/controller.py

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

A patch like this:

sam:glance$ git diff
diff --git a/glance/api/v1/controller.py b/glance/api/v1/controller.py
index 2234303..8b74e5d 100644
--- a/glance/api/v1/controller.py
+++ b/glance/api/v1/controller.py
@@ -76,9 +76,9 @@ class BaseController(object):
                             write_tenants.append(member['member_id'])
                         else:
                             read_tenants.append(member['member_id'])
- store.set_acls(req.context, location_uri, public=public,
- read_tenants=read_tenants,
- write_tenants=write_tenants)
+ store.set_acls(req.context, location_uri, public=public,
+ read_tenants=read_tenants,
+ write_tenants=write_tenants)
             except exception.UnknownScheme:
                 msg = _("Store for image_id not found: %s") % image_id
                 raise webob.exc.HTTPBadRequest(explanation=msg,
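Review bot: the store.set_acls(...) call at the end of this hunk changes only in its indentation, so its position relative to the preceding if/else is the entire fix, and nothing in the diff tests that position. Add a v1 API test that sets swift_store_admin_tenants and asserts set_acls is called with the expected read_tenants and write_tenants, so a later re-indent cannot silently skip the ACL update again. A short comment above the call noting that it must run after the member lists are built would also help.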

which is consistent with the v2 equivalent, makes the ACLs appear:

$ swift --os-password hpinvent --os-tenant-name service --os-username glance --os-auth-url http://localhost:35357/v2.0 stat glance_44e4144b-4345-4875-9a5c-de25495914e1
  Account: AUTH_0e041755ac31411ba7ac0c8393bf51f9
Container: glance_44e4144b-4345-4875-9a5c-de25495914e1
  Objects: 1
    Bytes: 731
 Read ACL: .r:* <<<<
Write ACL: 0e041755ac31411ba7ac0c8393bf51f9 <<<<<
  Sync To:
 Sync Key:
Accept-Ranges: bytes
X-Timestamp: 1359479432.37732
X-Trans-Id: txe055679ebbe546419e0a1bf4471de43d
Content-Type: text/plain; charset=utf-8

Changed in glance:
assignee: nobody → Stuart McLaren (stuart-mclaren)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/20718

Changed in glance:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/20718
Committed: http://github.com/openstack/glance/commit/1b5409341099c869607d02e874d0476b4c959c42
Submitter: Jenkins
Branch: master

commit 1b5409341099c869607d02e874d0476b4c959c42
Author: Stuart McLaren <email address hidden>
Date: Tue Jan 29 16:46:46 2013 +0000

    Ensure swift_store_admin_tenants ACLs are set

    When using the V1 api ensure that admin tenant ACLs are set
    correctly on the relevant swift container.

    Fixes bug 1109089.

    Change-Id: I275e8aa7d2f02859c0d9ddbf373a0ae51e81e53d

Changed in glance:
status: In Progress → Fix Committed
Dan Prince (dan-prince)
Changed in glance:
importance: Undecided → High
Thierry Carrez (ttx)
Changed in glance:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Revision history for this message
Nassim Babaci (nassim-babaci) wrote :

Hi,

I also see wrong behaviour when using the admin_tenants list, but the problem doesn't seem to have the same root cause.
I'm testing on icehouse (git >> 2c4bd695652a628758eb56cb36394940a855d696)

Here is how to reproduce:
http://paste.openstack.org/show/61570/

I have two problems here:
* The admin tenant list seems to be applied to only the write ACL.
* Whatever the value of the admin_tenants list, the string ":*" is added to the list, which will result in a bad format of the ACL string. Swift accepts this string format but will end up with an error when the container is accessed by glance, making the image unusable in some cases.

I checked the code and we can easily see the problem here, in glance.store.swift:
  http://paste.openstack.org/show/61574/
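
Added example (not part of the bug report or of Glance's code): a small audit of `swift stat` container output that reports whether each admin tenant appears in the Read and Write ACLs, and flags elements with an empty tenant part such as the ":*" described in the comment above. The sample outputs are constructed from the ones quoted in this report, and treating ":*" as malformed is an assumption based on that comment.

```python
"""Audit `swift stat` container output for the ACLs discussed in this bug."""
ADMIN_TENANT = "0e041755ac31411ba7ac0c8393bf51f9"  # tenant id from the report

# Constructed samples modelled on the `swift stat` outputs quoted in the report.
STAT_BEFORE = """\
Container: glance_4120f65b-834a-4c02-bc79-b29fc3bf3276
 Read ACL:
Write ACL:
"""
STAT_AFTER = """\
Container: glance_44e4144b-4345-4875-9a5c-de25495914e1
 Read ACL: .r:*
Write ACL: 0e041755ac31411ba7ac0c8393bf51f9
"""
STAT_BAD = """\
Container: glance_constructed-example
 Read ACL: :*
Write ACL: 0e041755ac31411ba7ac0c8393bf51f9:*,:*
"""


def parse_stat(text):
    """Return {field: value} from the 'Field: value' lines of `swift stat`."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit(stat_text, admin_tenants):
    """Per ACL field: admin tenants not granted, public flag, malformed items."""
    fields = parse_stat(stat_text)
    report = {}
    for name in ("Read ACL", "Write ACL"):
        elems = [e.strip() for e in fields.get(name, "").split(",") if e.strip()]
        # 'tenant', 'tenant:*' and 'tenant:user' all name the tenant first;
        # elements starting with '.' are referrer rules such as '.r:*'.
        granted = {e.split(":", 1)[0] for e in elems if not e.startswith(".")}
        report[name] = {
            "missing": sorted(set(admin_tenants) - granted),
            "public": ".r:*" in elems,
            "malformed": [e for e in elems if e.startswith(":")],
        }
    return report


if __name__ == "__main__":
    for label, sample in (("before", STAT_BEFORE), ("after", STAT_AFTER), ("bad", STAT_BAD)):
        print(label, audit(sample, [ADMIN_TENANT]))
```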

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/67875
