Glance Image Visibility Issue? - Non admin users can see private images from other tenants


Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]

All,

I'm seeing unexpected behavior in our Queens environment related to Glance image visibility. Specifically, users who, based on my understanding of the visibility and ownership fields, should NOT be able to see or view the image.

If I create a new image with openstack image create and specify --project <tenant> and --private, a non-admin user in a different tenant can see and boot that image.

That seems to be the opposite of what should happen. Any ideas?

Mike Moore, M.S.S.E.
Systems Engineer, Goddard Private Cloud
GITISS Contract
Business Integra Inc.
NASA Goddard Space Flight Center
[hidden email]
www.BusinessIntegra.com

Hydrogen fusion brightens my day.



_______________________________________________
OpenStack-operators mailing list
[hidden email]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

iain MacDonnell-2


On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
INTEGRA, INC.] wrote:

> I’m seeing unexpected behavior in our Queens environment related to
> Glance image visibility. Specifically users who, based on my
> understanding of the visibility and ownership fields, should NOT be able
> to see or view the image.
>
> If I create a new image with openstack image create and specify --project
> <tenant> and --private a non-admin user in a different tenant can see and
> boot that image.
>
> That seems to be the opposite of what should happen. Any ideas?

Yep, something's not right there.

Are you sure that the user that can see the image doesn't have the admin
role (for the project in its keystone token) ?

Did you verify that the image's owner is what you intended, and that the
visibility really is "private" ?

     ~iain


Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]
Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.

In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.

Mike Moore, M.S.S.E.
Systems Engineer, Goddard Private Cloud
[hidden email]

Hydrogen fusion brightens my day.




Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]
I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.



Mike Moore, M.S.S.E.
Systems Engineer, Goddard Private Cloud
[hidden email]

Hydrogen fusion brightens my day.




Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Chris Apsey
Do you have a liberal/custom policy.json that perhaps is causing unexpected
behavior?  Can't seem to reproduce this.


Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

iain MacDonnell-2
In reply to this post by Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]

I suspect that your non-admin user is not really non-admin. How did you
create it?

What you have for "context_is_admin" in glance's policy.json ?

     ~iain




Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]
openstack user create --domain default --password xxxxxxxx --project-domain ndc --project test mike

openstack role add --user mike --user-domain default --project test user

My admin account is in the NDC domain with a different username.

/etc/glance/policy.json
{

"context_is_admin":  "role:admin",
"default": "role:admin",

<snip>

I'm not terribly familiar with the policies, but I feel like that default line is making everyone an admin by default?


Mike Moore, M.S.S.E.
Systems Engineer, Goddard Private Cloud
[hidden email]

Hydrogen fusion brightens my day.



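The question above is what "context_is_admin" and "default" in glance's policy.json actually decide. The following is an added example, not code from Glance, oslo.policy or anyone in this thread: a small evaluator for a subset of the oslo.policy rule language, run against a constructed policy excerpt modelled on the default Glance policy.json of the Pike/Queens era (the POLICY dict, the action names tried and the role lists are assumptions for the demonstration, not the poster's file). It shows that "default": "role:admin" only governs actions that have no entry of their own, and that a token carrying just the "user" role is not admin under "context_is_admin": "role:admin".

```python
"""Minimal evaluator for policy.json rule strings (added example, not oslo.policy).
Supported subset: "role:<name>", "rule:<name>", "<cred>:%(<target_field>)s",
"@" (always allow), "!" (always deny), "" (always allow), and "and" / "or"
("and" binds tighter). Parentheses and "not" are not supported.
"""


def _check_atom(atom, policy, roles, creds, target):
    """Evaluate one atom such as role:admin or project_id:%(owner)s."""
    atom = atom.strip()
    if atom in ("", "@"):
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":  # reference to another named rule in the same file
        return evaluate(policy.get(value, policy["default"]), policy, roles, creds, target)
    if value.startswith("%(") and value.endswith(")s"):  # compare a credential to a target field
        return creds.get(kind) == target.get(value[2:-2])
    return str(creds.get(kind)) == value


def evaluate(rule, policy, roles, creds=None, target=None):
    """'or' has the lowest precedence and 'and' binds tighter, as in oslo.policy."""
    creds = creds or {}
    target = target or {}
    return any(
        all(_check_atom(atom, policy, roles, creds, target) for atom in clause.split(" and "))
        for clause in rule.split(" or ")
    )


def is_admin(policy, roles):
    """Glance's request context evaluates context_is_admin against the token's roles."""
    return evaluate(policy["context_is_admin"], policy, roles)


def enforce(policy, action, roles, creds=None, target=None):
    """An action with no entry in the file falls back to the "default" rule."""
    rule = policy.get(action, policy["default"])
    return evaluate(rule, policy, roles, creds, target)


# Constructed excerpt modelled on the default Glance policy.json (Pike/Queens era).
POLICY = {
    "context_is_admin": "role:admin",
    "default": "role:admin",
    "add_image": "",
    "get_image": "",
    "get_images": "",
    "modify_image": "",
    "publicize_image": "role:admin",
}


if __name__ == "__main__":
    for roles in (["user"], ["admin"]):
        print(roles, "is_admin:", is_admin(POLICY, roles))
        for action in ("get_images", "publicize_image", "not_in_file"):
            print("  ", action, "->", "allow" if enforce(POLICY, action, roles) else "deny")
```

Run as-is it prints, for the "user" role, allow for get_images, deny for publicize_image and deny for the action that is not in the file; with the "admin" role all three are allowed. The same evaluator can be pointed at a real policy.json (json.load it into POLICY) to check what a given role set is allowed to do before trusting a "non-admin" test account.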

Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

iain MacDonnell-2

That all looks fine.

I believe that the "default" policy applies in place of any that's not
explicitly specified - i.e. "if there's no matching policy below, you
need to have the admin role to be able to do it". I do have that line in
my policy.json, and I cannot reproduce your problem (see below).

I'm not using domains (other than "default"). I wonder if that's a factor...

     ~iain


$ openstack user create --password foo user1
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | d18c0031ec56430499a2d690cb1f125c |
| name                | user1                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
$ openstack user create --password foo user2
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | be9f1061a5104abd834eabe98dff055d |
| name                | user2                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
$ openstack project create project1
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 826876d6d3724018bae6253c7f540cb3 |
| is_domain   | False                            |
| name        | project1                         |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
$ openstack project create project2
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | b446b93ac6e24d538c1943acbdd13cb2 |
| is_domain   | False                            |
| name        | project2                         |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
$ openstack role add --user user1 --project project1 _member_
$ openstack role add --user user2 --project project2 _member_
$ export OS_PASSWORD=foo
$ export OS_USERNAME=user1
$ export OS_PROJECT_NAME=project1
$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
+--------------------------------------+--------+--------+
$ openstack image create --private image1
+------------------+------------------------------------------------------------------------------+
| Field            | Value                                                                        |
+------------------+------------------------------------------------------------------------------+
| checksum         | None                                                                         |
| container_format | bare                                                                         |
| created_at       | 2018-10-18T22:17:41Z                                                         |
| disk_format      | raw                                                                          |
| file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
| id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
| min_disk         | 0                                                                            |
| min_ram          | 0                                                                            |
| name             | image1                                                                       |
| owner            | 826876d6d3724018bae6253c7f540cb3                                             |
| properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
| protected        | False                                                                        |
| schema           | /v2/schemas/image                                                            |
| size             | None                                                                         |
| status           | queued                                                                       |
| tags             |                                                                              |
| updated_at       | 2018-10-18T22:17:41Z                                                         |
| virtual_size     | None                                                                         |
| visibility       | private                                                                      |
+------------------+------------------------------------------------------------------------------+
$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
| 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
+--------------------------------------+--------+--------+
$ export OS_USERNAME=user2
$ export OS_PROJECT_NAME=project2
$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
+--------------------------------------+--------+--------+
$ export OS_USERNAME=admin
$ export OS_PROJECT_NAME=admin
$ export OS_PASSWORD=xxx
$ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
$ export OS_USERNAME=user2
$ export OS_PROJECT_NAME=project2
$ export OS_PASSWORD=foo
$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
| 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
+--------------------------------------+--------+--------+
$



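The transcript above is the expected behaviour: the owning project sees its private image, another project does not, and the other project sees it only once an admin has made it public. As an added example (not Glance's own code), the following models the visibility filter Glance applies when a project lists images and replays those three steps. The modelled rules are the Glance visibility values in use since Ocata: public and community are visible to every project, shared to the owner plus the image's member projects, private to the owner only, and an admin context (one where context_is_admin evaluated true) sees everything. The project and image ids are the ones in the transcript; the cirros owner is a constructed placeholder, and the member list is an assumption used only to exercise the shared case.

```python
"""Simplified model of Glance's image visibility filter (added example, not Glance code)."""
from dataclasses import dataclass, field


@dataclass
class Image:
    id: str
    name: str
    owner: str                 # owning project id
    visibility: str            # public | community | shared | private
    members: set = field(default_factory=set)  # member project ids (shared images only)


@dataclass
class Context:
    project_id: str
    is_admin: bool = False     # result of evaluating context_is_admin on the token


def why_visible(image, ctx):
    """Return the reason an image is visible to this context, or None if hidden.
    Handy when debugging 'why can this tenant see that image?'"""
    if ctx.is_admin:
        return "admin context"
    if image.visibility in ("public", "community"):
        return f"{image.visibility} visibility"
    if image.owner == ctx.project_id:
        return "owner"
    if image.visibility == "shared" and ctx.project_id in image.members:
        return "member of shared image"
    return None  # private (or shared without membership) and not the owner


def list_images(images, ctx):
    """Names of the images the context would get back from 'openstack image list'."""
    return [img.name for img in images if why_visible(img, ctx) is not None]


def run_transcript():
    """Replay the three listings from the transcript and return what each saw."""
    project1 = "826876d6d3724018bae6253c7f540cb3"   # id of project1 in the transcript
    project2 = "b446b93ac6e24d538c1943acbdd13cb2"   # id of project2 in the transcript
    admin_project = "ADMIN_PROJECT_ID_PLACEHOLDER"   # constructed; not shown on the page
    cirros = Image("ad497523-b497-4500-8e6c-b5fb12a30cee", "cirros", admin_project, "public")
    image1 = Image("6a0c1928-b79c-4dbf-a9c9-305b599056e4", "image1", project1, "private")
    images = [cirros, image1]

    user1, user2 = Context(project1), Context(project2)
    result = {
        "user1_before": list_images(images, user1),
        "user2_before": list_images(images, user2),
    }
    # "openstack image set --public <id>" run with an admin token
    image1.visibility = "public"
    result["user2_after"] = list_images(images, user2)
    return result


if __name__ == "__main__":
    for step, names in run_transcript().items():
        print(step, names)
```

If a real deployment shows a private image to a project that is neither owner nor admin, none of these branches explains it, which is why the earlier questions in this thread about the test user's roles and the owner/visibility stored for the image are the right first checks.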

Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Chris Apsey
We are using multiple keystone domains - still can't reproduce this.

Do you happen to have a customized keystone policy.json?

Worst case, I would launch a devstack of your targeted release. If you
can't reproduce the issue there, you would at least know it's caused by a
nonstandard config rather than a bug (or at least not a bug that's present
when using a default config).

>     |
> | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4
>                          |
> | min_disk         | 0
>                          |
> | min_ram          | 0
>                          |
> | name             | image1
>                          |
> | owner            | 826876d6d3724018bae6253c7f540cb3
>                          |
> | properties       | locations='[]', os_hash_algo='None',
> os_hash_value='None', os_hidden='False' |
> | protected        | False
>                          |
> | schema           | /v2/schemas/image
>                          |
> | size             | None
>                          |
> | status           | queued
>                          |
> | tags             |
>                          |
> | updated_at       | 2018-10-18T22:17:41Z
>                          |
> | virtual_size     | None
>                          |
> | visibility       | private
>                          |
> +------------------+------------------------------------------------------------------------------+
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> +--------------------------------------+--------+--------+
> $ export OS_USERNAME=user2
> $ export OS_PROJECT_NAME=project2
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> +--------------------------------------+--------+--------+
> $ export OS_USERNAME=admin
> $ export OS_PROJECT_NAME=admin
> $ export OS_PASSWORD=xxx
> $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> $ export OS_USERNAME=user2
> $ export OS_PROJECT_NAME=project2
> $ export OS_PASSWORD=foo
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> +--------------------------------------+--------+--------+
> $
>
>
> On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.] wrote:
>> openstack user create --domain default --password xxxxxxxx --project-domain
>> ndc --project test mike
>>
>>
>> openstack role add --user mike --user-domain default --project test user
>>
>> my admin account is in the NDC domain with a different username.
>>
>>
>>
>> /etc/glance/policy.json
>> {
>>
>> "context_is_admin":  "role:admin",
>> "default": "role:admin",
>>
>> <snip>
>>
>>
>> I'm not terribly familiar with the policies but I feel like that default
>> line is making everyone an admin by default?
>>
>>
>> Mike Moore, M.S.S.E.
>>
>> Systems Engineer, Goddard Private Cloud
>> [hidden email]
>>
>> Hydrogen fusion brightens my day.
>>
>>
>> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
>>
>>
>> I suspect that your non-admin user is not really non-admin. How did you
>> create it?
>>
>> What you have for "context_is_admin" in glance's policy.json ?
>>
>>  ~iain
>>
>>
>> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>> INTEGRA, INC.] wrote:
>>> I have replicated this unexpected behavior in a Pike test environment, in
>>> addition to our Queens environment.
>>>
>>>
>>>
>>> Mike Moore, M.S.S.E.
>>>
>>> Systems Engineer, Goddard Private Cloud
>>> [hidden email]
>>>
>>> Hydrogen fusion brightens my day.
>>>
>>>
>>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
>>> INC.]" <[hidden email]> wrote:
>>>
>>>    Yes. I verified it by creating a non-admin user in a different tenant. I
>>>    created a new image, set to private with the project defined as our admin
>>>    tenant.
>>>
>>>    In the database I can see that the image is 'private' and the owner is the
>>>    ID of the admin tenant.
>>>
>>>    Mike Moore, M.S.S.E.
>>>
>>>    Systems Engineer, Goddard Private Cloud
>>>    [hidden email]
>>>
>>>    Hydrogen fusion brightens my day.
>>>
>>>
>>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
>>>
>>>
>>>
>>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>>        INTEGRA, INC.] wrote:
>>>        > I’m seeing unexpected behavior in our Queens environment related to
>>>        > Glance image visibility. Specifically users who, based on my
>>>        > understanding of the visibility and ownership fields, should NOT be able
>>>        > to see or view the image.
>>>        >
>>>        > If I create a new image with openstack image create and specify –project
>>>        > <tenant> and –private a non-admin user in a different tenant can see and
>>>        > boot that image.
>>>        >
>>>        > That seems to be the opposite of what should happen. Any ideas?
>>>
>>>        Yep, something's not right there.
>>>
>>>        Are you sure that the user that can see the image doesn't have the admin
>>>        role (for the project in its keystone token) ?
>>>
>>>        Did you verify that the image's owner is what you intended, and that the
>>>        visibility really is "private" ?
>>>
>>>             ~iain
>>>
>

Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]
Our NDC domain is LDAP-backed. Default is not.

Our keystone policy.json file is empty: {}



Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
[hidden email]
 
Hydrogen fusion brightens my day.
 


Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]

For reference, here is our full glance policy.json


{
    "context_is_admin":  "role:admin",
    "default": "role:admin",

    "add_image": "",
    "delete_image": "",
    "get_image": "",
    "get_images": "",
    "modify_image": "",
    "publicize_image": "role:admin",
    "communitize_image": "",
    "copy_from": "",

    "download_image": "",
    "upload_image": "",

    "delete_image_location": "",
    "get_image_location": "",
    "set_image_location": "",

    "add_member": "",
    "delete_member": "",
    "get_member": "",
    "get_members": "",
    "modify_member": "",

    "manage_image_cache": "role:admin",

    "get_task": "",
    "get_tasks": "",
    "add_task": "",
    "modify_task": "",
    "tasks_api_access": "role:admin",

    "deactivate": "",
    "reactivate": "",

    "get_metadef_namespace": "",
    "get_metadef_namespaces":"",
    "modify_metadef_namespace":"",
    "add_metadef_namespace":"",

    "get_metadef_object":"",
    "get_metadef_objects":"",
    "modify_metadef_object":"",
    "add_metadef_object":"",

    "list_metadef_resource_types":"",
    "get_metadef_resource_type":"",
    "add_metadef_resource_type_association":"",

    "get_metadef_property":"",
    "get_metadef_properties":"",
    "modify_metadef_property":"",
    "add_metadef_property":"",

    "get_metadef_tag":"",
    "get_metadef_tags":"",
    "modify_metadef_tag":"",
    "add_metadef_tag":"",
    "add_metadef_tags":""

}


Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
[hidden email]
 
Hydrogen fusion brightens my day.
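The policy file above, evaluated the way iain describes it (an action with no rule of its own falls back to "default", while an explicit "" rule allows everyone) and then combined with the visibility check Glance applies when listing images. This is an added example, not Glance or oslo.policy code: the policy is abridged to the rules relevant to listing, the image ids are the ones from iain's session, and the admin and test project ids are labelled placeholders.

```python
"""Added example (not Glance or oslo.policy code): evaluate the posted glance
policy.json against a request context, then apply Glance's visibility rules."""
import json

# The policy file posted above, abridged to the rules relevant to listing.
POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "default": "role:admin",
    "get_image": "",
    "get_images": "",
    "publicize_image": "role:admin",
    "add_member": ""
}
"""


class Policy:
    """Minimal evaluator: "" and "@" allow everyone, "!" denies, plus "role:x",
    "rule:x" and "and"/"or" ("and" binds tighter). Unlisted actions use "default"."""

    def __init__(self, text):
        self.rules = json.loads(text)

    def enforce(self, action, creds):
        rule = self.rules.get(action)
        if rule is None:
            rule = self.rules.get("default", "!")  # unlisted action
        return self._eval(rule, creds, depth=0)

    def _eval(self, expr, creds, depth):
        if depth > 16:
            raise ValueError("rule: reference loop in policy")
        return any(
            all(self._atom(a, creds, depth) for a in clause.split(" and "))
            for clause in expr.split(" or ")
        )

    def _atom(self, atom, creds, depth):
        atom = atom.strip()
        if atom in ("", "@"):
            return True
        if atom == "!":
            return False
        kind, _, value = atom.partition(":")
        if kind == "role":
            return value in creds["roles"]
        if kind == "rule":
            return self._eval(self.rules.get(value, "!"), creds, depth + 1)
        raise ValueError("unsupported rule atom: %r" % atom)


def make_context(policy, project_id, roles):
    """Glance decides admin-ness by evaluating context_is_admin; a token that
    satisfies it sees every image regardless of owner or visibility."""
    creds = {"project_id": project_id, "roles": list(roles)}
    return {"project_id": project_id, "roles": list(roles),
            "is_admin": policy.enforce("context_is_admin", creds)}


def image_visible(ctx, image, members=()):
    """Queens-era check: admin sees all, the owner project sees its own,
    public/community are visible to everyone, shared only to members."""
    if ctx["is_admin"] or image["owner"] == ctx["project_id"]:
        return True
    if image["visibility"] in ("public", "community"):
        return True
    if image["visibility"] == "shared":
        return ctx["project_id"] in members
    return False  # private image owned by another project


# Images as in iain's session: cirros is listed by both non-admin users, so it
# is public; image1 is private and owned by project1. The admin and test
# project ids are constructed placeholders.
ADMIN_PROJECT = "ADMIN_PROJECT_ID_PLACEHOLDER"
TEST_PROJECT = "TEST_PROJECT_ID_PLACEHOLDER"
IMAGES = [
    {"id": "ad497523-b497-4500-8e6c-b5fb12a30cee", "name": "cirros",
     "visibility": "public", "owner": ADMIN_PROJECT},
    {"id": "6a0c1928-b79c-4dbf-a9c9-305b599056e4", "name": "image1",
     "visibility": "private", "owner": "826876d6d3724018bae6253c7f540cb3"},
]
POLICY = Policy(POLICY_JSON)


def diagnose(roles, project_id=TEST_PROJECT):
    """What this policy grants a token with these roles: admin-ness, listing,
    publicizing, an unlisted action (falls to "default") and visible images."""
    creds = {"project_id": project_id, "roles": list(roles)}
    ctx = make_context(POLICY, project_id, roles)
    return {
        "is_admin": ctx["is_admin"],
        "get_images": POLICY.enforce("get_images", creds),
        "publicize_image": POLICY.enforce("publicize_image", creds),
        "unlisted_action": POLICY.enforce("constructed_unlisted_action", creds),
        "visible": [i["id"] for i in IMAGES if image_visible(ctx, i)],
    }
```

Compare diagnose(["user"]) with diagnose(["admin"]): with this file a token carrying only the "user" role is not admin and sees only cirros, which is why the questions in the thread turn on what roles the user's token actually carries rather than on the policy text.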
 

On 10/19/18, 12:39 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]> wrote:

    Our NDC domain is LDAP backed. Default is not.
   
    Our keystone policy.json file is empty {}
   
   
   
    Mike Moore, M.S.S.E.
     
    Systems Engineer, Goddard Private Cloud
    [hidden email]
     
    Hydrogen fusion brightens my day.
     
   
    On 10/18/18, 7:24 PM, "Chris Apsey" <[hidden email]> wrote:
   
        We are using multiple keystone domains - still can't reproduce this.
       
        Do you happen to have a customized keystone policy.json?
       
        Worst case, I would launch a devstack of your targeted release.  If you
        can't reproduce the issue there, you would at least know its caused by a
        nonstandard config rather than a bug (or at least not a bug that's present
        when using a default config)
       
        On October 18, 2018 18:50:12 iain MacDonnell <[hidden email]>
        wrote:
       
        > That all looks fine.
        >
        > I believe that the "default" policy applies in place of any that's not
        > explicitly specified - i.e. "if there's no matching policy below, you
        > need to have the admin role to be able to do it". I do have that line in
        > my policy.json, and I cannot reproduce your problem (see below).
        >
        > I'm not using domains (other than "default"). I wonder if that's a factor...
        >
        >     ~iain
        >
        >
        > $ openstack user create --password foo user1
        > +---------------------+----------------------------------+
        > | Field               | Value                            |
        > +---------------------+----------------------------------+
        > | domain_id           | default                          |
        > | enabled             | True                             |
        > | id                  | d18c0031ec56430499a2d690cb1f125c |
        > | name                | user1                            |
        > | options             | {}                               |
        > | password_expires_at | None                             |
        > +---------------------+----------------------------------+
        > $ openstack user create --password foo user2
        > +---------------------+----------------------------------+
        > | Field               | Value                            |
        > +---------------------+----------------------------------+
        > | domain_id           | default                          |
        > | enabled             | True                             |
        > | id                  | be9f1061a5104abd834eabe98dff055d |
        > | name                | user2                            |
        > | options             | {}                               |
        > | password_expires_at | None                             |
        > +---------------------+----------------------------------+
        > $ openstack project create project1
        > +-------------+----------------------------------+
        > | Field       | Value                            |
        > +-------------+----------------------------------+
        > | description |                                  |
        > | domain_id   | default                          |
        > | enabled     | True                             |
        > | id          | 826876d6d3724018bae6253c7f540cb3 |
        > | is_domain   | False                            |
        > | name        | project1                         |
        > | parent_id   | default                          |
        > | tags        | []                               |
        > +-------------+----------------------------------+
        > $ openstack project create project2
        > +-------------+----------------------------------+
        > | Field       | Value                            |
        > +-------------+----------------------------------+
        > | description |                                  |
        > | domain_id   | default                          |
        > | enabled     | True                             |
        > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
        > | is_domain   | False                            |
        > | name        | project2                         |
        > | parent_id   | default                          |
        > | tags        | []                               |
        > +-------------+----------------------------------+
        > $ openstack role add --user user1 --project project1 _member_
        > $ openstack role add --user user2 --project project2 _member_
        > $ export OS_PASSWORD=foo
        > $ export OS_USERNAME=user1
        > $ export OS_PROJECT_NAME=project1
        > $ openstack image list
        > +--------------------------------------+--------+--------+
        > | ID                                   | Name   | Status |
        > +--------------------------------------+--------+--------+
        > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
        > +--------------------------------------+--------+--------+
        > $ openstack image create --private image1
        > +------------------+------------------------------------------------------------------------------+
        > | Field            | Value
        >                          |
        > +------------------+------------------------------------------------------------------------------+
        > | checksum         | None
        >                          |
        > | container_format | bare
        >                          |
        > | created_at       | 2018-10-18T22:17:41Z
        >                          |
        > | disk_format      | raw
        >                          |
        > | file             |
        > /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file
        >     |
        > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4
        >                          |
        > | min_disk         | 0
        >                          |
        > | min_ram          | 0
        >                          |
        > | name             | image1
        >                          |
        > | owner            | 826876d6d3724018bae6253c7f540cb3
        >                          |
        > | properties       | locations='[]', os_hash_algo='None',
        > os_hash_value='None', os_hidden='False' |
        > | protected        | False
        >                          |
        > | schema           | /v2/schemas/image
        >                          |
        > | size             | None
        >                          |
        > | status           | queued
        >                          |
        > | tags             |
        >                          |
        > | updated_at       | 2018-10-18T22:17:41Z
        >                          |
        > | virtual_size     | None
        >                          |
        > | visibility       | private
        >                          |
        > +------------------+------------------------------------------------------------------------------+
        > $ openstack image list
        > +--------------------------------------+--------+--------+
        > | ID                                   | Name   | Status |
        > +--------------------------------------+--------+--------+
        > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
        > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
        > +--------------------------------------+--------+--------+
        > $ export OS_USERNAME=user2
        > $ export OS_PROJECT_NAME=project2
        > $ openstack image list
        > +--------------------------------------+--------+--------+
        > | ID                                   | Name   | Status |
        > +--------------------------------------+--------+--------+
        > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
        > +--------------------------------------+--------+--------+
        > $ export OS_USERNAME=admin
        > $ export OS_PROJECT_NAME=admin
        > $ export OS_PASSWORD=xxx
        > $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
        > $ export OS_USERNAME=user2
        > $ export OS_PROJECT_NAME=project2
        > $ export OS_PASSWORD=foo
        > $ openstack image list
        > +--------------------------------------+--------+--------+
        > | ID                                   | Name   | Status |
        > +--------------------------------------+--------+--------+
        > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
        > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
        > +--------------------------------------+--------+--------+
        > $
        >
        >
        > On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
        > INTEGRA, INC.] wrote:
        >> openstack user create --domain default --password xxxxxxxx --project-domain
        >> ndc --project test mike
        >>
        >>
        >> openstack role add --user mike --user-domain default --project test user
        >>
        >> my admin account is in the NDC domain with a different username.
        >>
        >>
        >>
        >> /etc/glance/policy.json
        >> {
        >>
        >> "context_is_admin":  "role:admin",
        >> "default": "role:admin",
        >>
        >> <snip>
        >>
        >>
        >> I'm not terribly familiar with the policies but I feel like that default
        >> line is making everyone an admin by default?
        >>
        >>
        >> Mike Moore, M.S.S.E.
        >>
        >> Systems Engineer, Goddard Private Cloud
        >> [hidden email]
        >>
        >> Hydrogen fusion brightens my day.
        >>
        >>
        >> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
        >>
        >>
        >> I suspect that your non-admin user is not really non-admin. How did you
        >> create it?
        >>
        >> What do you have for "context_is_admin" in glance's policy.json?
        >>
        >>  ~iain
        >>
        >>
        >> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
        >> INTEGRA, INC.] wrote:
        >>> I have replicated this unexpected behavior in a Pike test environment, in
        >>> addition to our Queens environment.
        >>>
        >>>
        >>>
        >>> Mike Moore, M.S.S.E.
        >>>
        >>> Systems Engineer, Goddard Private Cloud
        >>> [hidden email]
        >>>
        >>> Hydrogen fusion brightens my day.
        >>>
        >>>
        >>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
        >>> INC.]" <[hidden email]> wrote:
        >>>
        >>>    Yes. I verified it by creating a non-admin user in a different tenant. I
        >>>    created a new image, set to private with the project defined as our admin
        >>>    tenant.
        >>>
        >>>    In the database I can see that the image is 'private' and the owner is the
        >>>    ID of the admin tenant.
        >>>
        >>>    Mike Moore, M.S.S.E.
        >>>
        >>>    Systems Engineer, Goddard Private Cloud
        >>>    [hidden email]
        >>>
        >>>    Hydrogen fusion brightens my day.
        >>>
        >>>
        >>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
        >>>
        >>>
        >>>
        >>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
        >>>        INTEGRA, INC.] wrote:
        >>>        > I’m seeing unexpected behavior in our Queens environment related to
        >>>        > Glance image visibility. Specifically users who, based on my
        >>>        > understanding of the visibility and ownership fields, should NOT be able
        >>>        > to see or view the image.
        >>>        >
        >>>        > If I create a new image with openstack image create and specify --project
        >>>        > <tenant> and --private a non-admin user in a different tenant can see and
        >>>        > boot that image.
        >>>        >
        >>>        > That seems to be the opposite of what should happen. Any ideas?
        >>>
        >>>        Yep, something's not right there.
        >>>
        >>>        Are you sure that the user that can see the image doesn't have the admin
        >>>        role (for the project in its keystone token) ?
        >>>
        >>>        Did you verify that the image's owner is what you intended, and that the
        >>>        visibility really is "private" ?
        >>>
        >>>             ~iain
        >>>
        >>>
        >>>
        >
       
       
       
       
   
   

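Mike's question in the exchange quoted above is whether the "default": "role:admin" line makes every user an admin, and Iain's transcript shows user2 in project2 not seeing user1's private image until an admin makes it public. The Python model below is an added example written for this thread, not Glance or oslo.policy code. It mimics three things the thread turns on: the "default" fallback (a rule name that is not listed explicitly is governed by the default entry), the "context_is_admin" check that decides who is treated as admin, and the owner/visibility filter an image list is expected to apply. The image records reuse the IDs from Iain's transcript; the owner of cirros, the project IDs used for Mike's "test" project and the admin project, the permissive empty values given to the real Glance targets get_images and get_image, and the restriction of the evaluator to role:<name> expressions are all assumptions.

```python
"""Toy model of the policy.json semantics discussed in this thread.

Added illustration, not Glance or oslo.policy code. It mimics how an
oslo.policy-style "default" rule only governs rule names that are not
listed explicitly, how "context_is_admin" decides who counts as admin,
and the visibility rule the thread expects from Glance: public images
for everyone, private images only for their owner, everything for an
admin. Image IDs come from Iain's transcript; the cirros owner and the
project IDs for Mike's "test" project and the admin project are assumed.
"""
import re

# Constructed policy fragment: the two lines Mike quoted from
# /etc/glance/policy.json, plus the two image-read targets a stock Glance
# policy file lists explicitly (their empty "allow everyone" values are
# assumed here).
POLICY = {
    "context_is_admin": "role:admin",
    "default": "role:admin",
    "get_images": "",
    "get_image": "",
}

# Constructed image records (IDs from the thread; cirros owner assumed).
IMAGES = [
    {"id": "ad497523-b497-4500-8e6c-b5fb12a30cee", "name": "cirros",
     "owner": "admin-project-id", "visibility": "public"},
    {"id": "6a0c1928-b79c-4dbf-a9c9-305b599056e4", "name": "image1",
     "owner": "826876d6d3724018bae6253c7f540cb3", "visibility": "private"},
]


def check(policy, rule, roles):
    """Evaluate one rule of the simple "role:<name>" / "" flavour.

    A rule name that is not in the policy falls back to the "default"
    entry, which is the behaviour Iain describes: with
    "default": "role:admin", anything not listed needs the admin role.
    """
    expr = policy.get(rule, policy.get("default", "!"))
    if expr == "":      # empty expression: always allowed
        return True
    if expr == "!":     # "!": never allowed
        return False
    m = re.fullmatch(r"role:(\w+)", expr)
    if m is None:
        raise ValueError("toy evaluator only understands role:<name>, got %r" % expr)
    return m.group(1) in roles


def is_admin(policy, roles):
    """Admin status is whatever the context_is_admin rule says, nothing else."""
    return check(policy, "context_is_admin", roles)


def visible_images(images, project_id, roles, policy=POLICY):
    """Names of the images a caller should see in an image list."""
    if not check(policy, "get_images", roles):
        return []
    admin = is_admin(policy, roles)
    return [img["name"] for img in images
            if admin or img["visibility"] == "public" or img["owner"] == project_id]


def run_thread_scenario():
    """Replay Iain's experiment: user1 owns project1, user2 is in project2,
    Mike's user has only the "user" role in the (assumed) test project."""
    project1 = "826876d6d3724018bae6253c7f540cb3"
    project2 = "b446b93ac6e24d538c1943acbdd13cb2"
    before = {
        "user1": visible_images(IMAGES, project1, {"_member_"}),
        "user2": visible_images(IMAGES, project2, {"_member_"}),
        "mike": visible_images(IMAGES, "test-project-id", {"user"}),
        "admin": visible_images(IMAGES, "admin-project-id", {"admin"}),
    }
    # "openstack image set --public image1", as the admin did in the transcript
    flipped = [dict(img, visibility="public") if img["name"] == "image1" else img
               for img in IMAGES]
    after = {"user2": visible_images(flipped, project2, {"_member_"})}
    return before, after


if __name__ == "__main__":
    before, after = run_thread_scenario()
    for who, names in before.items():
        print("%-6s sees %s" % (who, names))
    print("user2 after image1 is made public:", after["user2"])
    # The "default" line only bites for rule names that are not listed:
    print("unlisted rule as _member_:", check(POLICY, "some_unlisted_rule", {"_member_"}))
    print("unlisted rule as admin:   ", check(POLICY, "some_unlisted_rule", {"admin"}))
```

Running it prints what each user sees before and after the image is made public; run_thread_scenario() returns the same lists so the outcome can be checked programmatically. The point of the last two prints is the one Iain makes: a "default" of role:admin does not grant anyone the admin role, it only requires that role for actions the file does not list.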

Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]
In reply to this post by Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]

We have submitted a bug for this

 

https://bugs.launchpad.net/glance/+bug/1799588

 

 

 

Mike Moore, M.S.S.E.

 

Systems Engineer, Goddard Private Cloud

[hidden email]

 

Hydrogen fusion brightens my day.

 

 

From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]>
Date: Saturday, October 20, 2018 at 7:22 PM
To: Logan Hicks <[hidden email]>, "[hidden email]" <[hidden email]>
Subject: Re: [Openstack-operators] OpenStack-operators Digest, Vol 96, Issue 7

 

 

 

 

The images exist and are bootable. I'm going to trace through the actual code for glance API. Any suggestions on where the show/hide logic is when it filters responses? I'm new to digging through OpenStack code.

 

 


From: Logan Hicks [[hidden email]]
Sent: Friday, October 19, 2018 8:00 PM
To: [hidden email]
Subject: Re: [Openstack-operators] OpenStack-operators Digest, Vol 96, Issue 7

Re: Glance Image Visibility Issue? - Non admin users can see
      private images from other tenants (Chris Apsey)

 

I noticed that the image says queued. If I'm not mistaken, an image can't have permissions applied until after the image is created, which might explain the issue he's seeing.

 

The object doesn't exist until it's made by openstack.

 

I'd check to see if something is holding up images being made. I'd start with glance.

 

 

 

Respectfully,

 

Logan Hicks

 

-------- Original message --------

Date: 10/19/18 7:49 PM (GMT-05:00)

Subject: OpenStack-operators Digest, Vol 96, Issue 7

 

Send OpenStack-operators mailing list submissions to
        [hidden email]

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

or, via email, send a message with subject or body 'help' to
        [hidden email]

You can reach the person managing the list at
        [hidden email]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of OpenStack-operators digest..."


Today's Topics:

   1. [nova] Removing the CachingScheduler (Matt Riedemann)
   2. Re: Glance Image Visibility Issue? - Non admin users can see
      private images from other tenants
      (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
   3. Re: Glance Image Visibility Issue? - Non admin users can see
      private images from other tenants (Chris Apsey)
   4. Re: Glance Image Visibility Issue? - Non admin users can see
      private images from other tenants (iain MacDonnell)
   5. Re: Glance Image Visibility Issue? - Non admin users can see
      private images from other tenants
      (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
   6. Re: Glance Image Visibility Issue? - Non admin users can see
      private images from other tenants (iain MacDonnell)
   7. Re: Glance Image Visibility Issue? - Non admin users can see
      private images from other tenants (Chris Apsey)
   8. osops-tools-monitoring Dependency problems (Tomáš Vondra)
   9. [heat][cinder] How to create stack snapshot including volumes
      (Christian Zunker)
  10. Fleio - OpenStack billing - ver. 1.1 released (Adrian Andreias)
  11. Re: [Openstack-sigs] [all] Naming the T release of OpenStack
      (Tony Breeds)
  12. Re: Glance Image Visibility Issue? - Non admin users can see
      private images from other tenants
      (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
  13. Re: Glance Image Visibility Issue? - Non admin users can see
      private images from other tenants
      (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
  14. Re: Fleio - OpenStack billing - ver. 1.1 released (Jay Pipes)
  15. Re: Fleio - OpenStack billing - ver. 1.1 released (Mohammed Naser)
  16. [Octavia] SSL errors polling amphorae and missing tenant
      network interface (Erik McCormick)
  17. Re: [Octavia] SSL errors polling amphorae and missing tenant
      network interface (Gaël THEROND)


----------------------------------------------------------------------

Message: 1
Date: Thu, 18 Oct 2018 17:07:00 -0500
From: Matt Riedemann <[hidden email]>
To: "[hidden email]"
        <[hidden email]>
Subject: [Openstack-operators] [nova] Removing the CachingScheduler
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=utf-8; format=flowed

It's been deprecated since Pike, and the time has come to remove it [1].

mgagne has been the most vocal CachingScheduler operator I know and he
has tested out the "nova-manage placement heal_allocations" CLI, added
in Rocky, and said it will work for migrating his deployment from the
CachingScheduler to the FilterScheduler + Placement.

If you are using the CachingScheduler and have a problem with its
removal, now is the time to speak up or forever hold your peace.

[1] https://review.openstack.org/#/c/611723/1

--

Thanks,

Matt



------------------------------

Message: 2
Date: Thu, 18 Oct 2018 22:11:40 +0000
From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
        <[hidden email]>
To: iain MacDonnell <[hidden email]>,
        "[hidden email]"
        <[hidden email]>
Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
        Non admin users can see private images from other tenants
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="utf-8"

I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.



Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
[hidden email]
 
Hydrogen fusion brightens my day.
 

On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]> wrote:

    Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
   
    In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
   
    Mike Moore, M.S.S.E.
    
    Systems Engineer, Goddard Private Cloud
    [hidden email]
    
    Hydrogen fusion brightens my day.
    
   
    On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
   
       
       
        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
        INTEGRA, INC.] wrote:
        > I’m seeing unexpected behavior in our Queens environment related to
        > Glance image visibility. Specifically users who, based on my
        > understanding of the visibility and ownership fields, should NOT be able
        > to see or view the image.
        >
        > If I create a new image with openstack image create and specify --project
        > <tenant> and --private a non-admin user in a different tenant can see and
        > boot that image.
        >
        > That seems to be the opposite of what should happen. Any ideas?
       
        Yep, something's not right there.
       
        Are you sure that the user that can see the image doesn't have the admin
        role (for the project in its keystone token) ?
       
        Did you verify that the image's owner is what you intended, and that the
        visibility really is "private" ?
       
             ~iain
       
       
   
   


------------------------------

Message: 3
Date: Thu, 18 Oct 2018 18:23:35 -0400
From: Chris Apsey <[hidden email]>
To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
        <[hidden email]>, iain MacDonnell
        <[hidden email]>,
        <[hidden email]>
Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
        Non admin users can see private images from other tenants
Message-ID:
        <[hidden email]>
Content-Type: text/plain; format=flowed; charset="UTF-8"

Do you have a liberal/custom policy.json that perhaps is causing unexpected
behavior?  Can't seem to reproduce this.

On October 18, 2018 18:13:22 "Moore, Michael Dane (GSFC-720.0)[BUSINESS
INTEGRA, INC.]" <[hidden email]> wrote:

> I have replicated this unexpected behavior in a Pike test environment, in
> addition to our Queens environment.
>
>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> [hidden email]
>
> Hydrogen fusion brightens my day.
>
>
> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
> INC.]" <[hidden email]> wrote:
>
>    Yes. I verified it by creating a non-admin user in a different tenant. I
>    created a new image, set to private with the project defined as our admin
>    tenant.
>
>    In the database I can see that the image is 'private' and the owner is the
>    ID of the admin tenant.
>
>    Mike Moore, M.S.S.E.
>
>    Systems Engineer, Goddard Private Cloud
>    [hidden email]
>
>    Hydrogen fusion brightens my day.
>
>
>    On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
>
>
>
>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>        INTEGRA, INC.] wrote:
>> I’m seeing unexpected behavior in our Queens environment related to
>> Glance image visibility. Specifically users who, based on my
>> understanding of the visibility and ownership fields, should NOT be able
>> to see or view the image.
>>
>> If I create a new image with openstack image create and specify --project
>> <tenant> and --private a non-admin user in a different tenant can see and
>> boot that image.
>>
>> That seems to be the opposite of what should happen. Any ideas?
>
>        Yep, something's not right there.
>
>        Are you sure that the user that can see the image doesn't have the admin
>        role (for the project in its keystone token) ?
>
>        Did you verify that the image's owner is what you intended, and that the
>        visibility really is "private" ?
>
>             ~iain
>
>
>
>
>






------------------------------

Message: 4
Date: Thu, 18 Oct 2018 15:25:22 -0700
From: iain MacDonnell <[hidden email]>
To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
        <[hidden email]>, "[hidden email]"
        <[hidden email]>
Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
        Non admin users can see private images from other tenants
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=utf-8; format=flowed


I suspect that your non-admin user is not really non-admin. How did you
create it?

What do you have for "context_is_admin" in glance's policy.json?

     ~iain


On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
INTEGRA, INC.] wrote:
> I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
>
>
>
> Mike Moore, M.S.S.E.
>  
> Systems Engineer, Goddard Private Cloud
> [hidden email]
>  
> Hydrogen fusion brightens my day.
>  
>
> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]> wrote:
>
>      Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
>     
>      In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
>     
>      Mike Moore, M.S.S.E.
>      
>      Systems Engineer, Goddard Private Cloud
>      [hidden email]
>      
>      Hydrogen fusion brightens my day.
>      
>     
>      On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
>     
>         
>         
>          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>          INTEGRA, INC.] wrote:
>          > I’m seeing unexpected behavior in our Queens environment related to
>          > Glance image visibility. Specifically users who, based on my
>          > understanding of the visibility and ownership fields, should NOT be able
>          > to see or view the image.
>          >
>          > If I create a new image with openstack image create and specify --project
>          > <tenant> and --private a non-admin user in a different tenant can see and
>          > boot that image.
>          >
>          > That seems to be the opposite of what should happen. Any ideas?
>         
>          Yep, something's not right there.
>         
>          Are you sure that the user that can see the image doesn't have the admin
>          role (for the project in its keystone token) ?
>         
>          Did you verify that the image's owner is what you intended, and that the
>          visibility really is "private" ?
>         
>               ~iain
>         
>         
>     
>     
>



------------------------------

Message: 5
Date: Thu, 18 Oct 2018 22:32:42 +0000
From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
        <[hidden email]>
To: iain MacDonnell <[hidden email]>,
        "[hidden email]"
        <[hidden email]>
Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
        Non admin users can see private images from other tenants
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="utf-8"

openstack user create --domain default --password xxxxxxxx --project-domain ndc --project test mike


openstack role add --user mike --user-domain default --project test user

my admin account is in the NDC domain with a different username.



/etc/glance/policy.json
{

"context_is_admin":  "role:admin",
"default": "role:admin",

<snip>


I'm not terribly familiar with the policies but I feel like that default line is making everyone an admin by default?


Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
[hidden email]
 
Hydrogen fusion brightens my day.
 

On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:

   
    I suspect that your non-admin user is not really non-admin. How did you
    create it?
   
    What do you have for "context_is_admin" in glance's policy.json?
   
         ~iain
   
   
    On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
    INTEGRA, INC.] wrote:
    > I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
    >
    >
    >
    > Mike Moore, M.S.S.E.
    >  
    > Systems Engineer, Goddard Private Cloud
    > [hidden email]
    >  
    > Hydrogen fusion brightens my day.
    >  
    >
    > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]> wrote:
    >
    >      Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
    >     
    >      In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
    >     
    >      Mike Moore, M.S.S.E.
    >      
    >      Systems Engineer, Goddard Private Cloud
    >      [hidden email]
    >      
    >      Hydrogen fusion brightens my day.
    >      
    >     
    >      On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
    >     
    >         
    >         
    >          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
    >          INTEGRA, INC.] wrote:
    >          > I’m seeing unexpected behavior in our Queens environment related to
    >          > Glance image visibility. Specifically users who, based on my
    >          > understanding of the visibility and ownership fields, should NOT be able
    >          > to see or view the image.
    >          >
    >          > If I create a new image with openstack image create and specify --project
    >          > <tenant> and --private a non-admin user in a different tenant can see and
    >          > boot that image.
    >          >
    >          > That seems to be the opposite of what should happen. Any ideas?
    >         
    >          Yep, something's not right there.
    >         
    >          Are you sure that the user that can see the image doesn't have the admin
    >          role (for the project in its keystone token) ?
    >         
    >          Did you verify that the image's owner is what you intended, and that the
    >          visibility really is "private" ?
    >         
    >               ~iain
    >         
    >         
    >     
    >     
    >
   


------------------------------

Message: 6
Date: Thu, 18 Oct 2018 15:48:27 -0700
From: iain MacDonnell <[hidden email]>
To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
        <[hidden email]>, "[hidden email]"
        <[hidden email]>
Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
        Non admin users can see private images from other tenants
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=utf-8; format=flowed


That all looks fine.

I believe that the "default" policy applies in place of any that's not
explicitly specified - i.e. "if there's no matching policy below, you
need to have the admin role to be able to do it". I do have that line in
my policy.json, and I cannot reproduce your problem (see below).

I'm not using domains (other than "default"). I wonder if that's a factor...

     ~iain


$ openstack user create --password foo user1
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | d18c0031ec56430499a2d690cb1f125c |
| name                | user1                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
$ openstack user create --password foo user2
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | be9f1061a5104abd834eabe98dff055d |
| name                | user2                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
$ openstack project create project1
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 826876d6d3724018bae6253c7f540cb3 |
| is_domain   | False                            |
| name        | project1                         |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
$ openstack project create project2
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | b446b93ac6e24d538c1943acbdd13cb2 |
| is_domain   | False                            |
| name        | project2                         |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
$ openstack role add --user user1 --project project1 _member_
$ openstack role add --user user2 --project project2 _member_
$ export OS_PASSWORD=foo
$ export OS_USERNAME=user1
$ export OS_PROJECT_NAME=project1
$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
+--------------------------------------+--------+--------+
$ openstack image create --private image1
+------------------+------------------------------------------------------------------------------+
| Field            | Value                                                                        |
+------------------+------------------------------------------------------------------------------+
| checksum         | None                                                                         |
| container_format | bare                                                                         |
| created_at       | 2018-10-18T22:17:41Z                                                         |
| disk_format      | raw                                                                          |
| file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
| id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
| min_disk         | 0                                                                            |
| min_ram          | 0                                                                            |
| name             | image1                                                                       |
| owner            | 826876d6d3724018bae6253c7f540cb3                                             |
| properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
| protected        | False                                                                        |
| schema           | /v2/schemas/image                                                            |
| size             | None                                                                         |
| status           | queued                                                                       |
| tags             |                                                                              |
| updated_at       | 2018-10-18T22:17:41Z                                                         |
| virtual_size     | None                                                                         |
| visibility       | private                                                                      |
+------------------+------------------------------------------------------------------------------+
$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
| 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
+--------------------------------------+--------+--------+
$ export OS_USERNAME=user2
$ export OS_PROJECT_NAME=project2
$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
+--------------------------------------+--------+--------+
$ export OS_USERNAME=admin
$ export OS_PROJECT_NAME=admin
$ export OS_PASSWORD=xxx
$ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
$ export OS_USERNAME=user2
$ export OS_PROJECT_NAME=project2
$ export OS_PASSWORD=foo
$ openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
| 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
+--------------------------------------+--------+--------+
$


On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
INTEGRA, INC.] wrote:
> openstack user create --domain default --password xxxxxxxx --project-domain ndc --project test mike
>
>
> openstack role add --user mike --user-domain default --project test user
>
> my admin account is in the NDC domain with a different username.
>
>
>
> /etc/glance/policy.json
> {
>
> "context_is_admin":  "role:admin",
> "default": "role:admin",
>
> <snip>
>
>
> I'm not terribly familiar with the policies but I feel like that default line is making everyone an admin by default?
>
>
> Mike Moore, M.S.S.E.
>  
> Systems Engineer, Goddard Private Cloud
> [hidden email]
>  
> Hydrogen fusion brightens my day.
>  
>
> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
>
>     
>      I suspect that your non-admin user is not really non-admin. How did you
>      create it?
>     
>      What do you have for "context_is_admin" in glance's policy.json?
>     
>           ~iain
>     
>     
>      On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      INTEGRA, INC.] wrote:
>      > I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
>      >
>      >
>      >
>      > Mike Moore, M.S.S.E.
>      >
>      > Systems Engineer, Goddard Private Cloud
>      > [hidden email]
>      >
>      > Hydrogen fusion brightens my day.
>      >
>      >
>      > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]> wrote:
>      >
>      >      Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
>      >
>      >      In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
>      >
>      >      Mike Moore, M.S.S.E.
>      >
>      >      Systems Engineer, Goddard Private Cloud
>      >      [hidden email]
>      >
>      >      Hydrogen fusion brightens my day.
>      >
>      >
>      >      On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
>      >
>      >
>      >
>      >          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      >          INTEGRA, INC.] wrote:
>      >          > I’m seeing unexpected behavior in our Queens environment related to
>      >          > Glance image visibility. Specifically users who, based on my
>      >          > understanding of the visibility and ownership fields, should NOT be able
>      >          > to see or view the image.
>      >          >
>      >          > If I create a new image with openstack image create and specify –project
>      >          > <tenant> and –private a non-admin user in a different tenant can see and
>      >          > boot that image.
>      >          >
>      >          > That seems to be the opposite of what should happen. Any ideas?
>      >
>      >          Yep, something's not right there.
>      >
>      >          Are you sure that the user that can see the image doesn't have the admin
>      >          role (for the project in its keystone token) ?
>      >
>      >          Did you verify that the image's owner is what you intended, and that the
>      >          visibility really is "private" ?
>      >
>      >               ~iain
>      >
>      >          _______________________________________________
>      >          OpenStack-operators mailing list
>      >          [hidden email]
>      >          http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>      >
>      >
>      >      _______________________________________________
>      >      OpenStack-operators mailing list
>      >      [hidden email]
>      >      http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>      >
>      >
>     
>



------------------------------

Message: 7
Date: Thu, 18 Oct 2018 19:23:42 -0400
From: Chris Apsey <[hidden email]>
To: iain MacDonnell <[hidden email]>, "Moore, Michael Dane
        (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]>,
        <[hidden email]>
Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
        Non admin users can see private images from other tenants
Message-ID:
        <[hidden email]>
Content-Type: text/plain; format=flowed; charset="UTF-8"

We are using multiple keystone domains - still can't reproduce this.

Do you happen to have a customized keystone policy.json?

Worst case, I would launch a devstack of your targeted release.  If you
can't reproduce the issue there, you would at least know it's caused by a
nonstandard config rather than a bug (or at least not a bug that's present
when using a default config).

On October 18, 2018 18:50:12 iain MacDonnell <[hidden email]>
wrote:

> That all looks fine.
>
> I believe that the "default" policy applies in place of any that's not
> explicitly specified - i.e. "if there's no matching policy below, you
> need to have the admin role to be able to do it". I do have that line in
> my policy.json, and I cannot reproduce your problem (see below).
>
> I'm not using domains (other than "default"). I wonder if that's a factor...
>
>     ~iain
>
>
> $ openstack user create --password foo user1
> +---------------------+----------------------------------+
> | Field               | Value                            |
> +---------------------+----------------------------------+
> | domain_id           | default                          |
> | enabled             | True                             |
> | id                  | d18c0031ec56430499a2d690cb1f125c |
> | name                | user1                            |
> | options             | {}                               |
> | password_expires_at | None                             |
> +---------------------+----------------------------------+
> $ openstack user create --password foo user2
> +---------------------+----------------------------------+
> | Field               | Value                            |
> +---------------------+----------------------------------+
> | domain_id           | default                          |
> | enabled             | True                             |
> | id                  | be9f1061a5104abd834eabe98dff055d |
> | name                | user2                            |
> | options             | {}                               |
> | password_expires_at | None                             |
> +---------------------+----------------------------------+
> $ openstack project create project1
> +-------------+----------------------------------+
> | Field       | Value                            |
> +-------------+----------------------------------+
> | description |                                  |
> | domain_id   | default                          |
> | enabled     | True                             |
> | id          | 826876d6d3724018bae6253c7f540cb3 |
> | is_domain   | False                            |
> | name        | project1                         |
> | parent_id   | default                          |
> | tags        | []                               |
> +-------------+----------------------------------+
> $ openstack project create project2
> +-------------+----------------------------------+
> | Field       | Value                            |
> +-------------+----------------------------------+
> | description |                                  |
> | domain_id   | default                          |
> | enabled     | True                             |
> | id          | b446b93ac6e24d538c1943acbdd13cb2 |
> | is_domain   | False                            |
> | name        | project2                         |
> | parent_id   | default                          |
> | tags        | []                               |
> +-------------+----------------------------------+
> $ openstack role add --user user1 --project project1 _member_
> $ openstack role add --user user2 --project project2 _member_
> $ export OS_PASSWORD=foo
> $ export OS_USERNAME=user1
> $ export OS_PROJECT_NAME=project1
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> +--------------------------------------+--------+--------+
> $ openstack image create --private image1
> +------------------+------------------------------------------------------------------------------+
> | Field            | Value                                                                        |
> +------------------+------------------------------------------------------------------------------+
> | checksum         | None                                                                         |
> | container_format | bare                                                                         |
> | created_at       | 2018-10-18T22:17:41Z                                                         |
> | disk_format      | raw                                                                          |
> | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
> | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
> | min_disk         | 0                                                                            |
> | min_ram          | 0                                                                            |
> | name             | image1                                                                       |
> | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
> | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
> | protected        | False                                                                        |
> | schema           | /v2/schemas/image                                                            |
> | size             | None                                                                         |
> | status           | queued                                                                       |
> | tags             |                                                                              |
> | updated_at       | 2018-10-18T22:17:41Z                                                         |
> | virtual_size     | None                                                                         |
> | visibility       | private                                                                      |
> +------------------+------------------------------------------------------------------------------+
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> +--------------------------------------+--------+--------+
> $ export OS_USERNAME=user2
> $ export OS_PROJECT_NAME=project2
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> +--------------------------------------+--------+--------+
> $ export OS_USERNAME=admin
> $ export OS_PROJECT_NAME=admin
> $ export OS_PASSWORD=xxx
> $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> $ export OS_USERNAME=user2
> $ export OS_PROJECT_NAME=project2
> $ export OS_PASSWORD=foo
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> +--------------------------------------+--------+--------+
> $
>
>
>
> _______________________________________________
> OpenStack-operators mailing list
> [hidden email]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
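The two things this thread turns on, the ownership/visibility rules Iain's reproduction exercises (a private image owned by project1 is listed by user1 and by admin but not by user2 in project2, and appears for user2 only after `openstack image set --public`) and his point that a policy file's "default" entry is only used for actions with no rule of their own, as an added illustration in Python. This is not Glance or oslo.policy code; it is a small model written for this thread. The project ids and image ids come from the output above; the admin project id and Mike's "test" project id are constructed placeholders; the `get_images`, `add_image` and `publicize_image` rules are assumed to match the stock policy (everyone may list and create, only admins may publicize); and a shared image's accepted members are reduced to a plain set of project ids.

```python
"""Model of Glance image visibility and oslo.policy-style rule fallback.
Added illustration for this thread, not Glance or oslo.policy code. Assumed
(not from the thread): get_images/add_image are open to all and
publicize_image needs role:admin, as in the stock policy; a shared image's
accepted members are a plain set of project ids."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Context:
    user: str
    project_id: str
    roles: frozenset
    is_admin: bool = False  # derived from the context_is_admin rule, as Glance does


@dataclass
class Image:
    image_id: str
    name: str
    owner: str                   # owning project id
    visibility: str = "private"  # private | public | shared
    members: set = field(default_factory=set)  # accepted member project ids


class Policy:
    """Rules: 'role:X', 'rule:Y', '' (allow), '!' (deny), combined with
    ' and ' / ' or ' ('and' binds tighter, as in oslo.policy)."""

    def __init__(self, rules):
        self.rules = rules

    def check(self, action, ctx):
        # "default" is consulted only for an action with no rule of its own;
        # with no default either, the action is denied.
        return self._eval(self.rules.get(action, self.rules.get("default", "!")), ctx)

    def _eval(self, rule, ctx):
        rule = rule.strip()
        if rule in ("", "!"):
            return rule == ""
        if " or " in rule:
            return any(self._eval(r, ctx) for r in rule.split(" or "))
        if " and " in rule:
            return all(self._eval(r, ctx) for r in rule.split(" and "))
        kind, _, value = rule.partition(":")
        if kind == "role":
            return value in ctx.roles
        if kind == "rule":
            return self._eval(self.rules[value], ctx)
        raise ValueError("unsupported rule: %r" % rule)


def make_context(policy, user, project_id, roles):
    """Build a request context; is_admin comes from the context_is_admin rule."""
    probe = Context(user, project_id, frozenset(roles))
    return Context(user, project_id, probe.roles,
                   is_admin=policy.check("context_is_admin", probe))


def image_visible(image, ctx):
    """Admins see everything; public images are visible to all; private images
    only to the owning project; shared images also to accepted members."""
    if ctx.is_admin or image.visibility == "public" or image.owner == ctx.project_id:
        return True
    return image.visibility == "shared" and ctx.project_id in image.members


def list_images(images, ctx):
    return [img.name for img in images if image_visible(img, ctx)]


# The two lines Mike posted from /etc/glance/policy.json plus the assumed stock rules.
POLICY = Policy({"context_is_admin": "role:admin", "default": "role:admin",
                 "get_images": "", "add_image": "", "publicize_image": "role:admin"})

# Project and image ids from Iain's output; the admin project id is a constructed placeholder.
PROJECT1 = "826876d6d3724018bae6253c7f540cb3"
PROJECT2 = "b446b93ac6e24d538c1943acbdd13cb2"
ADMIN_PROJECT = "00000000000000000000000000admin0"


def reproduce():
    """Replay Iain's test: returns ({user: names listed}, names user2 lists after
    the admin has run `openstack image set --public` on image1)."""
    cirros = Image("ad497523-b497-4500-8e6c-b5fb12a30cee", "cirros", ADMIN_PROJECT, "public")
    image1 = Image("6a0c1928-b79c-4dbf-a9c9-305b599056e4", "image1", PROJECT1, "private")
    user1 = make_context(POLICY, "user1", PROJECT1, {"_member_"})
    user2 = make_context(POLICY, "user2", PROJECT2, {"_member_"})
    admin = make_context(POLICY, "admin", ADMIN_PROJECT, {"admin"})
    before = {c.user: list_images([cirros, image1], c) for c in (user1, user2, admin)}
    # publicize_image gates `image set --public`: only a context that passes it may flip the flag.
    if POLICY.check("publicize_image", admin) and not POLICY.check("publicize_image", user2):
        image1.visibility = "public"
    return before, list_images([cirros, image1], user2)


def default_rule_effect():
    """The "default" rule governs only actions with no rule of their own: a plain
    user is denied those, not promoted to admin, and can still list images."""
    mike = make_context(POLICY, "mike", "test-project-id", {"user"})  # constructed id
    admin = make_context(POLICY, "admin", ADMIN_PROJECT, {"admin"})
    return {"mike_is_admin": mike.is_admin,
            "mike_can_list": POLICY.check("get_images", mike),
            "mike_unlisted_action": POLICY.check("not_in_policy_json", mike),
            "admin_unlisted_action": POLICY.check("not_in_policy_json", admin)}
```

`reproduce()` returns the same listings as Iain's session, and `default_rule_effect()` shows what Mike's `"default": "role:admin"` line does under this model: a user holding only the `user` role is refused any action that has no rule of its own and is not treated as an admin, while listing stays allowed. Anything that makes a private image appear in another project's listing therefore has to come from the context being admin (the `context_is_admin` rule matching a role the user actually holds), from the image's owner or visibility not being what was intended, or from something outside this model, such as the LDAP-backed domain Mike mentions.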






------------------------------

Message: 8
Date: Fri, 19 Oct 2018 10:58:30 +0200
From: Tomáš Vondra <[hidden email]>
To: <[hidden email]>
Subject: [Openstack-operators] osops-tools-monitoring Dependency
        problems
Message-ID: <049e01d46789$e8bf5220$ba3df660$@homeatcloud.cz>
Content-Type: text/plain;       charset="iso-8859-2"

Hi!
I'm a long time user of monitoring-for-openstack, also known as oschecks.
Concretely, I used a version from 2015 with OpenStack python client
libraries from Kilo. Now I have upgraded them to Mitaka and it got broken.
Even the latest oschecks don't work. I didn't quite expect that, given that
there are several commits from this year e.g. by Nagasai Vinaykumar
Kapalavai and paramite. Can one of them or some other user step up and say
what version of OpenStack clients is oschecks working with? Ideally, write
it down in requirements.txt so that it will be reproducible? Also, some
documentation of the minimal set of parameters would come in handy.
Thanks a lot, Tomas from Homeatcloud

The error messages are as absurd as:
oschecks-check_glance_api --os_auth_url='http://10.1.101.30:5000/v2.0' --os_username=monitoring --os_password=XXX --os_tenant_name=monitoring

CRITICAL: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/oschecks/utils.py", line 121, in safe_run
    method()
  File "/usr/lib/python2.7/dist-packages/oschecks/glance.py", line 29, in _check_glance_api
    glance = utils.Glance()
  File "/usr/lib/python2.7/dist-packages/oschecks/utils.py", line 177, in __init__
    self.glance.parser = self.glance.get_base_parser(sys.argv)
TypeError: get_base_parser() takes exactly 1 argument (2 given)

(I can see 4 parameters on the command line.)
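The traceback above is an API-drift failure, not an argument-count problem on the command line: the `1 argument` is `self`, so the installed client's `get_base_parser()` accepts nothing else, while the oschecks release in use passes `sys.argv` to it. An added illustration in Python, not oschecks or python-glanceclient code: `OldShell` and `NewShell` are constructed stand-ins for the two client generations, `naive_call_fails()` reproduces the failing call pattern, and `build_base_parser()` shows the shim a maintainer could use until requirements.txt pins a client version (Python 3 words the error differently, but it is the same `TypeError`). The command line is the one quoted above, with the password value left as the `XXX` placeholder.

```python
"""Added illustration for the oschecks traceback; not oschecks or
python-glanceclient code. OldShell and NewShell are constructed stand-ins
for a client whose get_base_parser() takes no argument and one that takes
argv; the shim below adapts to whichever is installed."""
import argparse
import inspect

MONITORING_ARGS = ["--os_auth_url", "--os_username", "--os_password", "--os_tenant_name"]

# Constructed copy of the command line from the thread (sys.argv shape, prog first).
THREAD_ARGV = ["oschecks-check_glance_api",
               "--os_auth_url=http://10.1.101.30:5000/v2.0",
               "--os_username=monitoring", "--os_password=XXX",
               "--os_tenant_name=monitoring"]


def _parser():
    p = argparse.ArgumentParser(prog="oschecks-check_glance_api", add_help=False)
    for name in MONITORING_ARGS:
        p.add_argument(name)
    return p


class OldShell:
    """Stand-in for the installed client: get_base_parser() takes only self."""
    def get_base_parser(self):
        return _parser()


class NewShell:
    """Stand-in for the client generation oschecks was written against."""
    def get_base_parser(self, argv):
        self.argv = list(argv)
        return _parser()


def naive_call_fails(shell, argv):
    """Reproduce the thread's call pattern; True when it raises the TypeError."""
    try:
        shell.get_base_parser(argv)
    except TypeError:
        return True
    return False


def parser_wants_argv(shell):
    """True when get_base_parser() declares a positional parameter beyond self
    (inspect.signature on a bound method already leaves self out)."""
    params = inspect.signature(shell.get_base_parser).parameters
    return any(p.kind in (p.POSITIONAL_ONLY, p.POSITIONAL_OR_KEYWORD) for p in params.values())


def build_base_parser(shell, argv):
    """Pass argv only if the installed client accepts it, instead of failing
    with the TypeError seen in the thread."""
    if parser_wants_argv(shell):
        return shell.get_base_parser(argv)
    return shell.get_base_parser()


def check_args(shell, argv):
    """Parse the four --os_* parameters and return them as a dict; the
    password is reported as present or absent rather than echoed."""
    ns, _unknown = build_base_parser(shell, argv).parse_known_args(argv[1:])
    return {k: ("<set>" if k == "os_password" and v else v) for k, v in vars(ns).items()}
```

Pinning the client libraries (the fix Tomáš asks for) is what actually removes the failure; the shim only keeps the check running across the two signatures it knows about, and `parser_wants_argv()` is the check you would put in CI to catch the next drift.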




------------------------------

Message: 9
Date: Fri, 19 Oct 2018 11:21:25 +0200
From: Christian Zunker <[hidden email]>
To: openstack-operators <[hidden email]>
Subject: [Openstack-operators] [heat][cinder] How to create stack
        snapshot including volumes
Message-ID:
        <CAHS=D_ZGow+hSPuiicq6z0UrRCb3DxC4hf425uY7+5+Rt+-[hidden email]>
Content-Type: text/plain; charset="utf-8"

Hi List,

I'd like to take snapshots of heat stacks including the volumes.
From what I found until now, this should be possible. You just have to
configure some parts of OpenStack.

I enabled cinder-backup with ceph backend. Backups from volumes are working.
I configured heat to include the option backups_enabled = True.

When I use openstack stack snapshot create, I get a snapshot but no backups
of my volumes. I don't get any error messages in heat. Debug logging didn't
help either.

OpenStack version is Pike on Ubuntu installed with openstack-ansible.
heat version is 9.0.3. So this should also include this bugfix:
https://bugs.launchpad.net/heat/+bug/1687006

Is anybody using this feature? What am I missing?

Best regards
Christian

------------------------------

Message: 10
Date: Fri, 19 Oct 2018 12:42:00 +0300
From: Adrian Andreias <[hidden email]>
To: [hidden email]
Subject: [Openstack-operators] Fleio - OpenStack billing - ver. 1.1
        released
Message-ID:
        <CACp-FE3gEP=nwXRtwy-H13qXrnhPa5bn0uWiukxWp=[hidden email]>
Content-Type: text/plain; charset="utf-8"

Hello,

We've just released Fleio version 1.1.

Fleio is a billing solution and control panel for OpenStack public clouds
and traditional web hosters.

Fleio software automates the entire process for cloud users. New customers
can use Fleio to sign up for an account, pay invoices, add credit to their
account, as well as create and manage cloud resources such as virtual
machines, storage and networking.

Full feature list:
https://fleio.com#features

You can see an online demo:
https://fleio.com/demo

And sign-up for a free trial:
https://fleio.com/signup



Cheers!

- Adrian Andreias
https://fleio.com

------------------------------

Message: 11
Date: Fri, 19 Oct 2018 20:54:29 +1100
From: Tony Breeds <[hidden email]>
To: OpenStack Development <[hidden email]>,
        OpenStack SIGs <[hidden email]>, OpenStack
        Operators <[hidden email]>
Subject: Re: [Openstack-operators] [Openstack-sigs] [all] Naming the T
        release of OpenStack
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="utf-8"

On Thu, Oct 18, 2018 at 05:35:39PM +1100, Tony Breeds wrote:
> Hello all,
>     As per [1] the nomination period for names for the T release has
> now closed (actually 3 days ago, sorry).  The nominated names and any
> qualifying remarks can be seen at [2].
>
> Proposed Names
>  * Tarryall
>  * Teakettle
>  * Teller
>  * Telluride
>  * Thomas
>  * Thornton
>  * Tiger
>  * Tincup
>  * Timnath
>  * Timber
>  * Tiny Town
>  * Torreys
>  * Trail
>  * Trinidad
>  * Treasure
>  * Troublesome
>  * Trussville
>  * Turret
>  * Tyrone
>
> Proposed Names that do not meet the criteria
>  * Train

I have re-worked my openstack/governance change[1] to ask the TC to accept
adding Train to the poll as (partially) described in [2].

I present the names above to the community and Foundation marketing team
for consideration.  The list above does contain Train; clearly, if the TC
do not approve [1], Train will not be included in the poll when created.

I apologise for any offence or slight caused by my previous email in
this thread.  It was well intentioned albeit, with hindsight, poorly
thought through.

Yours Tony.

[1] https://review.openstack.org/#/c/611511/
[2] https://governance.openstack.org/tc/reference/release-naming.html#release-name-criteria

------------------------------

Message: 12
Date: Fri, 19 Oct 2018 16:33:17 +0000
From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
        <[hidden email]>
To: Chris Apsey <[hidden email]>, iain MacDonnell
        <[hidden email]>,
        "[hidden email]"
        <[hidden email]>
Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
        Non admin users can see private images from other tenants
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="utf-8"

Our NDC domain is LDAP backed. Default is not.

Our keystone policy.json file is empty {}



Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
[hidden email]
 
Hydrogen fusion brightens my day.
 

On 10/18/18, 7:24 PM, "Chris Apsey" <[hidden email]> wrote:

    We are using multiple keystone domains - still can't reproduce this.
   
    Do you happen to have a customized keystone policy.json?
   
    Worst case, I would launch a devstack of your targeted release.  If you
    can't reproduce the issue there, you would at least know it's caused by a
    nonstandard config rather than a bug (or at least not a bug that's present
    when using a default config).
   
    On October 18, 2018 18:50:12 iain MacDonnell <[hidden email]>
    wrote:
   
    > That all looks fine.
    >
    > I believe that the "default" policy applies in place of any that's not
    > explicitly specified - i.e. "if there's no matching policy below, you
    > need to have the admin role to be able to do it". I do have that line in
    > my policy.json, and I cannot reproduce your problem (see below).
    >
    > I'm not using domains (other than "default"). I wonder if that's a factor...
    >
    >     ~iain
    >
    >
    > $ openstack user create --password foo user1
    > +---------------------+----------------------------------+
    > | Field               | Value                            |
    > +---------------------+----------------------------------+
    > | domain_id           | default                          |
    > | enabled             | True                             |
    > | id                  | d18c0031ec56430499a2d690cb1f125c |
    > | name                | user1                            |
    > | options             | {}                               |
    > | password_expires_at | None                             |
    > +---------------------+----------------------------------+
    > $ openstack user create --password foo user2
    > +---------------------+----------------------------------+
    > | Field               | Value                            |
    > +---------------------+----------------------------------+
    > | domain_id           | default                          |
    > | enabled             | True                             |
    > | id                  | be9f1061a5104abd834eabe98dff055d |
    > | name                | user2                            |
    > | options             | {}                               |
    > | password_expires_at | None                             |
    > +---------------------+----------------------------------+
    > $ openstack project create project1
    > +-------------+----------------------------------+
    > | Field       | Value                            |
    > +-------------+----------------------------------+
    > | description |                                  |
    > | domain_id   | default                          |
    > | enabled     | True                             |
    > | id          | 826876d6d3724018bae6253c7f540cb3 |
    > | is_domain   | False                            |
    > | name        | project1                         |
    > | parent_id   | default                          |
    > | tags        | []                               |
    > +-------------+----------------------------------+
    > $ openstack project create project2
    > +-------------+----------------------------------+
    > | Field       | Value                            |
    > +-------------+----------------------------------+
    > | description |                                  |
    > | domain_id   | default                          |
    > | enabled     | True                             |
    > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
    > | is_domain   | False                            |
    > | name        | project2                         |
    > | parent_id   | default                          |
    > | tags        | []                               |
    > +-------------+----------------------------------+
    > $ openstack role add --user user1 --project project1 _member_
    > $ openstack role add --user user2 --project project2 _member_
    > $ export OS_PASSWORD=foo
    > $ export OS_USERNAME=user1
    > $ export OS_PROJECT_NAME=project1
    > $ openstack image list
    > +--------------------------------------+--------+--------+
    > | ID                                   | Name   | Status |
    > +--------------------------------------+--------+--------+
    > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    > +--------------------------------------+--------+--------+
    > $ openstack image create --private image1
    > +------------------+------------------------------------------------------------------------------+
    > | Field            | Value
    >                          |
    > +------------------+------------------------------------------------------------------------------+
    > | checksum         | None
    >                          |
    > | container_format | bare
    >                          |
    > | created_at       | 2018-10-18T22:17:41Z
    >                          |
    > | disk_format      | raw
    >                          |
    > | file             |
    > /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file
    >     |
    > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4
    >                          |
    > | min_disk         | 0
    >                          |
    > | min_ram          | 0
    >                          |
    > | name             | image1
    >                          |
    > | owner            | 826876d6d3724018bae6253c7f540cb3
    >                          |
    > | properties       | locations='[]', os_hash_algo='None',
    > os_hash_value='None', os_hidden='False' |
    > | protected        | False
    >                          |
    > | schema           | /v2/schemas/image
    >                          |
    > | size             | None
    >                          |
    > | status           | queued
    >                          |
    > | tags             |
    >                          |
    > | updated_at       | 2018-10-18T22:17:41Z
    >                          |
    > | virtual_size     | None
    >                          |
    > | visibility       | private
    >                          |
    > +------------------+------------------------------------------------------------------------------+
    > $ openstack image list
    > +--------------------------------------+--------+--------+
    > | ID                                   | Name   | Status |
    > +--------------------------------------+--------+--------+
    > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
    > +--------------------------------------+--------+--------+
    > $ export OS_USERNAME=user2
    > $ export OS_PROJECT_NAME=project2
    > $ openstack image list
    > +--------------------------------------+--------+--------+
    > | ID                                   | Name   | Status |
    > +--------------------------------------+--------+--------+
    > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    > +--------------------------------------+--------+--------+
    > $ export OS_USERNAME=admin
    > $ export OS_PROJECT_NAME=admin
    > $ export OS_PASSWORD=xxx
    > $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
    > $ export OS_USERNAME=user2
    > $ export OS_PROJECT_NAME=project2
    > $ export OS_PASSWORD=foo
    > $ openstack image list
    > +--------------------------------------+--------+--------+
    > | ID                                   | Name   | Status |
    > +--------------------------------------+--------+--------+
    > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
    > +--------------------------------------+--------+--------+
    > $
    >
    >
    > On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
    > INTEGRA, INC.] wrote:
    >> openstack user create --domain default --password xxxxxxxx --project-domain
    >> ndc --project test mike
    >>
    >>
    >> openstack role add --user mike --user-domain default --project test user
    >>
    >> my admin account is in the NDC domain with a different username.
    >>
    >>
    >>
    >> /etc/glance/policy.json
    >> {
    >>
    >> "context_is_admin":  "role:admin",
    >> "default": "role:admin",
    >>
    >> <snip>
    >>
    >>
    >> I'm not terribly familiar with the policies but I feel like that default
    >> line is making everyone an admin by default?
    >>
    >>
    >> Mike Moore, M.S.S.E.
    >>
    >> Systems Engineer, Goddard Private Cloud
    >> [hidden email]
    >>
    >> Hydrogen fusion brightens my day.
    >>
    >>
    >> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
    >>
    >>
    >> I suspect that your non-admin user is not really non-admin. How did you
    >> create it?
    >>
    >> What do you have for "context_is_admin" in glance's policy.json?
    >>
    >>  ~iain
    >>
    >>
    >> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
    >> INTEGRA, INC.] wrote:
    >>> I have replicated this unexpected behavior in a Pike test environment, in
    >>> addition to our Queens environment.
    >>>
    >>>
    >>>
    >>> Mike Moore, M.S.S.E.
    >>>
    >>> Systems Engineer, Goddard Private Cloud
    >>> [hidden email]
    >>>
    >>> Hydrogen fusion brightens my day.
    >>>
    >>>
    >>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
    >>> INC.]" <[hidden email]> wrote:
    >>>
    >>>    Yes. I verified it by creating a non-admin user in a different tenant. I
    >>>    created a new image, set to private with the project defined as our admin
    >>>    tenant.
    >>>
    >>>    In the database I can see that the image is 'private' and the owner is the
    >>>    ID of the admin tenant.
    >>>
    >>>    Mike Moore, M.S.S.E.
    >>>
    >>>    Systems Engineer, Goddard Private Cloud
    >>>    [hidden email]
    >>>
    >>>    Hydrogen fusion brightens my day.
    >>>
    >>>
    >>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
    >>>
    >>>
    >>>
    >>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
    >>>        INTEGRA, INC.] wrote:
    >>>        > I’m seeing unexpected behavior in our Queens environment related to
    >>>        > Glance image visibility. Specifically users who, based on my
    >>>        > understanding of the visibility and ownership fields, should NOT be able
    >>>        > to see or view the image.
    >>>        >
    >>>        > If I create a new image with openstack image create and specify –project
    >>>        > <tenant> and –private a non-admin user in a different tenant can see and
    >>>        > boot that image.
    >>>        >
    >>>        > That seems to be the opposite of what should happen. Any ideas?
    >>>
    >>>        Yep, something's not right there.
    >>>
    >>>        Are you sure that the user that can see the image doesn't have the admin
    >>>        role (for the project in its keystone token)?
    >>>
    >>>        Did you verify that the image's owner is what you intended, and that the
    >>>        visibility really is "private"?
    >>>
    >>>             ~iain
    >>>
    >>>
    >>>
    >
   
   
   
   


------------------------------

Message: 13
Date: Fri, 19 Oct 2018 16:54:12 +0000
From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
        <[hidden email]>
To: Chris Apsey <[hidden email]>, iain MacDonnell
        <[hidden email]>,
        "[hidden email]"
        <[hidden email]>
Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
        Non admin users can see private images from other tenants
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="utf-8"


For reference, here is our full glance policy.json


{
    "context_is_admin":  "role:admin",
    "default": "role:admin",

    "add_image": "",
    "delete_image": "",
    "get_image": "",
    "get_images": "",
    "modify_image": "",
    "publicize_image": "role:admin",
    "communitize_image": "",
    "copy_from": "",

    "download_image": "",
    "upload_image": "",

    "delete_image_location": "",
    "get_image_location": "",
    "set_image_location": "",

    "add_member": "",
    "delete_member": "",
    "get_member": "",
    "get_members": "",
    "modify_member": "",

    "manage_image_cache": "role:admin",

    "get_task": "",
    "get_tasks": "",
    "add_task": "",
    "modify_task": "",
    "tasks_api_access": "role:admin",

    "deactivate": "",
    "reactivate": "",

    "get_metadef_namespace": "",
    "get_metadef_namespaces":"",
    "modify_metadef_namespace":"",
    "add_metadef_namespace":"",

    "get_metadef_object":"",
    "get_metadef_objects":"",
    "modify_metadef_object":"",
    "add_metadef_object":"",

    "list_metadef_resource_types":"",
    "get_metadef_resource_type":"",
    "add_metadef_resource_type_association":"",

    "get_metadef_property":"",
    "get_metadef_properties":"",
    "modify_metadef_property":"",
    "add_metadef_property":"",

    "get_metadef_tag":"",
    "get_metadef_tags":"",
    "modify_metadef_tag":"",
    "add_metadef_tag":"",
    "add_metadef_tags":""

}


Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
[hidden email]
 
Hydrogen fusion brightens my day.
 

On 10/19/18, 12:39 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]> wrote:

    Our NDC domain is LDAP backed. Default is not.
   
    Our keystone policy.json file is empty {}
   
   
   
    Mike Moore, M.S.S.E.
    
    Systems Engineer, Goddard Private Cloud
    [hidden email]
    
    Hydrogen fusion brightens my day.
    
   
    On 10/18/18, 7:24 PM, "Chris Apsey" <[hidden email]> wrote:
   
        We are using multiple keystone domains - still can't reproduce this.
       
        Do you happen to have a customized keystone policy.json?
       
        Worst case, I would launch a devstack of your targeted release.  If you
        can't reproduce the issue there, you would at least know it's caused by a
        nonstandard config rather than a bug (or at least not a bug that's present
        when using a default config).
       
        On October 18, 2018 18:50:12 iain MacDonnell <[hidden email]>
        wrote:
       
        > That all looks fine.
        >
        > I believe that the "default" policy applies in place of any that's not
        > explicitly specified - i.e. "if there's no matching policy below, you
        > need to have the admin role to be able to do it". I do have that line in
        > my policy.json, and I cannot reproduce your problem (see below).
        >
        > I'm not using domains (other than "default"). I wonder if that's a factor...
        >
        >     ~iain
        >
        >
        > $ openstack user create --password foo user1
        > +---------------------+----------------------------------+
        > | Field               | Value                            |
        > +---------------------+----------------------------------+
        > | domain_id           | default                          |
        > | enabled             | True                             |
        > | id                  | d18c0031ec56430499a2d690cb1f125c |
        > | name                | user1                            |
        > | options             | {}                               |
        > | password_expires_at | None                             |
        > +---------------------+----------------------------------+
        > $ openstack user create --password foo user2
        > +---------------------+----------------------------------+
        > | Field               | Value                            |
        > +---------------------+----------------------------------+
        > | domain_id           | default                          |
        > | enabled             | True                             |
        > | id                  | be9f1061a5104abd834eabe98dff055d |
        > | name                | user2                            |
        > | options             | {}                               |
        > | password_expires_at | None                             |
        > +---------------------+----------------------------------+
        > $ openstack project create project1
        > +-------------+----------------------------------+
        > | Field       | Value                            |
        > +-------------+----------------------------------+
        > | description |                                  |
        > | domain_id   | default                          |
        > | enabled     | True                             |
        > | id          | 826876d6d3724018bae6253c7f540cb3 |
        > | is_domain   | False                            |
        > | name        | project1                         |
        > | parent_id   | default                          |
        > | tags        | []                               |
        > +-------------+----------------------------------+
        > $ openstack project create project2
        > +-------------+----------------------------------+
        > | Field       | Value                            |
        > +-------------+----------------------------------+
        > | description |                                  |
        > | domain_id   | default                          |
        > | enabled     | True                             |
        > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
        > | is_domain   | False                            |
        > | name        | project2                         |
        > | parent_id   | default                          |
        > | tags        | []                               |
        > +-------------+----------------------------------+
        > $ openstack role add --user user1 --project project1 _member_
        > $ openstack role add --user user2 --project project2 _member_
        > $ export OS_PASSWORD=foo
        > $ export OS_USERNAME=user1
        > $ export OS_PROJECT_NAME=project1
        > $ openstack image list
        > +--------------------------------------+--------+--------+
        > | ID                                   | Name   | Status |
        > +--------------------------------------+--------+--------+
        > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
        > +--------------------------------------+--------+--------+
        > $ openstack image create --private image1
        > +------------------+----------------------------------------------------------------------------+
        > | Field            | Value                                                                        |
        > +------------------+----------------------------------------------------------------------------+
        > | checksum         | None                                                                         |
        > | container_format | bare                                                                         |
        > | created_at       | 2018-10-18T22:17:41Z                                                         |
        > | disk_format      | raw                                                                          |
        > | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
        > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
        > | min_disk         | 0                                                                            |
        > | min_ram          | 0                                                                            |
        > | name             | image1                                                                       |
        > | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
        > | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
        > | protected        | False                                                                        |
        > | schema           | /v2/schemas/image                                                            |
        > | size             | None                                                                         |
        > | status           | queued                                                                       |
        > | tags             |                                                                              |
        > | updated_at       | 2018-10-18T22:17:41Z                                                         |
        > | virtual_size     | None                                                                         |
        > | visibility       | private                                                                      |
        > +------------------+----------------------------------------------------------------------------+
        > $ openstack image list
        > +--------------------------------------+--------+--------+
        > | ID                                   | Name   | Status |
        > +--------------------------------------+--------+--------+
        > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
        > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
        > +--------------------------------------+--------+--------+
        > $ export OS_USERNAME=user2
        > $ export OS_PROJECT_NAME=project2
        > $ openstack image list
        > +--------------------------------------+--------+--------+
        > | ID                                   | Name   | Status |
        > +--------------------------------------+--------+--------+
        > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
        > +--------------------------------------+--------+--------+
        > $ export OS_USERNAME=admin
        > $ export OS_PROJECT_NAME=admin
        > $ export OS_PASSWORD=xxx
        > $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
        > $ export OS_USERNAME=user2
        > $ export OS_PROJECT_NAME=project2
        > $ export OS_PASSWORD=foo
        > $ openstack image list
        > +--------------------------------------+--------+--------+
        > | ID                                   | Name   | Status |
        > +--------------------------------------+--------+--------+
        > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
        > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
        > +--------------------------------------+--------+--------+
        > $
        >
        >
        > On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
        > INTEGRA, INC.] wrote:
        >> openstack user create --domain default --password xxxxxxxx --project-domain
        >> ndc --project test mike
        >>
        >>
        >> openstack role add --user mike --user-domain default --project test user
        >>
        >> My admin account is in the NDC domain with a different username.
        >>
        >>
        >>
        >> /etc/glance/policy.json
        >> {
        >>
        >> "context_is_admin":  "role:admin",
        >> "default": "role:admin",
        >>
        >> <snip>
        >>
        >>
        >> I'm not terribly familiar with the policies but I feel like that default
        >> line is making everyone an admin by default?
        >>
        >>
        >> Mike Moore, M.S.S.E.
        >>
        >> Systems Engineer, Goddard Private Cloud
        >> [hidden email]
        >>
        >> Hydrogen fusion brightens my day.
        >>
        >>
        >> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
        >>
        >>
        >> I suspect that your non-admin user is not really non-admin. How did you
        >> create it?
        >>
        >> What do you have for "context_is_admin" in glance's policy.json?
        >>
        >>  ~iain
        >>
        >>
        >> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
        >> INTEGRA, INC.] wrote:
        >>> I have replicated this unexpected behavior in a Pike test environment, in
        >>> addition to our Queens environment.
        >>>
        >>>
        >>>
        >>> Mike Moore, M.S.S.E.
        >>>
        >>> Systems Engineer, Goddard Private Cloud
        >>> [hidden email]
        >>>
        >>> Hydrogen fusion brightens my day.
        >>>
        >>>
        >>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
        >>> INC.]" <[hidden email]> wrote:
        >>>
        >>>    Yes. I verified it by creating a non-admin user in a different tenant. I
        >>>    created a new image, set to private with the project defined as our admin
        >>>    tenant.
        >>>
        >>>    In the database I can see that the image is 'private' and the owner is the
        >>>    ID of the admin tenant.
        >>>
        >>>    Mike Moore, M.S.S.E.
        >>>
        >>>    Systems Engineer, Goddard Private Cloud
        >>>    [hidden email]
        >>>
        >>>    Hydrogen fusion brightens my day.
        >>>
        >>>
        >>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
        >>>
        >>>
        >>>
        >>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
        >>>        INTEGRA, INC.] wrote:
        >>>        > I’m seeing unexpected behavior in our Queens environment related to
        >>>        > Glance image visibility. Specifically users who, based on my
        >>>        > understanding of the visibility and ownership fields, should NOT be able
        >>>        > to see or view the image.
        >>>        >
        >>>        > If I create a new image with openstack image create and specify –project
        >>>        > <tenant> and –private a non-admin user in a different tenant can see and
        >>>        > boot that image.
        >>>        >
        >>>        > That seems to be the opposite of what should happen. Any ideas?
        >>>
        >>>        Yep, something's not right there.
        >>>
        >>>        Are you sure that the user that can see the image doesn't have the admin
        >>>        role (for the project in its keystone token)?
        >>>
        >>>        Did you verify that the image's owner is what you intended, and that the
        >>>        visibility really is "private"?
        >>>
        >>>             ~iain
        >>>
        >>>
        >>>
        >
       
       
       
       
   
   

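Added example, not from this thread and not Glance's or oslo.policy's own code: a small evaluator for the rule forms the policy.json above actually uses ("", "role:<name>", "rule:<name>" and the "default" fallback), to show that "default": "role:admin" only governs actions that are absent from the file, while the listed "get_images": "" rule admits any authenticated caller, and how the roles in a keystone token feed into that check. The project and image ids are taken from iain's test output above; the image records and token bodies are constructed, and the visibility filter is a simplified reading of Glance's public/private/shared/community model rather than Glance's own code.

```python
import json

# Constructed subset of the glance policy.json posted above (same values).
POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "default": "role:admin",
    "get_image": "",
    "get_images": "",
    "modify_image": "",
    "publicize_image": "role:admin",
    "manage_image_cache": "role:admin"
}
"""

# Ids taken from iain's test output in this thread; the image records
# themselves are constructed for the example.
PROJECT1 = "826876d6d3724018bae6253c7f540cb3"
PROJECT2 = "b446b93ac6e24d538c1943acbdd13cb2"
CIRROS_ID = "ad497523-b497-4500-8e6c-b5fb12a30cee"
IMAGE1_ID = "6a0c1928-b79c-4dbf-a9c9-305b599056e4"
SAMPLE_IMAGES = [
    {"id": CIRROS_ID, "name": "cirros", "visibility": "public",
     "owner": "admin-project-id-placeholder"},
    {"id": IMAGE1_ID, "name": "image1", "visibility": "private",
     "owner": PROJECT1},
]


def load_policy(text):
    """policy.json text -> dict of action name -> rule string."""
    return json.loads(text)


def rule_matches(expr, roles, rules, depth=0):
    """Evaluate one rule string against the caller's role names.
    Only the forms used in the file above are handled: "" or "@" (always
    allowed), "!" (never), "role:<name>" and "rule:<name>".  This is a
    teaching stand-in, not oslo.policy."""
    if depth > 10:
        raise ValueError("rule recursion too deep")
    expr = expr.strip()
    if expr in ("", "@"):
        return True
    if expr == "!":
        return False
    if expr.startswith("role:"):
        return expr[len("role:"):] in roles
    if expr.startswith("rule:"):
        target = rules.get(expr[len("rule:"):], "!")
        return rule_matches(target, roles, rules, depth + 1)
    raise ValueError("unsupported rule syntax in this example: %r" % expr)


def enforce(rules, action, roles):
    """True if a caller holding `roles` may perform `action`.
    A listed action uses its own rule; "default" is consulted only for
    actions missing from the file, so "default": "role:admin" does not
    turn every caller into an admin for get_images."""
    expr = rules[action] if action in rules else rules.get("default", "!")
    return rule_matches(expr, roles, rules)


def roles_from_token(token):
    """Role names from a keystone v3 token body, i.e. the "roles" list
    iain suggests inspecting in `openstack --debug token issue` output."""
    return sorted(r["name"] for r in token.get("roles", []))


def visible_images(images, project_id, roles, rules):
    """Simplified Glance visibility model: a caller that satisfies
    context_is_admin sees every image; anyone else sees public and
    community images, images owned by their project, and shared images
    whose member list contains their project."""
    if not enforce(rules, "get_images", roles):
        return []
    if enforce(rules, "context_is_admin", roles):
        return [img["id"] for img in images]
    seen = []
    for img in images:
        vis = img["visibility"]
        if (vis in ("public", "community")
                or img["owner"] == project_id
                or (vis == "shared" and project_id in img.get("members", []))):
            seen.append(img["id"])
    return seen


if __name__ == "__main__":
    rules = load_policy(POLICY_JSON)
    member = roles_from_token({"roles": [{"name": "_member_"}]})
    admin = roles_from_token({"roles": [{"name": "admin"}]})
    for who, roles in (("_member_ in project2", member), ("admin", admin)):
        print(who, "get_images:", enforce(rules, "get_images", roles),
              "publicize_image:", enforce(rules, "publicize_image", roles),
              "unlisted action:", enforce(rules, "not_in_file", roles))
        print(who, "sees:", visible_images(SAMPLE_IMAGES, PROJECT2, roles, rules))
```

If the user2 listing in your deployment includes image1 here, the thing to compare is the "roles" list of user2's token against what context_is_admin requires, since that is the only path in this model that makes a private image from another project visible.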

------------------------------

Message: 14
Date: Fri, 19 Oct 2018 13:45:03 -0400
From: Jay Pipes <[hidden email]>
To: [hidden email]
Subject: Re: [Openstack-operators] Fleio - OpenStack billing - ver.
        1.1 released
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=utf-8; format=flowed

Please do not use these mailing lists to advertise
closed-source/proprietary software solutions.

Thank you,
-jay

On 10/19/2018 05:42 AM, Adrian Andreias wrote:
> Hello,
>
> We've just released Fleio version 1.1.
>
> Fleio is a billing solution and control panel for OpenStack public
> clouds and traditional web hosters.
>
> Fleio software automates the entire process for cloud users. New
> customers can use Fleio to sign up for an account, pay invoices, add
> credit to their account, as well as create and manage cloud resources
> such as virtual machines, storage and networking.
>
> Full feature list:
> https://fleio.com#features
>
> You can see an online demo:
> https://fleio.com/demo
>
> And sign-up for a free trial:
> https://fleio.com/signup
>
>
>
> Cheers!
>
> - Adrian Andreias
> https://fleio.com
>
>
>
>



------------------------------

Message: 15
Date: Fri, 19 Oct 2018 20:13:40 +0200
From: Mohammed Naser <[hidden email]>
To: [hidden email]
Cc: openstack-operators <[hidden email]>
Subject: Re: [Openstack-operators] Fleio - OpenStack billing - ver.
        1.1     released
Message-ID:
        <CAEs876gDHPFjgxnD+[hidden email]>
Content-Type: text/plain; charset="UTF-8"

On Fri, Oct 19, 2018 at 7:45 PM Jay Pipes <[hidden email]> wrote:
>
> Please do not use these mailing lists to advertise
> closed-source/proprietary software solutions.

+1

> Thank you,
> -jay
>
> On 10/19/2018 05:42 AM, Adrian Andreias wrote:
> > Hello,
> >
> > We've just released Fleio version 1.1.
> >
> > Fleio is a billing solution and control panel for OpenStack public
> > clouds and traditional web hosters.
> >
> > Fleio software automates the entire process for cloud users. New
> > customers can use Fleio to sign up for an account, pay invoices, add
> > credit to their account, as well as create and manage cloud resources
> > such as virtual machines, storage and networking.
> >
> > Full feature list:
> > https://fleio.com#features
> >
> > You can see an online demo:
> > https://fleio.com/demo
> >
> > And sign-up for a free trial:
> > https://fleio.com/signup
> >
> >
> >
> > Cheers!
> >
> > - Adrian Andreias
> > https://fleio.com
> >
> >
> >
> >
>



--
Mohammed Naser — vexxhost
-----------------------------------------------------
D. 514-316-8872
D. 800-910-1726 ext. 200
E. [hidden email]
W. http://vexxhost.com



------------------------------

Message: 16
Date: Fri, 19 Oct 2018 14:39:29 -0400
From: Erik McCormick <[hidden email]>
To: openstack-operators <[hidden email]>
Subject: [Openstack-operators] [Octavia] SSL errors polling amphorae
        and     missing tenant network interface
Message-ID:
        <CAHUi5cNByYFRr4vHY9iAEhAFc=[hidden email]>
Content-Type: text/plain; charset="UTF-8"

I've been wrestling with getting Octavia up and running and have
become stuck on two issues. I'm hoping someone has run into these
before. My google foo has come up empty.

Issue 1:
When the Octavia controller tries to poll the amphora instance, it
tries repeatedly and eventually fails. The error on the controller
side is:

2018-10-19 14:17:39.181 26 ERROR
octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection
retries (currently set to 300) exhausted.  The amphora is unavailable.
Reason: HTTPSConnectionPool(host='10.7.0.112', port=9443): Max retries
exceeded with url: /0.5/plug/vip/10.250.20.15 (Caused by
SSLError(SSLError("bad handshake: Error([('rsa routines',
'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
'tls_process_server_certificate', 'certificate verify
failed')],)",),)): SSLError: HTTPSConnectionPool(host='10.7.0.112',
port=9443): Max retries exceeded with url: /0.5/plug/vip/10.250.20.15
(Caused by SSLError(SSLError("bad handshake: Error([('rsa routines',
'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
'tls_process_server_certificate', 'certificate verify
failed')],)",),))

On the amphora side I see:
[2018-10-19 17:52:54 +0000] [1331] [DEBUG] Error processing SSL request.
[2018-10-19 17:52:54 +0000] [1331] [DEBUG] Invalid request from
ip=::ffff:10.7.0.40: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake
failure (_ssl.c:1754)

I've generated certificates both with the script in the Octavia git
repo, and with the Openstack Ansible playbook. I can see that they are
present in /etc/octavia/certs.

I'm using the Kolla (Queens) containers for the control plane so I'm
sure I've satisfied all the python library constraints.

Issue 2:
I'm not sure how it gets configured, but the tenant network interface
(ens6) never comes up. I can spawn other instances on that network
with no issue, and I can see that Neutron has the port attached to the
instance. However, in the instance this is all I get:

ubuntu@amphora-33e0aab3-8bc4-4fcb-bc42-b9b36afb16d4:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast
state UP group default qlen 1000
    link/ether fa:16:3e:30:c4:60 brd ff:ff:ff:ff:ff:ff
    inet 10.7.0.112/16 brd 10.7.255.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe30:c460/64 scope link
       valid_lft forever preferred_lft forever
3: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
default qlen 1000
    link/ether fa:16:3e:89:a2:7f brd ff:ff:ff:ff:ff:ff

There's no evidence of the interface anywhere else including udev rules.

Any help with either or both issues would be greatly appreciated.

Cheers,
Erik



------------------------------

Message: 17
Date: Sat, 20 Oct 2018 01:47:42 +0200
From: Gaël THEROND <[hidden email]>
To: Erik McCormick <[hidden email]>
Cc: openstack-operators <[hidden email]>
Subject: Re: [Openstack-operators] [Octavia] SSL errors polling
        amphorae and missing tenant network interface
Message-ID:
        <CAG+53ua-Hcjjq=[hidden email]>
Content-Type: text/plain; charset="utf-8"

Hi Erik!

Glad I’m not the only one having this issue with the SSL communication
between the amphora and the CP.

Even if I don’t yet have a clear answer regarding that issue, I think your
second issue is not an issue, as the interface is mounted in a namespace, so
you’ll need to list all NICs, including those inside the namespace.

Use "ip netns ls" to get the namespace.

Hope it helps.

On Fri, 19 Oct 2018 at 20:40, Erik McCormick <[hidden email]>
wrote:

> I've been wrestling with getting Octavia up and running and have
> become stuck on two issues. I'm hoping someone has run into these
> before. My google foo has come up empty.
>
> Issue 1:
> When the Octavia controller tries to poll the amphora instance, it
> tries repeatedly and eventually fails. The error on the controller
> side is:
>
> 2018-10-19 14:17:39.181 26 ERROR
> octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection
> retries (currently set to 300) exhausted.  The amphora is unavailable.
> Reason: HTTPSConnectionPool(host='10.7.0.112', port=9443): Max retries
> exceeded with url: /0.5/plug/vip/10.250.20.15 (Caused by
> SSLError(SSLError("bad handshake: Error([('rsa routines',
> 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
> 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
> routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
> 'tls_process_server_certificate', 'certificate verify
> failed')],)",),)): SSLError: HTTPSConnectionPool(host='10.7.0.112',
> port=9443): Max retries exceeded with url: /0.5/plug/vip/10.250.20.15
> (Caused by SSLError(SSLError("bad handshake: Error([('rsa routines',
> 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
> 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
> routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
> 'tls_process_server_certificate', 'certificate verify
> failed')],)",),))
>
> On the amphora side I see:
> [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Error processing SSL request.
> [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Invalid request from
> ip=::ffff:10.7.0.40: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake
> failure (_ssl.c:1754)
>
> I've generated certificates both with the script in the Octavia git
> repo, and with the Openstack Ansible playbook. I can see that they are
> present in /etc/octavia/certs.
>
> I'm using the Kolla (Queens) containers for the control plane so I'm
> sure I've satisfied all the python library constraints.
>
> Issue 2:
> I'm not sure how it gets configured, but the tenant network interface
> (ens6) never comes up. I can spawn other instances on that network
> with no issue, and I can see that Neutron has the port attached to the
> instance. However, in the instance this is all I get:
>
> ubuntu@amphora-33e0aab3-8bc4-4fcb-bc42-b9b36afb16d4:~$ ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast
> state UP group default qlen 1000
>     link/ether fa:16:3e:30:c4:60 brd ff:ff:ff:ff:ff:ff
>     inet 10.7.0.112/16 brd 10.7.255.255 scope global ens3
>        valid_lft forever preferred_lft forever
>     inet6 fe80::f816:3eff:fe30:c460/64 scope link
>        valid_lft forever preferred_lft forever
> 3: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
> default qlen 1000
>     link/ether fa:16:3e:89:a2:7f brd ff:ff:ff:ff:ff:ff
>
> There's no evidence of the interface anywhere else including udev rules.
>
> Any help with either or both issues would be greatly appreciated.
>
> Cheers,
> Erik
>
>

------------------------------



------------------------------

End of OpenStack-operators Digest, Vol 96, Issue 7
**************************************************



Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

iain MacDonnell-2

It (still) seems like there's something funky about admin/non-admin in
your case.

You could try "openstack --debug token issue" (in the admin and
non-admin cases), and examine the token dict that gets output. Look for
the "roles" list and "is_admin_project".

     ~iain
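The admin/non-admin question raised above comes down to two things: whether the token's roles satisfy glance's "context_is_admin" rule, and, if not, whether the owner/visibility filter lets the image through. The following is an added example written for this page, not code from Glance, oslo.policy or anyone in the thread: a simplified model of how those two checks interact, so the effect of the "default": "role:admin" line and of a loose "context_is_admin" rule can be seen side by side. All ids, role names and the extra policy rules are constructed.

```python
"""Toy model of the checks this thread is about: glance's "context_is_admin"
and "default" policy rules, and the owner/visibility filter behind
'openstack image list'.  Simplified model for illustration, not Glance code.
Rule syntax handled: "" (always), "!" (never), "role:<name>",
"project_id:<id>", "rule:<other rule>", joined with "or" / "and".
"""
import json

# Constructed policy fragment.  The context_is_admin and default lines are
# the ones quoted in the thread; the other two rules are assumed for the model.
POLICY_JSON = """{
    "context_is_admin": "role:admin",
    "default": "role:admin",
    "get_images": "",
    "publicize_image": "rule:context_is_admin"
}"""

# Constructed *misconfiguration* for comparison: this would make every user
# holding the plain "user" role an admin in glance's eyes.
LOOSE_POLICY_JSON = """{
    "context_is_admin": "role:admin or role:user",
    "default": "role:admin",
    "get_images": "",
    "publicize_image": "rule:context_is_admin"
}"""


def load_policy(text):
    return json.loads(text)


def check(policy, rule_name, token, depth=0):
    """Evaluate a named rule against a token dict ({"project_id", "roles"}).
    A rule that is not listed falls back to "default": with
    "default": "role:admin" an unlisted action needs the admin role, while
    every listed rule is judged on its own text."""
    if depth > 10:
        raise ValueError("policy rule recursion too deep")
    expr = policy.get(rule_name, policy.get("default", "!"))
    return _eval(expr, policy, token, depth)


def _eval(expr, policy, token, depth):
    expr = expr.strip()
    if expr == "":
        return True
    if expr == "!":
        return False
    if " or " in expr:  # "or" binds looser than "and"
        return any(_eval(p, policy, token, depth) for p in expr.split(" or "))
    if " and " in expr:
        return all(_eval(p, policy, token, depth) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in token["roles"]
    if kind == "project_id":
        return value == token["project_id"]
    if kind == "rule":
        return check(policy, value, token, depth + 1)
    raise ValueError("unsupported rule text: %r" % expr)


def is_admin(policy, token):
    return check(policy, "context_is_admin", token)


def visible_images(policy, token, images):
    """Images the token should get back from a listing: admins see all;
    others see public/community images, their own project's images, and
    shared images their project is a member of."""
    if is_admin(policy, token):
        return list(images)
    mine = token["project_id"]
    seen = []
    for img in images:
        vis = img["visibility"]
        if vis in ("public", "community") or img["owner"] == mine:
            seen.append(img)
        elif vis == "shared" and mine in img.get("members", ()):
            seen.append(img)
    return seen


# Constructed sample data modelled on the thread: a private image owned by
# the admin project, and a non-admin user in a different project.
ADMIN_PROJECT = "admin-project-id"
TEST_PROJECT = "test-project-id"
MIKE = {"user": "mike", "project_id": TEST_PROJECT, "roles": ["user"]}
ADMIN = {"user": "admin", "project_id": ADMIN_PROJECT, "roles": ["admin"]}
IMAGES = [
    {"name": "cirros", "owner": ADMIN_PROJECT, "visibility": "public"},
    {"name": "image1", "owner": ADMIN_PROJECT, "visibility": "private"},
]


def names_seen_by(token, policy_text=POLICY_JSON):
    policy = load_policy(policy_text)
    return [img["name"] for img in visible_images(policy, token, IMAGES)]


if __name__ == "__main__":
    pol = load_policy(POLICY_JSON)
    print("mike sees:", names_seen_by(MIKE))                          # ['cirros']
    print("admin sees:", names_seen_by(ADMIN))                        # ['cirros', 'image1']
    print("mike may list images:", check(pol, "get_images", MIKE))    # True
    print("mike, unlisted action:", check(pol, "frobnicate", MIKE))   # False (falls to default)
    print("loose policy, mike sees:", names_seen_by(MIKE, LOOSE_POLICY_JSON))  # both images
```

With the policy as quoted in the thread, the "default" line only bites for actions that have no rule of their own; it does not make anyone an admin. The private image only leaks to the other project when the token's roles satisfy "context_is_admin", which is why comparing the "roles" list in the two tokens is the first thing to check.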



On 10/23/2018 03:21 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
INTEGRA, INC.] wrote:

> We have submitted a bug for this
>
> https://bugs.launchpad.net/glance/+bug/1799588 
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
>
> [hidden email] <mailto:[hidden email]>
>
>
> Hydrogen fusion brightens my day.
>
> *From: *"Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
> <[hidden email]>
> *Date: *Saturday, October 20, 2018 at 7:22 PM
> *To: *Logan Hicks <[hidden email]>,
> "[hidden email]"
> <[hidden email]>
> *Subject: *Re: [Openstack-operators] OpenStack-operators Digest, Vol 96,
> Issue 7
>
> The images exist and are bootable. I'm going to trace through the actual
> code for glance API. Any suggestions on where the show/hide logic is
> when it filters responses? I'm new to digging through OpenStack code.
>
> ------------------------------------------------------------------------
>
> *From:*Logan Hicks [[hidden email]]
> *Sent:* Friday, October 19, 2018 8:00 PM
> *To:* [hidden email]
> *Subject:* Re: [Openstack-operators] OpenStack-operators Digest, Vol 96,
> Issue 7
>
> Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants (Chris Apsey)
>
> I noticed that the image says queued. If I'm not mistaken, an image can't
> have permissions applied until after the image is created, which might
> explain the issue he's seeing.
>
> The object doesn't exist until it's made by openstack.
>
> I'd check to see if something is holding up images being made. I'd start
> with glance.
>
> Respectfully,
>
> Logan Hicks
>
> -------- Original message --------
>
> From: [hidden email]
>
> Date: 10/19/18 7:49 PM (GMT-05:00)
>
> To: [hidden email]
>
> Subject: OpenStack-operators Digest, Vol 96, Issue 7
>
>
> Today's Topics:
>
>     1. [nova] Removing the CachingScheduler (Matt Riedemann)
>     2. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants
>        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
>     3. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants (Chris Apsey)
>     4. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants (iain MacDonnell)
>     5. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants
>        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
>     6. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants (iain MacDonnell)
>     7. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants (Chris Apsey)
>     8. osops-tools-monitoring Dependency problems (Tomáš Vondra)
>     9. [heat][cinder] How to create stack snapshot including volumes
>        (Christian Zunker)
>    10. Fleio - OpenStack billing - ver. 1.1 released (Adrian Andreias)
>    11. Re: [Openstack-sigs] [all] Naming the T release of OpenStack
>        (Tony Breeds)
>    12. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants
>        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
>    13. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants
>        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
>    14. Re: Fleio - OpenStack billing - ver. 1.1 released (Jay Pipes)
>    15. Re: Fleio - OpenStack billing - ver. 1.1 released (Mohammed Naser)
>    16. [Octavia] SSL errors polling amphorae and missing tenant
>        network interface (Erik McCormick)
>    17. Re: [Octavia] SSL errors polling amphorae and missing tenant
>        network interface (Gaël THEROND)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 18 Oct 2018 17:07:00 -0500
> From: Matt Riedemann <[hidden email]>
> To: "[hidden email]"
>          <[hidden email]>
> Subject: [Openstack-operators] [nova] Removing the CachingScheduler
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> It's been deprecated since Pike, and the time has come to remove it [1].
>
> mgagne has been the most vocal CachingScheduler operator I know and he
> has tested out the "nova-manage placement heal_allocations" CLI, added
> in Rocky, and said it will work for migrating his deployment from the
> CachingScheduler to the FilterScheduler + Placement.
>
> If you are using the CachingScheduler and have a problem with its
> removal, now is the time to speak up or forever hold your peace.
>
> [1] https://review.openstack.org/#/c/611723/1 
>
> --
>
> Thanks,
>
> Matt
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 18 Oct 2018 22:11:40 +0000
> From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>
> To: iain MacDonnell <[hidden email]>,
>          "[hidden email]"
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> I have replicated this unexpected behavior in a Pike test environment,
> in addition to our Queens environment.
>
>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> [hidden email]
>
> Hydrogen fusion brightens my day.
>
>
> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.]" <[hidden email]> wrote:
>
>      Yes. I verified it by creating a non-admin user in a different
> tenant. I created a new image, set to private with the project defined
> as our admin tenant.
>
>      In the database I can see that the image is 'private' and the owner
> is the ID of the admin tenant.
>
>      Mike Moore, M.S.S.E.
>
>      Systems Engineer, Goddard Private Cloud
>      [hidden email]
>
>      Hydrogen fusion brightens my day.
>
>
>      On 10/18/18, 1:07 AM, "iain MacDonnell"
> <[hidden email]> wrote:
>
>
>
>          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>          INTEGRA, INC.] wrote:
>          > I’m seeing unexpected behavior in our Queens environment
> related to
>          > Glance image visibility. Specifically users who, based on my
>          > understanding of the visibility and ownership fields, should
> NOT be able
>          > to see or view the image.
>          >
>          > If I create a new image with openstack image create and
> specify –project
>          > <tenant> and –private a non-admin user in a different tenant
> can see and
>          > boot that image.
>          >
>          > That seems to be the opposite of what should happen. Any ideas?
>
>          Yep, something's not right there.
>
>          Are you sure that the user that can see the image doesn't have
> the admin
>          role (for the project in its keystone token) ?
>
>          Did you verify that the image's owner is what you intended, and
> that the
>          visibility really is "private" ?
>
>               ~iain
>
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 18 Oct 2018 18:23:35 -0400
> From: Chris Apsey <[hidden email]>
> To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>, iain MacDonnell
>          <[hidden email]>,
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID:
>          <[hidden email]>
> Content-Type: text/plain; format=flowed; charset="UTF-8"
>
> Do you have a liberal/custom policy.json that perhaps is causing unexpected
> behavior?  Can't seem to reproduce this.
>
> On October 18, 2018 18:13:22 "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.]" <[hidden email]> wrote:
>
>> I have replicated this unexpected behavior in a Pike test environment, in
>> addition to our Queens environment.
>>
>>
>>
>> Mike Moore, M.S.S.E.
>>
>> Systems Engineer, Goddard Private Cloud
>> [hidden email]
>>
>> Hydrogen fusion brightens my day.
>>
>>
>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
>> INC.]" <[hidden email]> wrote:
>>
>>    Yes. I verified it by creating a non-admin user in a different tenant. I
>>    created a new image, set to private with the project defined as our admin
>>    tenant.
>>
>>    In the database I can see that the image is 'private' and the owner is the
>>    ID of the admin tenant.
>>
>>    Mike Moore, M.S.S.E.
>>
>>    Systems Engineer, Goddard Private Cloud
>>    [hidden email]
>>
>>    Hydrogen fusion brightens my day.
>>
>>
>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
>>
>>
>>
>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>        INTEGRA, INC.] wrote:
>>> I’m seeing unexpected behavior in our Queens environment related to
>>> Glance image visibility. Specifically users who, based on my
>>> understanding of the visibility and ownership fields, should NOT be able
>>> to see or view the image.
>>>
>>> If I create a new image with openstack image create and specify –project
>>> <tenant> and –private a non-admin user in a different tenant can see and
>>> boot that image.
>>>
>>> That seems to be the opposite of what should happen. Any ideas?
>>
>>        Yep, something's not right there.
>>
>>        Are you sure that the user that can see the image doesn't have the admin
>>        role (for the project in its keystone token) ?
>>
>>        Did you verify that the image's owner is what you intended, and that the
>>        visibility really is "private" ?
>>
>>             ~iain
>>
>>
>>
>>
>>
>
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 18 Oct 2018 15:25:22 -0700
> From: iain MacDonnell <[hidden email]>
> To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>,
> "[hidden email]"
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
>
> I suspect that your non-admin user is not really non-admin. How did you
> create it?
>
> What do you have for "context_is_admin" in glance's policy.json?
>
>       ~iain
>
>
> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.] wrote:
>> I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
>>
>>
>>
>> Mike Moore, M.S.S.E.
>>  
>> Systems Engineer, Goddard Private Cloud
>> [hidden email]
>>  
>> Hydrogen fusion brightens my day.
>>  
>>
>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]> wrote:
>>
>>      Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
>>      
>>      In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
>>      
>>      Mike Moore, M.S.S.E.
>>      
>>      Systems Engineer, Goddard Private Cloud
>>      [hidden email]
>>      
>>      Hydrogen fusion brightens my day.
>>      
>>      
>>      On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
>>      
>>          
>>          
>>          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>          INTEGRA, INC.] wrote:
>>          > I’m seeing unexpected behavior in our Queens environment related to
>>          > Glance image visibility. Specifically users who, based on my
>>          > understanding of the visibility and ownership fields, should NOT be able
>>          > to see or view the image.
>>          >
>>          > If I create a new image with openstack image create and specify –project
>>          > <tenant> and –private a non-admin user in a different tenant can see and
>>          > boot that image.
>>          >
>>          > That seems to be the opposite of what should happen. Any ideas?
>>          
>>          Yep, something's not right there.
>>          
>>          Are you sure that the user that can see the image doesn't have the admin
>>          role (for the project in its keystone token) ?
>>          
>>          Did you verify that the image's owner is what you intended, and that the
>>          visibility really is "private" ?
>>          
>>               ~iain
>>          
>>          
>>      
>>      
>>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 18 Oct 2018 22:32:42 +0000
> From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>
> To: iain MacDonnell <[hidden email]>,
>          "[hidden email]"
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> openstack user create --domain default --password xxxxxxxx
> --project-domain ndc --project test mike
>
>
> openstack role add --user mike --user-domain default --project test user
>
> my admin account is in the NDC domain with a different username.
>
>
>
> /etc/glance/policy.json
> {
>
> "context_is_admin":  "role:admin",
> "default": "role:admin",
>
> <snip>
>
>
> I'm not terribly familiar with the policies but I feel like that default
> line is making everyone an admin by default?
>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> [hidden email]
>
> Hydrogen fusion brightens my day.
>
>
> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
>
>
>      I suspect that your non-admin user is not really non-admin. How did
> you
>      create it?
>
>      What do you have for "context_is_admin" in glance's policy.json?
>
>           ~iain
>
>
>      On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      INTEGRA, INC.] wrote:
>      > I have replicated this unexpected behavior in a Pike test
> environment, in addition to our Queens environment.
>      >
>      >
>      >
>      > Mike Moore, M.S.S.E.
>      >
>      > Systems Engineer, Goddard Private Cloud
>      > [hidden email]
>      >
>      > Hydrogen fusion brightens my day.
>      >
>      >
>      > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.]" <[hidden email]> wrote:
>      >
>      >      Yes. I verified it by creating a non-admin user in a
> different tenant. I created a new image, set to private with the project
> defined as our admin tenant.
>      >
>      >      In the database I can see that the image is 'private' and
> the owner is the ID of the admin tenant.
>      >
>      >      Mike Moore, M.S.S.E.
>      >
>      >      Systems Engineer, Goddard Private Cloud
>      >      [hidden email]
>      >
>      >      Hydrogen fusion brightens my day.
>      >
>      >
>      >      On 10/18/18, 1:07 AM, "iain MacDonnell"
> <[hidden email]> wrote:
>      >
>      >
>      >
>      >          On 10/17/2018 12:29 PM, Moore, Michael Dane
> (GSFC-720.0)[BUSINESS
>      >          INTEGRA, INC.] wrote:
>      >          > I’m seeing unexpected behavior in our Queens
> environment related to
>      >          > Glance image visibility. Specifically users who, based
> on my
>      >          > understanding of the visibility and ownership fields,
> should NOT be able
>      >          > to see or view the image.
>      >          >
>      >          > If I create a new image with openstack image create
> and specify –project
>      >          > <tenant> and –private a non-admin user in a different
> tenant can see and
>      >          > boot that image.
>      >          >
>      >          > That seems to be the opposite of what should happen.
> Any ideas?
>      >
>      >          Yep, something's not right there.
>      >
>      >          Are you sure that the user that can see the image
> doesn't have the admin
>      >          role (for the project in its keystone token) ?
>      >
>      >          Did you verify that the image's owner is what you
> intended, and that the
>      >          visibility really is "private" ?
>      >
>      >               ~iain
>      >
>      >
>      >
>      >
>      >
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 18 Oct 2018 15:48:27 -0700
> From: iain MacDonnell <[hidden email]>
> To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>,
> "[hidden email]"
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
>
> That all looks fine.
>
> I believe that the "default" policy applies in place of any that's not
> explicitly specified - i.e. "if there's no matching policy below, you
> need to have the admin role to be able to do it". I do have that line in
> my policy.json, and I cannot reproduce your problem (see below).
>
> I'm not using domains (other than "default"). I wonder if that's a factor...
>
>       ~iain
>
>
> $ openstack user create --password foo user1
> +---------------------+----------------------------------+
> | Field               | Value                            |
> +---------------------+----------------------------------+
> | domain_id           | default                          |
> | enabled             | True                             |
> | id                  | d18c0031ec56430499a2d690cb1f125c |
> | name                | user1                            |
> | options             | {}                               |
> | password_expires_at | None                             |
> +---------------------+----------------------------------+
> $ openstack user create --password foo user2
> +---------------------+----------------------------------+
> | Field               | Value                            |
> +---------------------+----------------------------------+
> | domain_id           | default                          |
> | enabled             | True                             |
> | id                  | be9f1061a5104abd834eabe98dff055d |
> | name                | user2                            |
> | options             | {}                               |
> | password_expires_at | None                             |
> +---------------------+----------------------------------+
> $ openstack project create project1
> +-------------+----------------------------------+
> | Field       | Value                            |
> +-------------+----------------------------------+
> | description |                                  |
> | domain_id   | default                          |
> | enabled     | True                             |
> | id          | 826876d6d3724018bae6253c7f540cb3 |
> | is_domain   | False                            |
> | name        | project1                         |
> | parent_id   | default                          |
> | tags        | []                               |
> +-------------+----------------------------------+
> $ openstack project create project2
> +-------------+----------------------------------+
> | Field       | Value                            |
> +-------------+----------------------------------+
> | description |                                  |
> | domain_id   | default                          |
> | enabled     | True                             |
> | id          | b446b93ac6e24d538c1943acbdd13cb2 |
> | is_domain   | False                            |
> | name        | project2                         |
> | parent_id   | default                          |
> | tags        | []                               |
> +-------------+----------------------------------+
> $ openstack role add --user user1 --project project1 _member_
> $ openstack role add --user user2 --project project2 _member_
> $ export OS_PASSWORD=foo
> $ export OS_USERNAME=user1
> $ export OS_PROJECT_NAME=project1
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> +--------------------------------------+--------+--------+
> $ openstack image create --private image1
> +------------------+------------------------------------------------------------------------------+
> | Field            | Value                                                                        |
> +------------------+------------------------------------------------------------------------------+
> | checksum         | None                                                                         |
> | container_format | bare                                                                         |
> | created_at       | 2018-10-18T22:17:41Z                                                         |
> | disk_format      | raw                                                                          |
> | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
> | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
> | min_disk         | 0                                                                            |
> | min_ram          | 0                                                                            |
> | name             | image1                                                                       |
> | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
> | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
> | protected        | False                                                                        |
> | schema           | /v2/schemas/image                                                            |
> | size             | None                                                                         |
> | status           | queued                                                                       |
> | tags             |                                                                              |
> | updated_at       | 2018-10-18T22:17:41Z                                                         |
> | virtual_size     | None                                                                         |
> | visibility       | private                                                                      |
> +------------------+------------------------------------------------------------------------------+
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> +--------------------------------------+--------+--------+
> $ export OS_USERNAME=user2
> $ export OS_PROJECT_NAME=project2
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> +--------------------------------------+--------+--------+
> $ export OS_USERNAME=admin
> $ export OS_PROJECT_NAME=admin
> $ export OS_PASSWORD=xxx
> $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> $ export OS_USERNAME=user2
> $ export OS_PROJECT_NAME=project2
> $ export OS_PASSWORD=foo
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> +--------------------------------------+--------+--------+
> $
>
>
> On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.] wrote:
>> openstack user create --domain default --password xxxxxxxx --project-domain ndc --project test mike
>>
>>
>> openstack role add --user mike --user-domain default --project test user
>>
>> my admin account is in the NDC domain with a different username.
>>
>>
>>
>> /etc/glance/policy.json
>> {
>>
>> "context_is_admin":  "role:admin",
>> "default": "role:admin",
>>
>> <snip>
>>
>>
>> I'm not terribly familiar with the policies but I feel like that default line is making everyone an admin by default?
>>
>>
>> Mike Moore, M.S.S.E.
>>  
>> Systems Engineer, Goddard Private Cloud
>> [hidden email]
>>  
>> Hydrogen fusion brightens my day.
>>  
>>
>> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
>>
>>      
>>      I suspect that your non-admin user is not really non-admin. How did you
>>      create it?
>>      
>>      What do you have for "context_is_admin" in glance's policy.json?
>>      
>>           ~iain
>>      
>>      
>>      On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>      INTEGRA, INC.] wrote:
>>      > I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
>>      >
>>      >
>>      >
>>      > Mike Moore, M.S.S.E.
>>      >
>>      > Systems Engineer, Goddard Private Cloud
>>      > [hidden email]
>>      >
>>      > Hydrogen fusion brightens my day.
>>      >
>>      >
>>      > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]> wrote:
>>      >
>>      >      Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
>>      >
>>      >      In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
>>      >
>>      >      Mike Moore, M.S.S.E.
>>      >
>>      >      Systems Engineer, Goddard Private Cloud
>>      >      [hidden email]
>>      >
>>      >      Hydrogen fusion brightens my day.
>>      >
>>      >
>>      >      On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
>>      >
>>      >
>>      >
>>      >          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>      >          INTEGRA, INC.] wrote:
>>      >          > I’m seeing unexpected behavior in our Queens environment related to
>>      >          > Glance image visibility. Specifically users who, based on my
>>      >          > understanding of the visibility and ownership fields, should NOT be able
>>      >          > to see or view the image.
>>      >          >
>>      >          > If I create a new image with openstack image create and specify –project
>>      >          > <tenant> and –private a non-admin user in a different tenant can see and
>>      >          > boot that image.
>>      >          >
>>      >          > That seems to be the opposite of what should happen. Any ideas?
>>      >
>>      >          Yep, something's not right there.
>>      >
>>      >          Are you sure that the user that can see the image doesn't have the admin
>>      >          role (for the project in its keystone token) ?
>>      >
>>      >          Did you verify that the image's owner is what you intended, and that the
>>      >          visibility really is "private" ?
>>      >
>>      >               ~iain
>>      >
>>      >          _______________________________________________
>>      >          OpenStack-operators mailing list
>>      >          [hidden email]
>>      >          http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>      >
>>      >
>>      >      _______________________________________________
>>      >      OpenStack-operators mailing list
>>      >      [hidden email]
>>      >      http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>      >
>>      >
>>      
>>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 18 Oct 2018 19:23:42 -0400
> From: Chris Apsey <[hidden email]>
> To: iain MacDonnell <[hidden email]>, "Moore, Michael Dane
>          (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]>,
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID:
>          <[hidden email]>
> Content-Type: text/plain; format=flowed; charset="UTF-8"
>
> We are using multiple keystone domains - still can't reproduce this.
>
> Do you happen to have a customized keystone policy.json?
>
> Worst case, I would launch a devstack of your targeted release.  If you
> can't reproduce the issue there, you would at least know it's caused by a
> nonstandard config rather than a bug (or at least not a bug that's present
> when using a default config).
>
> On October 18, 2018 18:50:12 iain MacDonnell <[hidden email]>
> wrote:
>
>> That all looks fine.
>>
>> I believe that the "default" policy applies in place of any that's not
>> explicitly specified - i.e. "if there's no matching policy below, you
>> need to have the admin role to be able to do it". I do have that line in
>> my policy.json, and I cannot reproduce your problem (see below).
>>
>> I'm not using domains (other than "default"). I wonder if that's a factor...
>>
>>     ~iain
>>
>>
>> $ openstack user create --password foo user1
>> +---------------------+----------------------------------+
>> | Field               | Value                            |
>> +---------------------+----------------------------------+
>> | domain_id           | default                          |
>> | enabled             | True                             |
>> | id                  | d18c0031ec56430499a2d690cb1f125c |
>> | name                | user1                            |
>> | options             | {}                               |
>> | password_expires_at | None                             |
>> +---------------------+----------------------------------+
>> $ openstack user create --password foo user2
>> +---------------------+----------------------------------+
>> | Field               | Value                            |
>> +---------------------+----------------------------------+
>> | domain_id           | default                          |
>> | enabled             | True                             |
>> | id                  | be9f1061a5104abd834eabe98dff055d |
>> | name                | user2                            |
>> | options             | {}                               |
>> | password_expires_at | None                             |
>> +---------------------+----------------------------------+
>> $ openstack project create project1
>> +-------------+----------------------------------+
>> | Field       | Value                            |
>> +-------------+----------------------------------+
>> | description |                                  |
>> | domain_id   | default                          |
>> | enabled     | True                             |
>> | id          | 826876d6d3724018bae6253c7f540cb3 |
>> | is_domain   | False                            |
>> | name        | project1                         |
>> | parent_id   | default                          |
>> | tags        | []                               |
>> +-------------+----------------------------------+
>> $ openstack project create project2
>> +-------------+----------------------------------+
>> | Field       | Value                            |
>> +-------------+----------------------------------+
>> | description |                                  |
>> | domain_id   | default                          |
>> | enabled     | True                             |
>> | id          | b446b93ac6e24d538c1943acbdd13cb2 |
>> | is_domain   | False                            |
>> | name        | project2                         |
>> | parent_id   | default                          |
>> | tags        | []                               |
>> +-------------+----------------------------------+
>> $ openstack role add --user user1 --project project1 _member_
>> $ openstack role add --user user2 --project project2 _member_
>> $ export OS_PASSWORD=foo
>> $ export OS_USERNAME=user1
>> $ export OS_PROJECT_NAME=project1
>> $ openstack image list
>> +--------------------------------------+--------+--------+
>> | ID                                   | Name   | Status |
>> +--------------------------------------+--------+--------+
>> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>> +--------------------------------------+--------+--------+
>> $ openstack image create --private image1
>> +------------------+------------------------------------------------------------------------------+
>> | Field            | Value                                                                        |
>> +------------------+------------------------------------------------------------------------------+
>> | checksum         | None                                                                         |
>> | container_format | bare                                                                         |
>> | created_at       | 2018-10-18T22:17:41Z                                                         |
>> | disk_format      | raw                                                                          |
>> | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
>> | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
>> | min_disk         | 0                                                                            |
>> | min_ram          | 0                                                                            |
>> | name             | image1                                                                       |
>> | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
>> | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
>> | protected        | False                                                                        |
>> | schema           | /v2/schemas/image                                                            |
>> | size             | None                                                                         |
>> | status           | queued                                                                       |
>> | tags             |                                                                              |
>> | updated_at       | 2018-10-18T22:17:41Z                                                         |
>> | virtual_size     | None                                                                         |
>> | visibility       | private                                                                      |
>> +------------------+------------------------------------------------------------------------------+
>> $ openstack image list
>> +--------------------------------------+--------+--------+
>> | ID                                   | Name   | Status |
>> +--------------------------------------+--------+--------+
>> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>> +--------------------------------------+--------+--------+
>> $ export OS_USERNAME=user2
>> $ export OS_PROJECT_NAME=project2
>> $ openstack image list
>> +--------------------------------------+--------+--------+
>> | ID                                   | Name   | Status |
>> +--------------------------------------+--------+--------+
>> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>> +--------------------------------------+--------+--------+
>> $ export OS_USERNAME=admin
>> $ export OS_PROJECT_NAME=admin
>> $ export OS_PASSWORD=xxx
>> $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
>> $ export OS_USERNAME=user2
>> $ export OS_PROJECT_NAME=project2
>> $ export OS_PASSWORD=foo
>> $ openstack image list
>> +--------------------------------------+--------+--------+
>> | ID                                   | Name   | Status |
>> +--------------------------------------+--------+--------+
>> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>> +--------------------------------------+--------+--------+
>> $
>>
>>
>> On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>> INTEGRA, INC.] wrote:
>>> openstack user create --domain default --password xxxxxxxx --project-domain
>>> ndc --project test mike
>>>
>>>
>>> openstack role add --user mike --user-domain default --project test user
>>>
>>> my admin account is in the NDC domain with a different username.
>>>
>>>
>>>
>>> /etc/glance/policy.json
>>> {
>>>
>>> "context_is_admin":  "role:admin",
>>> "default": "role:admin",
>>>
>>> <snip>
>>>
>>>
>>> I'm not terribly familiar with the policies but I feel like that default
>>> line is making everyone an admin by default?
>>>
>>>
>>> Mike Moore, M.S.S.E.
>>>
>>> Systems Engineer, Goddard Private Cloud
>>> [hidden email]
>>>
>>> Hydrogen fusion brightens my day.
>>>
>>>
>>> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
>>>
>>>
>>> I suspect that your non-admin user is not really non-admin. How did you
>>> create it?
>>>
>>> What you have for "context_is_admin" in glance's policy.json ?
>>>
>>>  ~iain
>>>
>>>
>>> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>> INTEGRA, INC.] wrote:
>>>> I have replicated this unexpected behavior in a Pike test environment, in
>>>> addition to our Queens environment.
>>>>
>>>>
>>>>
>>>> Mike Moore, M.S.S.E.
>>>>
>>>> Systems Engineer, Goddard Private Cloud
>>>> [hidden email]
>>>>
>>>> Hydrogen fusion brightens my day.
>>>>
>>>>
>>>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
>>>> INC.]" <[hidden email]> wrote:
>>>>
>>>>    Yes. I verified it by creating a non-admin user in a different tenant. I
>>>>    created a new image, set to private with the project defined as our admin
>>>>    tenant.
>>>>
>>>>    In the database I can see that the image is 'private' and the owner is the
>>>>    ID of the admin tenant.
>>>>
>>>>    Mike Moore, M.S.S.E.
>>>>
>>>>    Systems Engineer, Goddard Private Cloud
>>>>    [hidden email]
>>>>
>>>>    Hydrogen fusion brightens my day.
>>>>
>>>>
>>>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
>>>>
>>>>
>>>>
>>>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>>>        INTEGRA, INC.] wrote:
>>>>        > I’m seeing unexpected behavior in our Queens environment related to
>>>>        > Glance image visibility. Specifically users who, based on my
>>>>        > understanding of the visibility and ownership fields, should NOT be able
>>>>        > to see or view the image.
>>>>        >
>>>>        > If I create a new image with openstack image create and specify –project
>>>>        > <tenant> and –private a non-admin user in a different tenant can see and
>>>>        > boot that image.
>>>>        >
>>>>        > That seems to be the opposite of what should happen. Any ideas?
>>>>
>>>>        Yep, something's not right there.
>>>>
>>>>        Are you sure that the user that can see the image doesn't have the admin
>>>>        role (for the project in its keystone token) ?
>>>>
>>>>        Did you verify that the image's owner is what you intended, and that the
>>>>        visibility really is "private" ?
>>>>
>>>>             ~iain
>>>>
>>>>        _______________________________________________
>>>>        OpenStack-operators mailing list
>>>>        [hidden email]
>>>>        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>>
>>>>
>>>>    _______________________________________________
>>>>    OpenStack-operators mailing list
>>>>    [hidden email]
>>>>    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> [hidden email]
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators 
>
>
>
>
>
>
> ------------------------------
>
> Message: 8
> Date: Fri, 19 Oct 2018 10:58:30 +0200
> From: Tomáš Vondra <[hidden email]>
> To: <[hidden email]>
> Subject: [Openstack-operators] osops-tools-monitoring Dependency
>          problems
> Message-ID: <049e01d46789$e8bf5220$ba3df660$@homeatcloud.cz>
> Content-Type: text/plain; charset="iso-8859-2"
>
> Hi!
> I'm a long time user of monitoring-for-openstack, also known as oschecks.
> Concretely, I used a version from 2015 with OpenStack python client
> libraries from Kilo. Now I have upgraded them to Mitaka and it got broken.
> Even the latest oschecks don't work. I didn't quite expect that, given that
> there are several commits from this year e.g. by Nagasai Vinaykumar
> Kapalavai and paramite. Can one of them or some other user step up and say
> what version of OpenStack clients is oschecks working with? Ideally, write
> it down in requirements.txt so that it will be reproducible? Also, some
> documentation of what is the minimal set of parameters would also come in
> handy.
> Thanks a lot, Tomas from Homeatcloud
>
> The error messages are as absurd as:
> oschecks-check_glance_api --os_auth_url='http://10.1.101.30:5000/v2.0'
> --os_username=monitoring --os_password=XXX --os_tenant_name=monitoring
>
> CRITICAL: Traceback (most recent call last):
>    File "/usr/lib/python2.7/dist-packages/oschecks/utils.py", line 121, in safe_run
>      method()
>    File "/usr/lib/python2.7/dist-packages/oschecks/glance.py", line 29, in _check_glance_api
>      glance = utils.Glance()
>    File "/usr/lib/python2.7/dist-packages/oschecks/utils.py", line 177, in __init__
>      self.glance.parser = self.glance.get_base_parser(sys.argv)
> TypeError: get_base_parser() takes exactly 1 argument (2 given)
>
> (I can see 4 parameters on the command line.)
>
>
>
>
> ------------------------------
>
> Message: 9
> Date: Fri, 19 Oct 2018 11:21:25 +0200
> From: Christian Zunker <[hidden email]>
> To: openstack-operators <[hidden email]>
> Subject: [Openstack-operators] [heat][cinder] How to create stack
>          snapshot including volumes
> Message-ID: <CAHS=[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> Hi List,
>
> I'd like to take snapshots of heat stacks including the volumes.
> From what I found until now, this should be possible. You just have to
> configure some parts of OpenStack.
>
> I enabled cinder-backup with ceph backend. Backups from volumes are working.
> I configured heat to include the option backups_enabled = True.
>
> When I use openstack stack snapshot create, I get a snapshot but no backups
> of my volumes. I don't get any error messages in heat. Debug logging didn't
> help either.
>
> OpenStack version is Pike on Ubuntu installed with openstack-ansible.
> heat version is 9.0.3. So this should also include this bugfix:
> https://bugs.launchpad.net/heat/+bug/1687006 
>
> Is anybody using this feature? What am I missing?
>
> Best regards
> Christian
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> <http://lists.openstack.org/pipermail/openstack-operators/attachments/20181019/bb7dd81b/attachment-0001.html>
>
> ------------------------------
>
> Message: 10
> Date: Fri, 19 Oct 2018 12:42:00 +0300
> From: Adrian Andreias <[hidden email]>
> To: [hidden email]
> Subject: [Openstack-operators] Fleio - OpenStack billing - ver. 1.1
>          released
> Message-ID: <CACp-FE3gEP=nwXRtwy-H13qXrnhPa5bn0uWiukxWp=[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
>
> We've just released Fleio version 1.1.
>
> Fleio is a billing solution and control panel for OpenStack public clouds
> and traditional web hosters.
>
> Fleio software automates the entire process for cloud users. New customers
> can use Fleio to sign up for an account, pay invoices, add credit to their
> account, as well as create and manage cloud resources such as virtual
> machines, storage and networking.
>
> Full feature list:
> https://fleio.com#features 
>
> You can see an online demo:
> https://fleio.com/demo 
>
> And sign-up for a free trial:
> https://fleio.com/signup 
>
>
>
> Cheers!
>
> - Adrian Andreias
> https://fleio.com 
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> <http://lists.openstack.org/pipermail/openstack-operators/attachments/20181019/3031e47f/attachment-0001.html>
>
> ------------------------------
>
> Message: 11
> Date: Fri, 19 Oct 2018 20:54:29 +1100
> From: Tony Breeds <[hidden email]>
> To: OpenStack Development <[hidden email]>,
>          OpenStack SIGs <[hidden email]>, OpenStack
>          Operators <[hidden email]>
> Subject: Re: [Openstack-operators] [Openstack-sigs] [all] Naming the T
>          release of OpenStack
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> On Thu, Oct 18, 2018 at 05:35:39PM +1100, Tony Breeds wrote:
>> Hello all,
>>     As per [1] the nomination period for names for the T release has
>> now closed (actually 3 days ago, sorry).  The nominated names and any
>> qualifying remarks can be seen at [2].
>>
>> Proposed Names
>>  * Tarryall
>>  * Teakettle
>>  * Teller
>>  * Telluride
>>  * Thomas
>>  * Thornton
>>  * Tiger
>>  * Tincup
>>  * Timnath
>>  * Timber
>>  * Tiny Town
>>  * Torreys
>>  * Trail
>>  * Trinidad
>>  * Treasure
>>  * Troublesome
>>  * Trussville
>>  * Turret
>>  * Tyrone
>>
>> Proposed Names that do not meet the criteria
>>  * Train
>
> I have re-worked my openstack/governance change[1] to ask the TC to accept
> adding Train to the poll as (partially) described in [2].
>
> I present the names above to the community and Foundation marketing team
> for consideration.  The list above does contain Train, clearly if the TC
> do not approve [1] Train will not be included in the poll when created.
>
> I apologise for any offence or slight caused by my previous email in
> this thread.  It was well intentioned albeit, with hindsight, poorly
> thought through.
>
> Yours Tony.
>
> [1] https://review.openstack.org/#/c/611511/ 
> [2]
> https://governance.openstack.org/tc/reference/release-naming.html#release-name-criteria 
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 488 bytes
> Desc: not available
> URL:
> <http://lists.openstack.org/pipermail/openstack-operators/attachments/20181019/49c95d5d/attachment-0001.sig>
>
> ------------------------------
>
> Message: 12
> Date: Fri, 19 Oct 2018 16:33:17 +0000
> From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>
> To: Chris Apsey <[hidden email]>, iain MacDonnell
>          <[hidden email]>,
>          "[hidden email]"
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> Our NDC domain is LDAP backed. Default is not.
>
> Our keystone policy.json file is empty {}
>
>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> [hidden email]
>
> Hydrogen fusion brightens my day.
>
>
> On 10/18/18, 7:24 PM, "Chris Apsey" <[hidden email]> wrote:
>
>      We are using multiple keystone domains - still can't reproduce this.
>
>      Do you happen to have a customized keystone policy.json?
>
>      Worst case, I would launch a devstack of your targeted release.  If you
>      can't reproduce the issue there, you would at least know it's caused by a
>      nonstandard config rather than a bug (or at least not a bug that's present
>      when using a default config).
>
>      On October 18, 2018 18:50:12 iain MacDonnell <[hidden email]> wrote:
>
>      > That all looks fine.
>      >
>      > I believe that the "default" policy applies in place of any that's not
>      > explicitly specified - i.e. "if there's no matching policy below, you
>      > need to have the admin role to be able to do it". I do have that line in
>      > my policy.json, and I cannot reproduce your problem (see below).
>      >
>      > I'm not using domains (other than "default"). I wonder if that's a factor...
>      >
>      >     ~iain
>      >
>      >
>      > $ openstack user create --password foo user1
>      > +---------------------+----------------------------------+
>      > | Field               | Value                            |
>      > +---------------------+----------------------------------+
>      > | domain_id           | default                          |
>      > | enabled             | True                             |
>      > | id                  | d18c0031ec56430499a2d690cb1f125c |
>      > | name                | user1                            |
>      > | options             | {}                               |
>      > | password_expires_at | None                             |
>      > +---------------------+----------------------------------+
>      > $ openstack user create --password foo user2
>      > +---------------------+----------------------------------+
>      > | Field               | Value                            |
>      > +---------------------+----------------------------------+
>      > | domain_id           | default                          |
>      > | enabled             | True                             |
>      > | id                  | be9f1061a5104abd834eabe98dff055d |
>      > | name                | user2                            |
>      > | options             | {}                               |
>      > | password_expires_at | None                             |
>      > +---------------------+----------------------------------+
>      > $ openstack project create project1
>      > +-------------+----------------------------------+
>      > | Field       | Value                            |
>      > +-------------+----------------------------------+
>      > | description |                                  |
>      > | domain_id   | default                          |
>      > | enabled     | True                             |
>      > | id          | 826876d6d3724018bae6253c7f540cb3 |
>      > | is_domain   | False                            |
>      > | name        | project1                         |
>      > | parent_id   | default                          |
>      > | tags        | []                               |
>      > +-------------+----------------------------------+
>      > $ openstack project create project2
>      > +-------------+----------------------------------+
>      > | Field       | Value                            |
>      > +-------------+----------------------------------+
>      > | description |                                  |
>      > | domain_id   | default                          |
>      > | enabled     | True                             |
>      > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
>      > | is_domain   | False                            |
>      > | name        | project2                         |
>      > | parent_id   | default                          |
>      > | tags        | []                               |
>      > +-------------+----------------------------------+
>      > $ openstack role add --user user1 --project project1 _member_
>      > $ openstack role add --user user2 --project project2 _member_
>      > $ export OS_PASSWORD=foo
>      > $ export OS_USERNAME=user1
>      > $ export OS_PROJECT_NAME=project1
>      > $ openstack image list
>      > +--------------------------------------+--------+--------+
>      > | ID                                   | Name   | Status |
>      > +--------------------------------------+--------+--------+
>      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>      > +--------------------------------------+--------+--------+
>      > $ openstack image create --private image1
>      > +------------------+------------------------------------------------------------------------------+
>      > | Field            | Value                                                                        |
>      > +------------------+------------------------------------------------------------------------------+
>      > | checksum         | None                                                                         |
>      > | container_format | bare                                                                         |
>      > | created_at       | 2018-10-18T22:17:41Z                                                         |
>      > | disk_format      | raw                                                                          |
>      > | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
>      > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
>      > | min_disk         | 0                                                                            |
>      > | min_ram          | 0                                                                            |
>      > | name             | image1                                                                       |
>      > | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
>      > | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
>      > | protected        | False                                                                        |
>      > | schema           | /v2/schemas/image                                                            |
>      > | size             | None                                                                         |
>      > | status           | queued                                                                       |
>      > | tags             |                                                                              |
>      > | updated_at       | 2018-10-18T22:17:41Z                                                         |
>      > | virtual_size     | None                                                                         |
>      > | visibility       | private                                                                      |
>      > +------------------+------------------------------------------------------------------------------+
>      > $ openstack image list
>      > +--------------------------------------+--------+--------+
>      > | ID                                   | Name   | Status |
>      > +--------------------------------------+--------+--------+
>      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>      > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>      > +--------------------------------------+--------+--------+
>      > $ export OS_USERNAME=user2
>      > $ export OS_PROJECT_NAME=project2
>      > $ openstack image list
>      > +--------------------------------------+--------+--------+
>      > | ID                                   | Name   | Status |
>      > +--------------------------------------+--------+--------+
>      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>      > +--------------------------------------+--------+--------+
>      > $ export OS_USERNAME=admin
>      > $ export OS_PROJECT_NAME=admin
>      > $ export OS_PASSWORD=xxx
>      > $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
>      > $ export OS_USERNAME=user2
>      > $ export OS_PROJECT_NAME=project2
>      > $ export OS_PASSWORD=foo
>      > $ openstack image list
>      > +--------------------------------------+--------+--------+
>      > | ID                                   | Name   | Status |
>      > +--------------------------------------+--------+--------+
>      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>      > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>      > +--------------------------------------+--------+--------+
>      > $
>      >
>      >
>      > On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      > INTEGRA, INC.] wrote:
>      >> openstack user create --domain default --password xxxxxxxx
> --project-domain
>      >> ndc --project test mike
>      >>
>      >>
>      >> openstack role add --user mike --user-domain default --project
> test user
>      >>
>      >> my admin account is in the NDC domain with a different username.
>      >>
>      >>
>      >>
>      >> /etc/glance/policy.json
>      >> {
>      >>
>      >> "context_is_admin":  "role:admin",
>      >> "default": "role:admin",
>      >>
>      >> <snip>
>      >>
>      >>
>      >> I'm not terribly familiar with the policies but I feel like that
> default
>      >> line is making everyone an admin by default?
>      >>
>      >>
>      >> Mike Moore, M.S.S.E.
>      >>
>      >> Systems Engineer, Goddard Private Cloud
>      >> [hidden email]
>      >>
>      >> Hydrogen fusion brightens my day.
>      >>
>      >>
>      >> On 10/18/18, 6:25 PM, "iain MacDonnell"
> <[hidden email]> wrote:
>      >>
>      >>
>      >> I suspect that your non-admin user is not really non-admin. How
> did you
>      >> create it?
>      >>
>      >> What do you have for "context_is_admin" in glance's policy.json?
>      >>
>      >>  ~iain
>      >>
>      >>
>      >> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      >> INTEGRA, INC.] wrote:
>      >>> I have replicated this unexpected behavior in a Pike test
> environment, in
>      >>> addition to our Queens environment.
>      >>>
>      >>>
>      >>>
>      >>> Mike Moore, M.S.S.E.
>      >>>
>      >>> Systems Engineer, Goddard Private Cloud
>      >>> [hidden email]
>      >>>
>      >>> Hydrogen fusion brightens my day.
>      >>>
>      >>>
>      >>> On 10/18/18, 2:30 PM, "Moore, Michael Dane
> (GSFC-720.0)[BUSINESS INTEGRA,
>      >>> INC.]" <[hidden email]> wrote:
>      >>>
>      >>>    Yes. I verified it by creating a non-admin user in a
> different tenant. I
>      >>>    created a new image, set to private with the project defined
> as our admin
>      >>>    tenant.
>      >>>
>      >>>    In the database I can see that the image is 'private' and
> the owner is the
>      >>>    ID of the admin tenant.
>      >>>
>      >>>    Mike Moore, M.S.S.E.
>      >>>
>      >>>    Systems Engineer, Goddard Private Cloud
>      >>>    [hidden email]
>      >>>
>      >>>    Hydrogen fusion brightens my day.
>      >>>
>      >>>
>      >>>    On 10/18/18, 1:07 AM, "iain MacDonnell"
> <[hidden email]> wrote:
>      >>>
>      >>>
>      >>>
>      >>>        On 10/17/2018 12:29 PM, Moore, Michael Dane
> (GSFC-720.0)[BUSINESS
>      >>>        INTEGRA, INC.] wrote:
>      >>>        > I’m seeing unexpected behavior in our Queens
> environment related to
>      >>>        > Glance image visibility. Specifically users who, based
> on my
>      >>>        > understanding of the visibility and ownership fields,
> should NOT be able
>      >>>        > to see or view the image.
>      >>>        >
>      >>>        > If I create a new image with openstack image create
> and specify –project
>      >>>        > <tenant> and –private a non-admin user in a different
> tenant can see and
>      >>>        > boot that image.
>      >>>        >
>      >>>        > That seems to be the opposite of what should happen.
> Any ideas?
>      >>>
>      >>>        Yep, something's not right there.
>      >>>
>      >>>        Are you sure that the user that can see the image
> doesn't have the admin
>      >>>        role (for the project in its keystone token) ?
>      >>>
>      >>>        Did you verify that the image's owner is what you
> intended, and that the
>      >>>        visibility really is "private" ?
>      >>>
>      >>>             ~iain
>      >>>
>      >>>        _______________________________________________
>      >>>        OpenStack-operators mailing list
>      >>>        [hidden email]
>      >>>
>      >>>        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>      >>>
>      >>>
>      >
>
>
>
>
>
>
> ------------------------------
>
> Message: 13
> Date: Fri, 19 Oct 2018 16:54:12 +0000
> From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>
> To: Chris Apsey <[hidden email]>, iain MacDonnell
>          <[hidden email]>,
>          "[hidden email]"
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
>
> For reference, here is our full glance policy.json
>
>
> {
>      "context_is_admin":  "role:admin",
>      "default": "role:admin",
>
>      "add_image": "",
>      "delete_image": "",
>      "get_image": "",
>      "get_images": "",
>      "modify_image": "",
>      "publicize_image": "role:admin",
>      "communitize_image": "",
>      "copy_from": "",
>
>      "download_image": "",
>      "upload_image": "",
>
>      "delete_image_location": "",
>      "get_image_location": "",
>      "set_image_location": "",
>
>      "add_member": "",
>      "delete_member": "",
>      "get_member": "",
>      "get_members": "",
>      "modify_member": "",
>
>      "manage_image_cache": "role:admin",
>
>      "get_task": "",
>      "get_tasks": "",
>      "add_task": "",
>      "modify_task": "",
>      "tasks_api_access": "role:admin",
>
>      "deactivate": "",
>      "reactivate": "",
>
>      "get_metadef_namespace": "",
>      "get_metadef_namespaces":"",
>      "modify_metadef_namespace":"",
>      "add_metadef_namespace":"",
>
>      "get_metadef_object":"",
>      "get_metadef_objects":"",
>      "modify_metadef_object":"",
>      "add_metadef_object":"",
>
>      "list_metadef_resource_types":"",
>      "get_metadef_resource_type":"",
>      "add_metadef_resource_type_association":"",
>
>      "get_metadef_property":"",
>      "get_metadef_properties":"",
>      "modify_metadef_property":"",
>      "add_metadef_property":"",
>
>      "get_metadef_tag":"",
>      "get_metadef_tags":"",
>      "modify_metadef_tag":"",
>      "add_metadef_tag":"",
>      "add_metadef_tags":""
>
> }
>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> [hidden email]
>
> Hydrogen fusion brightens my day.
>
>
> On 10/19/18, 12:39 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.]" <[hidden email]> wrote:
>
>      Our NDC domain is LDAP backed. Default is not.
>
>      Our keystone policy.json file is empty {}
>
>
>
>      Mike Moore, M.S.S.E.
>
>      Systems Engineer, Goddard Private Cloud
>      [hidden email]
>
>      Hydrogen fusion brightens my day.
>
>
>      On 10/18/18, 7:24 PM, "Chris Apsey" <[hidden email]> wrote:
>
>          We are using multiple keystone domains - still can't reproduce
> this.
>
>          Do you happen to have a customized keystone policy.json?
>
>          Worst case, I would launch a devstack of your targeted
> release.  If you
>          can't reproduce the issue there, you would at least know it's
> caused by a
>          nonstandard config rather than a bug (or at least not a bug
> that's present
>          when using a default config)
>
>          On October 18, 2018 18:50:12 iain MacDonnell
> <[hidden email]>
>          wrote:
>
>          > That all looks fine.
>          >
>          > I believe that the "default" policy applies in place of any
> that's not
>          > explicitly specified - i.e. "if there's no matching policy
> below, you
>          > need to have the admin role to be able to do it". I do have
> that line in
>          > my policy.json, and I cannot reproduce your problem (see below).
>          >
>          > I'm not using domains (other than "default"). I wonder if
> that's a factor...
>          >
>          >     ~iain
>          >
>          >
>          > $ openstack user create --password foo user1
>          > +---------------------+----------------------------------+
>          > | Field               | Value                            |
>          > +---------------------+----------------------------------+
>          > | domain_id           | default                          |
>          > | enabled             | True                             |
>          > | id                  | d18c0031ec56430499a2d690cb1f125c |
>          > | name                | user1                            |
>          > | options             | {}                               |
>          > | password_expires_at | None                             |
>          > +---------------------+----------------------------------+
>          > $ openstack user create --password foo user2
>          > +---------------------+----------------------------------+
>          > | Field               | Value                            |
>          > +---------------------+----------------------------------+
>          > | domain_id           | default                          |
>          > | enabled             | True                             |
>          > | id                  | be9f1061a5104abd834eabe98dff055d |
>          > | name                | user2                            |
>          > | options             | {}                               |
>          > | password_expires_at | None                             |
>          > +---------------------+----------------------------------+
>          > $ openstack project create project1
>          > +-------------+----------------------------------+
>          > | Field       | Value                            |
>          > +-------------+----------------------------------+
>          > | description |                                  |
>          > | domain_id   | default                          |
>          > | enabled     | True                             |
>          > | id          | 826876d6d3724018bae6253c7f540cb3 |
>          > | is_domain   | False                            |
>          > | name        | project1                         |
>          > | parent_id   | default                          |
>          > | tags        | []                               |
>          > +-------------+----------------------------------+
>          > $ openstack project create project2
>          > +-------------+----------------------------------+
>          > | Field       | Value                            |
>          > +-------------+----------------------------------+
>          > | description |                                  |
>          > | domain_id   | default                          |
>          > | enabled     | True                             |
>          > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
>          > | is_domain   | False                            |
>          > | name        | project2                         |
>          > | parent_id   | default                          |
>          > | tags        | []                               |
>          > +-------------+----------------------------------+
>          > $ openstack role add --user user1 --project project1 _member_
>          > $ openstack role add --user user2 --project project2 _member_
>          > $ export OS_PASSWORD=foo
>          > $ export OS_USERNAME=user1
>          > $ export OS_PROJECT_NAME=project1
>          > $ openstack image list
>          > +--------------------------------------+--------+--------+
>          > | ID                                   | Name   | Status |
>          > +--------------------------------------+--------+--------+
>          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>          > +--------------------------------------+--------+--------+
>          > $ openstack image create --private image1
>          > +------------------+------------------------------------------------------------------------------+
>          > | Field            | Value                                                                        |
>          > +------------------+------------------------------------------------------------------------------+
>          > | checksum         | None                                                                         |
>          > | container_format | bare                                                                         |
>          > | created_at       | 2018-10-18T22:17:41Z                                                         |
>          > | disk_format      | raw                                                                          |
>          > | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
>          > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
>          > | min_disk         | 0                                                                            |
>          > | min_ram          | 0                                                                            |
>          > | name             | image1                                                                       |
>          > | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
>          > | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
>          > | protected        | False                                                                        |
>          > | schema           | /v2/schemas/image                                                            |
>          > | size             | None                                                                         |
>          > | status           | queued                                                                       |
>          > | tags             |                                                                              |
>          > | updated_at       | 2018-10-18T22:17:41Z                                                         |
>          > | virtual_size     | None                                                                         |
>          > | visibility       | private                                                                      |
>          > +------------------+------------------------------------------------------------------------------+
>          > $ openstack image list
>          > +--------------------------------------+--------+--------+
>          > | ID                                   | Name   | Status |
>          > +--------------------------------------+--------+--------+
>          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>          > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>          > +--------------------------------------+--------+--------+
>          > $ export OS_USERNAME=user2
>          > $ export OS_PROJECT_NAME=project2
>          > $ openstack image list
>          > +--------------------------------------+--------+--------+
>          > | ID                                   | Name   | Status |
>          > +--------------------------------------+--------+--------+
>          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>          > +--------------------------------------+--------+--------+
>          > $ export OS_USERNAME=admin
>          > $ export OS_PROJECT_NAME=admin
>          > $ export OS_PASSWORD=xxx
>          > $ openstack image set --public
> 6a0c1928-b79c-4dbf-a9c9-305b599056e4
>          > $ export OS_USERNAME=user2
>          > $ export OS_PROJECT_NAME=project2
>          > $ export OS_PASSWORD=foo
>          > $ openstack image list
>          > +--------------------------------------+--------+--------+
>          > | ID                                   | Name   | Status |
>          > +--------------------------------------+--------+--------+
>          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>          > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>          > +--------------------------------------+--------+--------+
>          > $
>          >
>          >
>
>
>
>
>
>
>
>
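The two questions this thread keeps returning to, whether the `"default": "role:admin"` line in the policy.json posted above makes everyone an admin, and whether the user who can list the private image really is non-admin, can be reasoned about offline. The following is an added example, not code from the thread, from Glance or from oslo.policy: a small re-implementation of the two pieces of behaviour involved, meant to be read alongside Iain's demo and Mike's policy file. The POLICY dictionary is copied from that policy.json (the long run of rules that are all "" is summarised); the rule grammar handled is only what that file uses ("" for unconditional allow, "role:<name>", "rule:<name>") plus the oslo.policy convention that a rule name absent from the file resolves to "default". The visibility filter follows Glance's behaviour for an admin context (no ownership filtering at all) and for everyone else (public images, the caller's own project's images, and shared images the caller's project is a member of); community images and the accepted/pending member status are left out of the model. The project IDs are the ones from Iain's demo; the image records, the extra shared image and the role lists are constructed for the example.

```python
# Added example, not code from the thread, from Glance or from oslo.policy.
# It re-implements (1) how oslo.policy resolves the rules in the posted
# glance policy.json, including the "default" fallback, and (2) how Glance
# filters an image listing for an admin vs. a non-admin context.
# Only the rule syntax the posted file uses is handled ("" / "role:x" /
# "rule:x"); "!" is the oslo.policy spelling of "never allow".

# Copied from the policy.json in the thread. Everything else in that file is
# "" (unconditional allow); the three admin-only rules are listed explicitly.
POLICY = {
    "context_is_admin": "role:admin",
    "default": "role:admin",
    "get_image": "",
    "get_images": "",
    "add_image": "",
    "modify_image": "",
    "delete_image": "",
    "publicize_image": "role:admin",
    "manage_image_cache": "role:admin",
    "tasks_api_access": "role:admin",
}

# Project IDs from Iain's demo; the image records themselves are constructed
# (the owner of cirros and the shared image are invented for the example).
PROJECT1 = "826876d6d3724018bae6253c7f540cb3"
PROJECT2 = "b446b93ac6e24d538c1943acbdd13cb2"
IMAGES = [
    {"name": "cirros", "owner": "admin-project-id", "visibility": "public"},
    {"name": "image1", "owner": PROJECT1, "visibility": "private"},
    {"name": "shared1", "owner": PROJECT1, "visibility": "shared",
     "members": [PROJECT2]},
]


def check(policy, rule_name, creds):
    """Evaluate one rule for creds = {"roles": [...], "project_id": "..."}.

    A rule name that is not in the file resolves to policy["default"]. That is
    all the "default" line does: it grants admin to nobody, it only decides
    rules the file forgot to mention (for this file: admin required).
    """
    rule = policy.get(rule_name, policy.get("default", "!"))
    if rule == "":
        return True
    if rule == "!":
        return False
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return check(policy, value, creds)
    raise ValueError("rule syntax not handled by this example: %r" % rule)


def is_admin(policy, creds):
    """Glance decides admin-ness by evaluating context_is_admin, nothing else."""
    return check(policy, "context_is_admin", creds)


def visible_images(policy, creds, images):
    """The image catalogue as one request context would list it."""
    if not check(policy, "get_images", creds):
        return []                  # the real service answers 403 here
    if is_admin(policy, creds):
        return list(images)        # admin context: ownership is not consulted
    mine = creds["project_id"]
    return [
        img for img in images
        if img["visibility"] == "public"
        or img["owner"] == mine
        or (img["visibility"] == "shared" and mine in img.get("members", []))
    ]


def names_seen_by(creds, images=IMAGES, policy=POLICY):
    """Convenience wrapper: image names visible to this credential set."""
    return [img["name"] for img in visible_images(policy, creds, images)]


if __name__ == "__main__":
    member2 = {"roles": ["_member_"], "project_id": PROJECT2}
    admin2 = {"roles": ["_member_", "admin"], "project_id": PROJECT2}
    print("project2 member sees:", names_seen_by(member2))
    print("project2 token carrying the admin role sees:", names_seen_by(admin2))
    print("get_images for a member:", check(POLICY, "get_images", member2))
    print("rule missing from the file, for a member:",
          check(POLICY, "no_such_rule", member2))
```

Running it shows a plain `_member_` in project2 listing only cirros and the shared image, while the same token with the admin role added lists image1 as well, and `get_images` evaluating to allowed for everyone because its rule is "" rather than missing. That is the shape of the symptom reported at the top of the thread, so the first thing to confirm on the real deployment is the role assignment behind the token that can see the image: `openstack role assignment list --user <user> --names` lists every role the user holds across projects and domains, and `oslopolicy-checker --policy /etc/glance/policy.json --access <saved-token.json> --rule get_images` evaluates the real policy file against a saved token. Both are existing tools, not part of the example.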
> ------------------------------
>
> Message: 14
> Date: Fri, 19 Oct 2018 13:45:03 -0400
> From: Jay Pipes <[hidden email]>
> To: [hidden email]
> Subject: Re: [Openstack-operators] Fleio - OpenStack billing - ver.
>          1.1 released
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Please do not use these mailing lists to advertise
> closed-source/proprietary software solutions.
>
> Thank you,
> -jay
>
> On 10/19/2018 05:42 AM, Adrian Andreias wrote:
>> Hello,
>>
>> We've just released Fleio version 1.1.
>>
>> Fleio is a billing solution and control panel for OpenStack public
>> clouds and traditional web hosters.
>>
>> Fleio software automates the entire process for cloud users. New
>> customers can use Fleio to sign up for an account, pay invoices, add
>> credit to their account, as well as create and manage cloud resources
>> such as virtual machines, storage and networking.
>>
>> Full feature list:
>> https://fleio.com#features 
>>
>> You can see an online demo:
>> https://fleio.com/demo 
>>
>> And sign-up for a free trial:
>> https://fleio.com/signup 
>>
>>
>>
>> Cheers!
>>
>> - Adrian Andreias
>> https://fleio.com 
>>
>>
>>
>>
>
>
>
> ------------------------------
>
> Message: 15
> Date: Fri, 19 Oct 2018 20:13:40 +0200
> From: Mohammed Naser <[hidden email]>
> To: [hidden email]
> Cc: openstack-operators <[hidden email]>
> Subject: Re: [Openstack-operators] Fleio - OpenStack billing - ver.
>          1.1     released
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="UTF-8"
>
> On Fri, Oct 19, 2018 at 7:45 PM Jay Pipes <[hidden email]> wrote:
>>
>> Please do not use these mailing lists to advertise
>> closed-source/proprietary software solutions.
>
> +1
>
>> Thank you,
>> -jay
>>
>> On 10/19/2018 05:42 AM, Adrian Andreias wrote:
>> > Hello,
>> >
>> > We've just released Fleio version 1.1.
>> >
>> > Fleio is a billing solution and control panel for OpenStack public
>> > clouds and traditional web hosters.
>> >
>> > Fleio software automates the entire process for cloud users. New
>> > customers can use Fleio to sign up for an account, pay invoices, add
>> > credit to their account, as well as create and manage cloud resources
>> > such as virtual machines, storage and networking.
>> >
>> > Full feature list:
>> > https://fleio.com#features 
>> >
>> > You can see an online demo:
>> > https://fleio.com/demo 
>> >
>> > And sign-up for a free trial:
>> > https://fleio.com/signup 
>> >
>> >
>> >
>> > Cheers!
>> >
>> > - Adrian Andreias
>> > https://fleio.com 
>> >
>> >
>> >
>> >
>>
>
>
>
> --
> Mohammed Naser — vexxhost
> -----------------------------------------------------
> D. 514-316-8872
> D. 800-910-1726 ext. 200
> E. [hidden email]
> W. http://vexxhost.com 
>
>
>
> ------------------------------
>
> Message: 16
> Date: Fri, 19 Oct 2018 14:39:29 -0400
> From: Erik McCormick <[hidden email]>
> To: openstack-operators <[hidden email]>
> Subject: [Openstack-operators] [Octavia] SSL errors polling amphorae
>          and     missing tenant network interface
> Message-ID:
>          
> <CAHUi5cNByYFRr4vHY9iAEhAFc=[hidden email]>
> Content-Type: text/plain; charset="UTF-8"
>
> I've been wrestling with getting Octavia up and running and have
> become stuck on two issues. I'm hoping someone has run into these
> before. My google foo has come up empty.
>
> Issue 1:
> When the Octavia controller tries to poll the amphora instance, it
> tries repeatedly and eventually fails. The error on the controller
> side is:
>
> 2018-10-19 14:17:39.181 26 ERROR
> octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection
> retries (currently set to 300) exhausted.  The amphora is unavailable.
> Reason: HTTPSConnectionPool(host='10.7.0.112', port=9443): Max retries
> exceeded with url: /0.5/plug/vip/10.250.20.15 (Caused by
> SSLError(SSLError("bad handshake: Error([('rsa routines',
> 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
> 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
> routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
> 'tls_process_server_certificate', 'certificate verify
> failed')],)",),)): SSLError: HTTPSConnectionPool(host='10.7.0.112',
> port=9443): Max retries exceeded with url: /0.5/plug/vip/10.250.20.15
> (Caused by SSLError(SSLError("bad handshake: Error([('rsa routines',
> 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
> 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
> routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
> 'tls_process_server_certificate', 'certificate verify
> failed')],)",),))
>
> On the amphora side I see:
> [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Error processing SSL request.
> [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Invalid request from
> ip=::ffff:10.7.0.40: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake
> failure (_ssl.c:1754)
>
> I've generated certificates both with the script in the Octavia git
> repo, and with the Openstack Ansible playbook. I can see that they are
> present in /etc/octavia/certs.
>
> I'm using the Kolla (Queens) containers for the control plane so I'm
> sure I've satisfied all the python library constraints.
>
> Issue 2:
> I"m not sure how it gets configured, but the tenant network interface
> (ens6) never comes up. I can spawn other instances on that network
> with no issue, and I can see that Neutron has the port attached to the
> instance. However, in the instance this is all I get:
>
> ubuntu@amphora-33e0aab3-8bc4-4fcb-bc42-b9b36afb16d4:~$ ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>         valid_lft forever preferred_lft forever
>      inet6 ::1/128 scope host
>         valid_lft forever preferred_lft forever
> 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast
> state UP group default qlen 1000
>      link/ether fa:16:3e:30:c4:60 brd ff:ff:ff:ff:ff:ff
>      inet 10.7.0.112/16 brd 10.7.255.255 scope global ens3
>         valid_lft forever preferred_lft forever
>      inet6 fe80::f816:3eff:fe30:c460/64 scope link
>         valid_lft forever preferred_lft forever
> 3: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
> default qlen 1000
>      link/ether fa:16:3e:89:a2:7f brd ff:ff:ff:ff:ff:ff
>
> There's no evidence of the interface anywhere else including udev rules.
>
> Any help with either or both issues would be greatly appreciated.
>
> Cheers,
> Erik
>
>
>
> ------------------------------
>
> Message: 17
> Date: Sat, 20 Oct 2018 01:47:42 +0200
> From: Gaël THEROND <[hidden email]>
> To: Erik McCormick <[hidden email]>
> Cc: openstack-operators <[hidden email]>
> Subject: Re: [Openstack-operators] [Octavia] SSL errors polling
>          amphorae and missing tenant network interface
> Message-ID:
>          
> <CAG+53ua-Hcjjq=[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> Hi eric!
>
> Glad I’m not the only one having this issue with the ssl communication
> between the amphora and the CP.
>
> Even if I don’t yet get a clear answer regarding that issue, I think your
> second issue is not an issue as the interface is mounted on a namespace and
> so you’ll need to list all nic even those from namespace.
>
> Use an ip netns ls to get the namespace.
>
> Hope it will help.
>
> On Fri, 19 Oct 2018 at 20:40, Erik McCormick <[hidden email]>
> wrote:
>
> ------------------------------
>
>
>
> ------------------------------
>
> End of OpenStack-operators Digest, Vol 96, Issue 7
> **************************************************
>
>
>
>


Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]
This is interesting. The "roles" field shows "user" properly for the non-admin user, and "admin" for the admin users.

Nothing in our output for `openstack --debug token issue` shows "is_admin_project"

My colleague did find logs in Keystone are showing is_admin_project: True on his non-admin user that is only a "user" according to the roles field in a token issue test.

We're wondering if it's not a glance issue but a keystone issue/misconfiguration.


Mike Moore, M.S.S.E.
 
Systems Engineer, Goddard Private Cloud
[hidden email]
 
Hydrogen fusion brightens my day.
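The `context_is_admin` and `default` policy rules and the `token issue` checks discussed in the quoted thread below, as an added example that is not part of this post, of Glance, or of oslo.policy: it evaluates a small teaching subset of the policy grammar against a token's roles, works out which images a project should be shown under Glance v2 visibility rules, and flags anything that leaked. The policy, token, image records and observed listing are constructed samples, and the rule evaluator is my own subset rather than the library.

```python
# Constructed sample policy mirroring the two rules quoted in the thread
# (the rest of the real file was snipped there).
THREAD_POLICY = {"context_is_admin": "role:admin", "default": "role:admin"}

# Constructed Keystone v3 token body, shaped like the "token" dict that
# `openstack --debug token issue` prints; ids and names are made up.
NON_ADMIN_TOKEN = {"token": {
    "roles": [{"name": "user"}],
    "project": {"id": "proj-test-0001", "name": "test"},
    "is_admin_project": True,  # the flag the thread saw on a plain "user"
}}

# Constructed image records carrying the fields Glance v2 uses for visibility.
IMAGES = [
    {"id": "img-public", "visibility": "public", "owner": "proj-admin-0001", "members": {}},
    {"id": "img-private-admin", "visibility": "private", "owner": "proj-admin-0001", "members": {}},
    {"id": "img-private-test", "visibility": "private", "owner": "proj-test-0001", "members": {}},
    {"id": "img-shared-ok", "visibility": "shared", "owner": "proj-admin-0001",
     "members": {"proj-test-0001": "accepted"}},
    {"id": "img-shared-pending", "visibility": "shared", "owner": "proj-admin-0001",
     "members": {"proj-test-0001": "pending"}},
]


def rule_allows(policy, rule_name, roles, depth=0):
    """Evaluate a named policy rule against a token's role names.

    Teaching subset of the oslo.policy grammar: "" or "@" (allow), "!" (deny),
    "role:X", "rule:Y" and flat "A or B" / "A and B" chains. An unnamed rule
    falls back to "default", as in oslo.policy: a catch-all, not a role grant.
    """
    if depth > 10:
        raise RecursionError("policy rules reference each other too deeply")
    return _eval(policy, policy.get(rule_name, policy.get("default", "")).strip(), roles, depth)


def _eval(policy, expr, roles, depth):
    if " or " in expr:
        return any(_eval(policy, p.strip(), roles, depth) for p in expr.split(" or "))
    if " and " in expr:
        return all(_eval(policy, p.strip(), roles, depth) for p in expr.split(" and "))
    if expr in ("", "@"):
        return True
    if expr == "!":
        return False
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        return rule_allows(policy, value, roles, depth + 1)
    raise ValueError(f"unsupported policy check: {expr!r}")


def context_from_token(token_body, policy):
    """Reduce a token dict to what the visibility check needs, keeping the two
    admin signals the thread compared (roles list, is_admin_project) side by side."""
    tok = token_body["token"]
    roles = [r["name"] for r in tok.get("roles", [])]
    return {
        "project_id": tok["project"]["id"],
        "roles": roles,
        "is_admin_project": bool(tok.get("is_admin_project", False)),
        # Glance's context_is_admin rule consults the roles list only.
        "policy_admin": rule_allows(policy, "context_is_admin", roles),
    }


def expected_visible(image, ctx):
    """Should this context see the image in a default `openstack image list`?

    public: everyone; private: owner only; shared: owner plus projects with an
    accepted membership; policy admins see everything. Other values (such as
    community, which has extra listing rules) are rejected rather than guessed.
    """
    if ctx["policy_admin"] or image["owner"] == ctx["project_id"]:
        return True
    vis = image["visibility"]
    if vis == "public":
        return True
    if vis == "private":
        return False
    if vis == "shared":
        return image["members"].get(ctx["project_id"]) == "accepted"
    raise ValueError(f"visibility {vis!r} is not handled by this example")


def audit_listing(images, ctx, observed_ids):
    """Compare what a token was actually shown with what it should have seen.
    Returns (leaked, missing): ids shown that should not have been, and vice versa."""
    expected = {img["id"] for img in images if expected_visible(img, ctx)}
    observed = set(observed_ids)
    return sorted(observed - expected), sorted(expected - observed)


if __name__ == "__main__":
    ctx = context_from_token(NON_ADMIN_TOKEN, THREAD_POLICY)
    # Constructed listing reproducing the thread's symptom: a plain "user" shown
    # another project's private image.
    seen = ["img-public", "img-private-test", "img-shared-ok", "img-private-admin"]
    print(ctx, audit_listing(IMAGES, ctx, seen))
```

Running it prints the reduced context (roles, is_admin_project, and whether the policy makes it admin) followed by `(['img-private-admin'], [])`: the other project's private image leaked and nothing expected is missing.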
 

On 10/23/18, 7:50 PM, "iain MacDonnell" <[hidden email]> wrote:

   
    It (still) seems like there's something funky about admin/non-admin in
    your case.
   
    You could try "openstack --debug token issue" (in the admin and
    non-admin cases), and examine the token dict that gets output. Look for
    the "roles" list and "is_admin_project".
   
         ~iain
   
   
   
    On 10/23/2018 03:21 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
    INTEGRA, INC.] wrote:
    > We have submitted a bug for this
    >
    > https://bugs.launchpad.net/glance/+bug/1799588 
    >
    > Mike Moore, M.S.S.E.
    >
    > Systems Engineer, Goddard Private Cloud
    >
    > [hidden email] <mailto:[hidden email]>
    >
    >
    > Hydrogen fusion brightens my day.
    >
    > *From: *"Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
    > <[hidden email]>
    > *Date: *Saturday, October 20, 2018 at 7:22 PM
    > *To: *Logan Hicks <[hidden email]>,
    > "[hidden email]"
    > <[hidden email]>
    > *Subject: *Re: [Openstack-operators] OpenStack-operators Digest, Vol 96,
    > Issue 7
    >
    > The images exist and are bootable. I'm going to trace through the actual
    > code for glance API. Any suggestions on where the show/hide logic is
    > when it filters responses? I'm new to digging through OpenStack code.
    >
    > ------------------------------------------------------------------------
    >
    > *From:*Logan Hicks [[hidden email]]
    > *Sent:* Friday, October 19, 2018 8:00 PM
    > *To:* [hidden email]
    > *Subject:* Re: [Openstack-operators] OpenStack-operators Digest, Vol 96,
    > Issue 7
    >
    > Re: Glance Image Visibility Issue? - Non  admin users can see
    >        private images from other tenants (Chris Apsey)
    >
    > I noticed that the image says queued. If I'm not mistaken, an image can't
    > have permissions applied until after the image is created, which might
    > explain the issue he's seeing.
    >
    > The object doesn't exist until it's made by openstack.
    >
    > I'd check to see if something is holding up images being made. I'd start
    > with glance.
    >
    > Respectfully,
    >
    > Logan Hicks
    >
    > -------- Original message --------
    >
    > From: [hidden email]
    >
    > Date: 10/19/18 7:49 PM (GMT-05:00)
    >
    > To: [hidden email]
    >
    > Subject: OpenStack-operators Digest, Vol 96, Issue 7
    >
    > Send OpenStack-operators mailing list submissions to
    >          [hidden email]
    >
    > To subscribe or unsubscribe via the World Wide Web, visit
    > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators 
    >
    > or, via email, send a message with subject or body 'help' to
    >          [hidden email]
    >
    > You can reach the person managing the list at
    >          [hidden email]
    >
    > When replying, please edit your Subject line so it is more specific
    > than "Re: Contents of OpenStack-operators digest..."
    >
    >
    > Today's Topics:
    >
    >     1. [nova] Removing the CachingScheduler (Matt Riedemann)
    >     2. Re: Glance Image Visibility Issue? - Non admin users can see
    >        private images from other tenants
    >        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
    >     3. Re: Glance Image Visibility Issue? - Non  admin users can see
    >        private images from other tenants (Chris Apsey)
    >     4. Re: Glance Image Visibility Issue? - Non admin users can see
    >        private images from other tenants (iain MacDonnell)
    >     5. Re: Glance Image Visibility Issue? - Non admin users can see
    >        private images from other tenants
    >        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
    >     6. Re: Glance Image Visibility Issue? - Non admin users can see
    >        private images from other tenants (iain MacDonnell)
    >     7. Re: Glance Image Visibility Issue? - Non  admin users can see
    >        private images from other tenants (Chris Apsey)
    >     8. osops-tools-monitoring Dependency problems (Tomáš Vondra)
    >     9. [heat][cinder] How to create stack snapshot       including volumes
    >        (Christian Zunker)
    >    10. Fleio - OpenStack billing - ver. 1.1 released (Adrian Andreias)
    >    11. Re: [Openstack-sigs] [all] Naming the T   release of OpenStack
    >        (Tony Breeds)
    >    12. Re: Glance Image Visibility Issue? - Non admin users can see
    >        private images from other tenants
    >        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
    >    13. Re: Glance Image Visibility Issue? - Non admin users can see
    >        private images from other tenants
    >        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
    >    14. Re: Fleio - OpenStack billing - ver. 1.1 released (Jay Pipes)
    >    15. Re: Fleio - OpenStack billing - ver. 1.1  released (Mohammed Naser)
    >    16. [Octavia] SSL errors polling amphorae and missing tenant
    >        network interface (Erik McCormick)
    >    17. Re: [Octavia] SSL errors polling amphorae and missing tenant
    >        network interface (Gaël THEROND)
    >
    >
    > ----------------------------------------------------------------------
    >
    > Message: 1
    > Date: Thu, 18 Oct 2018 17:07:00 -0500
    > From: Matt Riedemann <[hidden email]>
    > To: "[hidden email]"
    >          <[hidden email]>
    > Subject: [Openstack-operators] [nova] Removing the CachingScheduler
    > Message-ID: <[hidden email]>
    > Content-Type: text/plain; charset=utf-8; format=flowed
    >
    > It's been deprecated since Pike, and the time has come to remove it [1].
    >
    > mgagne has been the most vocal CachingScheduler operator I know and he
    > has tested out the "nova-manage placement heal_allocations" CLI, added
    > in Rocky, and said it will work for migrating his deployment from the
    > CachingScheduler to the FilterScheduler + Placement.
    >
    > If you are using the CachingScheduler and have a problem with its
    > removal, now is the time to speak up or forever hold your peace.
    >
    > [1] https://review.openstack.org/#/c/611723/1 
    >
    > --
    >
    > Thanks,
    >
    > Matt
    >
    >
    >
    > ------------------------------
    >
    > Message: 2
    > Date: Thu, 18 Oct 2018 22:11:40 +0000
    > From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
    >          <[hidden email]>
    > To: iain MacDonnell <[hidden email]>,
    >          "[hidden email]"
    >          <[hidden email]>
    > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
    >          Non admin users can see private images from other tenants
    > Message-ID: <[hidden email]>
    > Content-Type: text/plain; charset="utf-8"
    >
    > I have replicated this unexpected behavior in a Pike test environment,
    > in addition to our Queens environment.
    >
    >
    >
    > Mike Moore, M.S.S.E.
    >
    > Systems Engineer, Goddard Private Cloud
    > [hidden email]
    >
    > Hydrogen fusion brightens my day.
    >
    >
    > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
    > INTEGRA, INC.]" <[hidden email]> wrote:
    >
    >      Yes. I verified it by creating a non-admin user in a different
    > tenant. I created a new image, set to private with the project defined
    > as our admin tenant.
    >
    >      In the database I can see that the image is 'private' and the owner
    > is the ID of the admin tenant.
    >
    >      Mike Moore, M.S.S.E.
    >
    >      Systems Engineer, Goddard Private Cloud
    >      [hidden email]
    >
    >      Hydrogen fusion brightens my day.
    >
    >
    >      On 10/18/18, 1:07 AM, "iain MacDonnell"
    > <[hidden email]> wrote:
    >
    >
    >
    >          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
    >          INTEGRA, INC.] wrote:
    >          > I’m seeing unexpected behavior in our Queens environment
    > related to
    >          > Glance image visibility. Specifically users who, based on my
    >          > understanding of the visibility and ownership fields, should
    > NOT be able
    >          > to see or view the image.
    >          >
    >          > If I create a new image with openstack image create and
    > specify –project
    >          > <tenant> and –private a non-admin user in a different tenant
    > can see and
    >          > boot that image.
    >          >
    >          > That seems to be the opposite of what should happen. Any ideas?
    >
    >          Yep, something's not right there.
    >
    >          Are you sure that the user that can see the image doesn't have
    > the admin
    >          role (for the project in its keystone token) ?
    >
    >          Did you verify that the image's owner is what you intended, and
    > that the
    >          visibility really is "private" ?
    >
    >               ~iain
    >
    >
    >
    >
    > ------------------------------
    >
    > Message: 3
    > Date: Thu, 18 Oct 2018 18:23:35 -0400
    > From: Chris Apsey <[hidden email]>
    > To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
    >          <[hidden email]>, iain MacDonnell
    >          <[hidden email]>,
    >          <[hidden email]>
    > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
    >          Non     admin users can see private images from other tenants
    > Message-ID:
    >          <[hidden email]>
    > Content-Type: text/plain; format=flowed; charset="UTF-8"
    >
    > Do you have a liberal/custom policy.json that perhaps is causing unexpected
    > behavior?  Can't seem to reproduce this.
    >
    > On October 18, 2018 18:13:22 "Moore, Michael Dane (GSFC-720.0)[BUSINESS
    > INTEGRA, INC.]" <[hidden email]> wrote:
    >
    >
    >
    >
    >
    >
    >
    > ------------------------------
    >
    > Message: 4
    > Date: Thu, 18 Oct 2018 15:25:22 -0700
    > From: iain MacDonnell <[hidden email]>
    > To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
    >          <[hidden email]>,
    > "[hidden email]"
    >          <[hidden email]>
    > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
    >          Non admin users can see private images from other tenants
    > Message-ID: <[hidden email]>
    > Content-Type: text/plain; charset=utf-8; format=flowed
    >
    >
    > I suspect that your non-admin user is not really non-admin. How did you
    > create it?
    >
    > What you have for "context_is_admin" in glance's policy.json ?
    >
    >       ~iain
    >
    >
    > On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
    > INTEGRA, INC.] wrote:
    >
    >
    >
    > ------------------------------
    >
    > Message: 5
    > Date: Thu, 18 Oct 2018 22:32:42 +0000
    > From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
    >          <[hidden email]>
    > To: iain MacDonnell <[hidden email]>,
    >          "[hidden email]"
    >          <[hidden email]>
    > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
    >          Non admin users can see private images from other tenants
    > Message-ID: <[hidden email]>
    > Content-Type: text/plain; charset="utf-8"
    >
    > openstack user create --domain default --password xxxxxxxx
    > --project-domain ndc --project test mike
    >
    >
    > openstack role add --user mike --user-domain default --project test user
    >
    > my admin account is in the NDC domain with a different username.
    >
    >
    >
    > /etc/glance/policy.json
    > {
    >
    > "context_is_admin":  "role:admin",
    > "default": "role:admin",
    >
    > <snip>
    >
    >
    > I'm not terribly familiar with the policies but I feel like that default
    > line is making everyone an admin by default?
    >
    >
    > Mike Moore, M.S.S.E.
    >
    > Systems Engineer, Goddard Private Cloud
    > [hidden email]
    >
    > Hydrogen fusion brightens my day.
    >
    >
    > On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
    >
    >
    >      I suspect that your non-admin user is not really non-admin. How did
    >      you create it?
    >
    >      What do you have for "context_is_admin" in glance's policy.json?
    >
    >           ~iain
    >
    >
    >      On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
    >      INTEGRA, INC.] wrote:
    >      > I have replicated this unexpected behavior in a Pike test
    > environment, in addition to our Queens environment.
    >      >
    >      >
    >      >
    >      > Mike Moore, M.S.S.E.
    >      >
    >      > Systems Engineer, Goddard Private Cloud
    >      > [hidden email]
    >      >
    >      > Hydrogen fusion brightens my day.
    >      >
    >      >
    >      > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
    > INTEGRA, INC.]" <[hidden email]> wrote:
    >      >
    >      >      Yes. I verified it by creating a non-admin user in a
    > different tenant. I created a new image, set to private with the project
    > defined as our admin tenant.
    >      >
    >      >      In the database I can see that the image is 'private' and
    > the owner is the ID of the admin tenant.
    >      >
    >      >      Mike Moore, M.S.S.E.
    >      >
    >      >      Systems Engineer, Goddard Private Cloud
    >      >      [hidden email]
    >      >
    >      >      Hydrogen fusion brightens my day.
    >      >
    >      >
    >      >      On 10/18/18, 1:07 AM, "iain MacDonnell"
    > <[hidden email]> wrote:
    >      >
    >      >
    >      >
    >      >          On 10/17/2018 12:29 PM, Moore, Michael Dane
    > (GSFC-720.0)[BUSINESS
    >      >          INTEGRA, INC.] wrote:
    >      >          > I’m seeing unexpected behavior in our Queens
    > environment related to
    >      >          > Glance image visibility. Specifically users who, based
    > on my
    >      >          > understanding of the visibility and ownership fields,
    > should NOT be able
    >      >          > to see or view the image.
    >      >          >
    >      >          > If I create a new image with openstack image create
    > and specify –project
    >      >          > <tenant> and –private a non-admin user in a different
    > tenant can see and
    >      >          > boot that image.
    >      >          >
    >      >          > That seems to be the opposite of what should happen.
    > Any ideas?
    >      >
    >      >          Yep, something's not right there.
    >      >
    >      >          Are you sure that the user that can see the image
    >      >          doesn't have the admin role (for the project in its
    >      >          keystone token)?
    >      >
    >      >          Did you verify that the image's owner is what you
    >      >          intended, and that the visibility really is "private"?
    >      >
    >      >               ~iain
    >      >
    >      >
    >      >
    >      >
    >      >
    >
    >
    >
    > ------------------------------
    >
    > Message: 6
    > Date: Thu, 18 Oct 2018 15:48:27 -0700
    > From: iain MacDonnell <[hidden email]>
    > To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
    >          <[hidden email]>,
    > "[hidden email]"
    >          <[hidden email]>
    > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
    >          Non admin users can see private images from other tenants
    > Message-ID: <[hidden email]>
    > Content-Type: text/plain; charset=utf-8; format=flowed
    >
    >
    > That all looks fine.
    >
    > I believe that the "default" policy applies in place of any that's not
    > explicitly specified - i.e. "if there's no matching policy below, you
    > need to have the admin role to be able to do it". I do have that line in
    > my policy.json, and I cannot reproduce your problem (see below).
    >
    > I'm not using domains (other than "default"). I wonder if that's a factor...
    >
    >       ~iain
    >
    >
    > $ openstack user create --password foo user1
    > +---------------------+----------------------------------+
    > | Field               | Value                            |
    > +---------------------+----------------------------------+
    > | domain_id           | default                          |
    > | enabled             | True                             |
    > | id                  | d18c0031ec56430499a2d690cb1f125c |
    > | name                | user1                            |
    > | options             | {}                               |
    > | password_expires_at | None                             |
    > +---------------------+----------------------------------+
    > $ openstack user create --password foo user2
    > +---------------------+----------------------------------+
    > | Field               | Value                            |
    > +---------------------+----------------------------------+
    > | domain_id           | default                          |
    > | enabled             | True                             |
    > | id                  | be9f1061a5104abd834eabe98dff055d |
    > | name                | user2                            |
    > | options             | {}                               |
    > | password_expires_at | None                             |
    > +---------------------+----------------------------------+
    > $ openstack project create project1
    > +-------------+----------------------------------+
    > | Field       | Value                            |
    > +-------------+----------------------------------+
    > | description |                                  |
    > | domain_id   | default                          |
    > | enabled     | True                             |
    > | id          | 826876d6d3724018bae6253c7f540cb3 |
    > | is_domain   | False                            |
    > | name        | project1                         |
    > | parent_id   | default                          |
    > | tags        | []                               |
    > +-------------+----------------------------------+
    > $ openstack project create project2
    > +-------------+----------------------------------+
    > | Field       | Value                            |
    > +-------------+----------------------------------+
    > | description |                                  |
    > | domain_id   | default                          |
    > | enabled     | True                             |
    > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
    > | is_domain   | False                            |
    > | name        | project2                         |
    > | parent_id   | default                          |
    > | tags        | []                               |
    > +-------------+----------------------------------+
    > $ openstack role add --user user1 --project project1 _member_
    > $ openstack role add --user user2 --project project2 _member_
    > $ export OS_PASSWORD=foo
    > $ export OS_USERNAME=user1
    > $ export OS_PROJECT_NAME=project1
    > $ openstack image list
    > +--------------------------------------+--------+--------+
    > | ID                                   | Name   | Status |
    > +--------------------------------------+--------+--------+
    > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    > +--------------------------------------+--------+--------+
    > $ openstack image create --private image1
    > +------------------+------------------------------------------------------------------------------+
    > | Field            | Value                                                                        |
    > +------------------+------------------------------------------------------------------------------+
    > | checksum         | None                                                                         |
    > | container_format | bare                                                                         |
    > | created_at       | 2018-10-18T22:17:41Z                                                         |
    > | disk_format      | raw                                                                          |
    > | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
    > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
    > | min_disk         | 0                                                                            |
    > | min_ram          | 0                                                                            |
    > | name             | image1                                                                       |
    > | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
    > | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
    > | protected        | False                                                                        |
    > | schema           | /v2/schemas/image                                                            |
    > | size             | None                                                                         |
    > | status           | queued                                                                       |
    > | tags             |                                                                              |
    > | updated_at       | 2018-10-18T22:17:41Z                                                         |
    > | virtual_size     | None                                                                         |
    > | visibility       | private                                                                      |
    > +------------------+------------------------------------------------------------------------------+
    > $ openstack image list
    > +--------------------------------------+--------+--------+
    > | ID                                   | Name   | Status |
    > +--------------------------------------+--------+--------+
    > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
    > +--------------------------------------+--------+--------+
    > $ export OS_USERNAME=user2
    > $ export OS_PROJECT_NAME=project2
    > $ openstack image list
    > +--------------------------------------+--------+--------+
    > | ID                                   | Name   | Status |
    > +--------------------------------------+--------+--------+
    > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    > +--------------------------------------+--------+--------+
    > $ export OS_USERNAME=admin
    > $ export OS_PROJECT_NAME=admin
    > $ export OS_PASSWORD=xxx
    > $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
    > $ export OS_USERNAME=user2
    > $ export OS_PROJECT_NAME=project2
    > $ export OS_PASSWORD=foo
    > $ openstack image list
    > +--------------------------------------+--------+--------+
    > | ID                                   | Name   | Status |
    > +--------------------------------------+--------+--------+
    > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
    > +--------------------------------------+--------+--------+
    > $
    >
    >
    >
    >
    >
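The policy semantics Iain describes (an action missing from policy.json falls back to "default", and "context_is_admin" decides who gets the admin view) and the user1/user2/admin steps he ran, replayed offline as an added example that is not code from this thread, from Glance or from oslo.policy. It implements only the subset of oslo.policy rule syntax the quoted policy.json uses; the project and image ids come from Iain's output, while the policy fragment, the admin project id, the extra get_images/get_image/publicize_image rules and all helper names are constructed for this example.

```python
"""Replay of the Glance visibility experiment from this thread (added example)."""
import json
from typing import Dict

# Constructed policy fragment: the two lines Mike quoted, plus three rules
# of the kind a real Glance policy.json carries.  In oslo.policy an empty
# rule string means "always allowed".
POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "default": "role:admin",
    "get_images": "",
    "get_image": "",
    "publicize_image": "role:admin"
}
"""
RULES: Dict[str, str] = json.loads(POLICY_JSON)

# Project ids taken from Iain's reproduction; the admin project id is made up.
PROJECT1 = "826876d6d3724018bae6253c7f540cb3"
PROJECT2 = "b446b93ac6e24d538c1943acbdd13cb2"
USER1 = {"project_id": PROJECT1, "roles": ["_member_"]}
USER2 = {"project_id": PROJECT2, "roles": ["_member_"]}
ADMIN = {"project_id": "admin-project-id-placeholder", "roles": ["admin"]}
IMAGE1 = {"id": "6a0c1928-b79c-4dbf-a9c9-305b599056e4",
          "owner": PROJECT1, "visibility": "private"}


def check_rule(expr: str, creds: Dict, rules: Dict[str, str]) -> bool:
    """Evaluate one rule string against a token's credentials.

    Supported subset: "" or "@" (always true), "!" (always false),
    "role:NAME", "rule:OTHER" and "and"/"or" chains without parentheses
    ("and" binds tighter, as in oslo.policy).  Anything else is False,
    so an unknown check fails closed.
    """
    expr = expr.strip()
    if expr in ("", "@"):
        return True
    if expr == "!":
        return False
    if " or " in expr:
        return any(check_rule(p, creds, rules) for p in expr.split(" or "))
    if " and " in expr:
        return all(check_rule(p, creds, rules) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return check_rule(rules.get(value, rules.get("default", "!")), creds, rules)
    return False


def enforce(action: str, creds: Dict, rules: Dict[str, str]) -> bool:
    """Authorise an API action; an action absent from the file falls back
    to the "default" rule, which is the behaviour Iain describes."""
    return check_rule(rules.get(action, rules.get("default", "!")), creds, rules)


def is_admin(creds: Dict, rules: Dict[str, str]) -> bool:
    """Glance derives its admin context from the "context_is_admin" rule."""
    return check_rule(rules.get("context_is_admin", "!"), creds, rules)


def image_visible(image: Dict, creds: Dict, rules: Dict[str, str]) -> bool:
    """Whether a project may access the image under Glance v2 semantics:
    admins see everything; public and community images are open to all;
    private images only to the owning project; shared images to the owner
    and to projects whose membership was accepted (assumption: pending
    members are treated as not visible here)."""
    if is_admin(creds, rules):
        return True
    vis = image["visibility"]
    if vis in ("public", "community") or image["owner"] == creds["project_id"]:
        return True
    if vis == "shared":
        return creds["project_id"] in image.get("accepted_members", [])
    return False


def walk_through() -> Dict[str, bool]:
    """Replay Iain's steps and answer Mike's question about whether
    "default": "role:admin" makes everyone an admin (it does not)."""
    public = dict(IMAGE1, visibility="public")  # after 'openstack image set --public'
    return {
        "user1_sees_private": image_visible(IMAGE1, USER1, RULES),
        "user2_sees_private": image_visible(IMAGE1, USER2, RULES),
        "admin_sees_private": image_visible(IMAGE1, ADMIN, RULES),
        "user2_sees_after_public": image_visible(public, USER2, RULES),
        "member_can_publicize": enforce("publicize_image", USER2, RULES),
        "admin_can_publicize": enforce("publicize_image", ADMIN, RULES),
        "member_unlisted_action": enforce("not_in_policy_file", USER2, RULES),
        "member_is_admin": is_admin(USER2, RULES),
    }


if __name__ == "__main__":
    for name, allowed in walk_through().items():
        print(f"{name:26} {allowed}")
```

If a "non-admin" user in your own environment comes out with member_is_admin True under your real policy.json and the roles in its token, that is the condition Iain suspected; the same evaluator also shows what an empty "default" rule would grant to every caller.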
    > ------------------------------
    >
    > Message: 7
    > Date: Thu, 18 Oct 2018 19:23:42 -0400
    > From: Chris Apsey <[hidden email]>
    > To: iain MacDonnell <[hidden email]>, "Moore, Michael Dane
    >          (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]>,
    >          <[hidden email]>
    > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
    >          Non admin users can see private images from other tenants
    > Message-ID:
    >          <[hidden email]>
    > Content-Type: text/plain; format=flowed; charset="UTF-8"
    >
    > We are using multiple keystone domains - still can't reproduce this.
    >
    > Do you happen to have a customized keystone policy.json?
    >
    > Worst case, I would launch a devstack of your targeted release. If you
    > can't reproduce the issue there, you would at least know it's caused by a
    > nonstandard config rather than a bug (or at least not a bug that's present
    > when using a default config).
    >
    >
    >
    >
    >
    >
    >
    > ------------------------------
    >
    > Message: 8
    > Date: Fri, 19 Oct 2018 10:58:30 +0200
    > From: Tomáš Vondra <[hidden email]>
    > To: <[hidden email]>
    > Subject: [Openstack-operators] osops-tools-monitoring Dependency problems
    > Message-ID: <049e01d46789$e8bf5220$ba3df660$@homeatcloud.cz>
    > Content-Type: text/plain; charset="iso-8859-2"
    >
    > Hi!
    > I'm a long-time user of monitoring-for-openstack, also known as oschecks.
    > Concretely, I used a version from 2015 with OpenStack python client
    > libraries from Kilo. Now I have upgraded them to Mitaka and it got broken.
    > Even the latest oschecks don't work. I didn't quite expect that, given that
    > there are several commits from this year, e.g. by Nagasai Vinaykumar
    > Kapalavai and paramite. Can one of them or some other user step up and say
    > what version of the OpenStack clients oschecks works with? Ideally, write
    > it down in requirements.txt so that it will be reproducible? Also, some
    > documentation of what the minimal set of parameters is would come in
    > handy.
    > Thanks a lot, Tomas from Homeatcloud
    >
    > The error messages are as absurd as:
    > oschecks-check_glance_api --os_auth_url='http://10.1.101.30:5000/v2.0'
    > --os_username=monitoring --os_password=XXX --os_tenant_name=monitoring
    >
    > CRITICAL: Traceback (most recent call last):
    >    File "/usr/lib/python2.7/dist-packages/oschecks/utils.py", line 121, in
    > safe_run
    >      method()
    >    File "/usr/lib/python2.7/dist-packages/oschecks/glance.py", line 29, in
    > _check_glance_api
    >      glance = utils.Glance()
    >    File "/usr/lib/python2.7/dist-packages/oschecks/utils.py", line 177, in
    > __init__
    >      self.glance.parser = self.glance.get_base_parser(sys.argv)
    > TypeError: get_base_parser() takes exactly 1 argument (2 given)
    >
    > (I can see 4 parameters on the command line.)
    >
    >
    >
    >
    > ------------------------------
    >
    > Message: 9
    > Date: Fri, 19 Oct 2018 11:21:25 +0200
    > From: Christian Zunker <[hidden email]>
    > To: openstack-operators <[hidden email]>
    > Subject: [Openstack-operators] [heat][cinder] How to create stack
    >          snapshot        including volumes
    > Message-ID:
    >          
    > <CAHS=[hidden email]>
    > Content-Type: text/plain; charset="utf-8"
    >
    > Hi List,
    >
    > I'd like to take snapshots of heat stacks including the volumes.
    > From what I found until now, this should be possible. You just have to
    > configure some parts of OpenStack.
    >
    > I enabled cinder-backup with ceph backend. Backups from volumes are working.
    > I configured heat to include the option backups_enabled = True.
    >
    > When I use openstack stack snapshot create, I get a snapshot but no backups
    > of my volumes. I don't get any error messages in heat. Debug logging didn't
    > help either.
    >
    > OpenStack version is Pike on Ubuntu installed with openstack-ansible.
    > heat version is 9.0.3. So this should also include this bugfix:
    > https://bugs.launchpad.net/heat/+bug/1687006
    >
    > Is anybody using this feature? What am I missing?
    >
    > Best regards
    > Christian
    > -------------- next part --------------
    > An HTML attachment was scrubbed...
    > URL:
    > <http://lists.openstack.org/pipermail/openstack-operators/attachments/20181019/bb7dd81b/attachment-0001.html>
    >
    > ------------------------------
    >
    > Message: 10
    > Date: Fri, 19 Oct 2018 12:42:00 +0300
    > From: Adrian Andreias <[hidden email]>
    > To: [hidden email]
    > Subject: [Openstack-operators] Fleio - OpenStack billing - ver. 1.1
    >          released
    > Message-ID:
    >          
    > <CACp-FE3gEP=nwXRtwy-H13qXrnhPa5bn0uWiukxWp=[hidden email]>
    > Content-Type: text/plain; charset="utf-8"
    >
    > Hello,
    >
    > We've just released Fleio version 1.1.
    >
    > Fleio is a billing solution and control panel for OpenStack public clouds
    > and traditional web hosters.
    >
    > Fleio software automates the entire process for cloud users. New customers
    > can use Fleio to sign up for an account, pay invoices, add credit to their
    > account, as well as create and manage cloud resources such as virtual
    > machines, storage and networking.
    >
    > Full feature list:
    > https://fleio.com#features 
    >
    > You can see an online demo:
    > https://fleio.com/demo 
    >
    > And sign-up for a free trial:
    > https://fleio.com/signup 
    >
    >
    >
    > Cheers!
    >
    > - Adrian Andreias
    > https://fleio.com 
    > -------------- next part --------------
    > An HTML attachment was scrubbed...
    > URL:
    > <http://lists.openstack.org/pipermail/openstack-operators/attachments/20181019/3031e47f/attachment-0001.html>
    >
    > ------------------------------
    >
    > Message: 11
    > Date: Fri, 19 Oct 2018 20:54:29 +1100
    > From: Tony Breeds <[hidden email]>
    > To: OpenStack Development <[hidden email]>,
    >          OpenStack SIGs <[hidden email]>, OpenStack
    >          Operators <[hidden email]>
    > Subject: Re: [Openstack-operators] [Openstack-sigs] [all] Naming the T
    >          release of OpenStack
    > Message-ID: <[hidden email]>
    > Content-Type: text/plain; charset="utf-8"
    >
    > On Thu, Oct 18, 2018 at 05:35:39PM +1100, Tony Breeds wrote:
    >> Hello all,
    >>     As per [1] the nomination period for names for the T release has
    >> now closed (actually 3 days ago, sorry).  The nominated names and any
    >> qualifying remarks can be seen at [2].
    >>
    >> Proposed Names
    >>  * Tarryall
    >>  * Teakettle
    >>  * Teller
    >>  * Telluride
    >>  * Thomas
    >>  * Thornton
    >>  * Tiger
    >>  * Tincup
    >>  * Timnath
    >>  * Timber
    >>  * Tiny Town
    >>  * Torreys
    >>  * Trail
    >>  * Trinidad
    >>  * Treasure
    >>  * Troublesome
    >>  * Trussville
    >>  * Turret
    >>  * Tyrone
    >>
    >> Proposed Names that do not meet the criteria
    >>  * Train
    >
    > I have re-worked my openstack/governance change[1] to ask the TC to accept
    > adding Train to the poll as (partially) described in [2].
    >
    > I present the names above to the community and Foundation marketing team
    > for consideration.  The list above does contain Train; clearly, if the TC
    > do not approve [1], Train will not be included in the poll when created.
    >
    > I apologise for any offence or slight caused by my previous email in
    > this thread.  It was well intentioned albeit, with hindsight, poorly
    > thought through.
    >
    > Yours Tony.
    >
    > [1] https://review.openstack.org/#/c/611511/ 
    > [2]
    > https://governance.openstack.org/tc/reference/release-naming.html#release-name-criteria 
    > -------------- next part --------------
    > A non-text attachment was scrubbed...
    > Name: signature.asc
    > Type: application/pgp-signature
    > Size: 488 bytes
    > Desc: not available
    > URL:
    > <http://lists.openstack.org/pipermail/openstack-operators/attachments/20181019/49c95d5d/attachment-0001.sig>
    >
    > ------------------------------
    >
    > Message: 12
    > Date: Fri, 19 Oct 2018 16:33:17 +0000
    > From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
    >          <[hidden email]>
    > To: Chris Apsey <[hidden email]>, iain MacDonnell
    >          <[hidden email]>,
    >          "[hidden email]"
    >          <[hidden email]>
    > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
    >          Non admin users can see private images from other tenants
    > Message-ID: <[hidden email]>
    > Content-Type: text/plain; charset="utf-8"
    >
    > Our NDC domain is LDAP backed. Default is not.
    >
    > Our keystone policy.json file is empty {}
    >
    >
    >
    > Mike Moore, M.S.S.E.
    >
    > Systems Engineer, Goddard Private Cloud
    > [hidden email]
    >
    > Hydrogen fusion brightens my day.
    >
    >
    > On 10/18/18, 7:24 PM, "Chris Apsey" <[hidden email]> wrote:
    >
    >      We are using multiple keystone domains - still can't reproduce this.
    >
    >      Do you happen to have a customized keystone policy.json?
    >
    >      Worst case, I would launch a devstack of your targeted release.  If you
    >      can't reproduce the issue there, you would at least know it's caused by a
    >      nonstandard config rather than a bug (or at least not a bug that's present
    >      when using a default config)
    >
    >      On October 18, 2018 18:50:12 iain MacDonnell <[hidden email]> wrote:
    >
    >      > That all looks fine.
    >      >
    >      > I believe that the "default" policy applies in place of any that's not
    >      > explicitly specified - i.e. "if there's no matching policy below, you
    >      > need to have the admin role to be able to do it". I do have that line in
    >      > my policy.json, and I cannot reproduce your problem (see below).
    >      >
    >      > I'm not using domains (other than "default"). I wonder if that's a factor...
    >      >
    >      >     ~iain
    >      >
    >      >
    >      > $ openstack user create --password foo user1
    >      > +---------------------+----------------------------------+
    >      > | Field               | Value                            |
    >      > +---------------------+----------------------------------+
    >      > | domain_id           | default                          |
    >      > | enabled             | True                             |
    >      > | id                  | d18c0031ec56430499a2d690cb1f125c |
    >      > | name                | user1                            |
    >      > | options             | {}                               |
    >      > | password_expires_at | None                             |
    >      > +---------------------+----------------------------------+
    >      > $ openstack user create --password foo user2
    >      > +---------------------+----------------------------------+
    >      > | Field               | Value                            |
    >      > +---------------------+----------------------------------+
    >      > | domain_id           | default                          |
    >      > | enabled             | True                             |
    >      > | id                  | be9f1061a5104abd834eabe98dff055d |
    >      > | name                | user2                            |
    >      > | options             | {}                               |
    >      > | password_expires_at | None                             |
    >      > +---------------------+----------------------------------+
    >      > $ openstack project create project1
    >      > +-------------+----------------------------------+
    >      > | Field       | Value                            |
    >      > +-------------+----------------------------------+
    >      > | description |                                  |
    >      > | domain_id   | default                          |
    >      > | enabled     | True                             |
    >      > | id          | 826876d6d3724018bae6253c7f540cb3 |
    >      > | is_domain   | False                            |
    >      > | name        | project1                         |
    >      > | parent_id   | default                          |
    >      > | tags        | []                               |
    >      > +-------------+----------------------------------+
    >      > $ openstack project create project2
    >      > +-------------+----------------------------------+
    >      > | Field       | Value                            |
    >      > +-------------+----------------------------------+
    >      > | description |                                  |
    >      > | domain_id   | default                          |
    >      > | enabled     | True                             |
    >      > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
    >      > | is_domain   | False                            |
    >      > | name        | project2                         |
    >      > | parent_id   | default                          |
    >      > | tags        | []                               |
    >      > +-------------+----------------------------------+
    >      > $ openstack role add --user user1 --project project1 _member_
    >      > $ openstack role add --user user2 --project project2 _member_
    >      > $ export OS_PASSWORD=foo
    >      > $ export OS_USERNAME=user1
    >      > $ export OS_PROJECT_NAME=project1
    >      > $ openstack image list
    >      > +--------------------------------------+--------+--------+
    >      > | ID                                   | Name   | Status |
    >      > +--------------------------------------+--------+--------+
    >      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    >      > +--------------------------------------+--------+--------+
    >      > $ openstack image create --private image1
    >      > +------------------+------------------------------------------------------------------------------+
    >      > | Field            | Value                                                                        |
    >      > +------------------+------------------------------------------------------------------------------+
    >      > | checksum         | None                                                                         |
    >      > | container_format | bare                                                                         |
    >      > | created_at       | 2018-10-18T22:17:41Z                                                         |
    >      > | disk_format      | raw                                                                          |
    >      > | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
    >      > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
    >      > | min_disk         | 0                                                                            |
    >      > | min_ram          | 0                                                                            |
    >      > | name             | image1                                                                       |
    >      > | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
    >      > | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
    >      > | protected        | False                                                                        |
    >      > | schema           | /v2/schemas/image                                                            |
    >      > | size             | None                                                                         |
    >      > | status           | queued                                                                       |
    >      > | tags             |                                                                              |
    >      > | updated_at       | 2018-10-18T22:17:41Z                                                         |
    >      > | virtual_size     | None                                                                         |
    >      > | visibility       | private                                                                      |
    >      > +------------------+------------------------------------------------------------------------------+
    >      > $ openstack image list
    >      > +--------------------------------------+--------+--------+
    >      > | ID                                   | Name   | Status |
    >      > +--------------------------------------+--------+--------+
    >      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    >      > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
    >      > +--------------------------------------+--------+--------+
    >      > $ export OS_USERNAME=user2
    >      > $ export OS_PROJECT_NAME=project2
    >      > $ openstack image list
    >      > +--------------------------------------+--------+--------+
    >      > | ID                                   | Name   | Status |
    >      > +--------------------------------------+--------+--------+
    >      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    >      > +--------------------------------------+--------+--------+
    >      > $ export OS_USERNAME=admin
    >      > $ export OS_PROJECT_NAME=admin
    >      > $ export OS_PASSWORD=xxx
    >      > $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
    >      > $ export OS_USERNAME=user2
    >      > $ export OS_PROJECT_NAME=project2
    >      > $ export OS_PASSWORD=foo
    >      > $ openstack image list
    >      > +--------------------------------------+--------+--------+
    >      > | ID                                   | Name   | Status |
    >      > +--------------------------------------+--------+--------+
    >      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    >      > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
    >      > +--------------------------------------+--------+--------+
    >      > $
    >      >
    >      >
    >      > On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
    >      > INTEGRA, INC.] wrote:
    >      >> openstack user create --domain default --password xxxxxxxx --project-domain ndc --project test mike
    >      >>
    >      >>
    >      >> openstack role add --user mike --user-domain default --project test user
    >      >>
    >      >> my admin account is in the NDC domain with a different username.
    >      >>
    >      >>
    >      >>
    >      >> /etc/glance/policy.json
    >      >> {
    >      >>
    >      >> "context_is_admin":  "role:admin",
    >      >> "default": "role:admin",
    >      >>
    >      >> <snip>
    >      >>
    >      >>
    >      >> I'm not terribly familiar with the policies but I feel like that default
    >      >> line is making everyone an admin by default?
    >      >>
    >      >>
    >      >> Mike Moore, M.S.S.E.
    >      >>
    >      >> Systems Engineer, Goddard Private Cloud
    >      >> [hidden email]
    >      >>
    >      >> Hydrogen fusion brightens my day.
    >      >>
    >      >>
    >      >> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
    >      >>
    >      >>
    >      >> I suspect that your non-admin user is not really non-admin. How did you
    >      >> create it?
    >      >>
    >      >> What do you have for "context_is_admin" in glance's policy.json?
    >      >>
    >      >>  ~iain
    >      >>
    >      >>
    >      >> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
    >      >> INTEGRA, INC.] wrote:
    >      >>> I have replicated this unexpected behavior in a Pike test environment, in
    >      >>> addition to our Queens environment.
    >      >>>
    >      >>>
    >      >>>
    >      >>> Mike Moore, M.S.S.E.
    >      >>>
    >      >>> Systems Engineer, Goddard Private Cloud
    >      >>> [hidden email]
    >      >>>
    >      >>> Hydrogen fusion brightens my day.
    >      >>>
    >      >>>
    >      >>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
    >      >>> INC.]" <[hidden email]> wrote:
    >      >>>
    >      >>>    Yes. I verified it by creating a non-admin user in a different tenant. I
    >      >>>    created a new image, set to private with the project defined as our admin
    >      >>>    tenant.
    >      >>>
    >      >>>    In the database I can see that the image is 'private' and the owner is the
    >      >>>    ID of the admin tenant.
    >      >>>
    >      >>>    Mike Moore, M.S.S.E.
    >      >>>
    >      >>>    Systems Engineer, Goddard Private Cloud
    >      >>>    [hidden email]
    >      >>>
    >      >>>    Hydrogen fusion brightens my day.
    >      >>>
    >      >>>
    >      >>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
    >      >>>
    >      >>>
    >      >>>
    >      >>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
    >      >>>        INTEGRA, INC.] wrote:
    >      >>>        > I'm seeing unexpected behavior in our Queens environment related to
    >      >>>        > Glance image visibility. Specifically users who, based on my
    >      >>>        > understanding of the visibility and ownership fields, should NOT be able
    >      >>>        > to see or view the image.
    >      >>>        >
    >      >>>        > If I create a new image with openstack image create and specify --project
    >      >>>        > <tenant> and --private a non-admin user in a different tenant can see and
    >      >>>        > boot that image.
    >      >>>        >
    >      >>>        > That seems to be the opposite of what should happen. Any ideas?
    >      >>>
    >      >>>        Yep, something's not right there.
    >      >>>
    >      >>>        Are you sure that the user that can see the image doesn't have the admin
    >      >>>        role (for the project in its keystone token)?
    >      >>>
    >      >>>        Did you verify that the image's owner is what you intended, and that the
    >      >>>        visibility really is "private"?
    >      >>>
    >      >>>             ~iain
    >      >>>
    >      >>>        _______________________________________________
    >      >>>        OpenStack-operators mailing list
    >      >>>        [hidden email]
    >      >>>        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
    >      >>>
    >      >>>
    >      >>>    _______________________________________________
    >      >>>    OpenStack-operators mailing list
    >      >>>    [hidden email]
    >      >>>    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
    >      >
    >      > _______________________________________________
    >      > OpenStack-operators mailing list
    >      > [hidden email]
    >      > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
    >
    >
    >
    >
    >
    >
    > ------------------------------
    >
    > Message: 13
    > Date: Fri, 19 Oct 2018 16:54:12 +0000
    > From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
    >          <[hidden email]>
    > To: Chris Apsey <[hidden email]>, iain MacDonnell
    >          <[hidden email]>,
    >          "[hidden email]"
    >          <[hidden email]>
    > Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
    >          Non admin users can see private images from other tenants
    > Message-ID: <[hidden email]>
    > Content-Type: text/plain; charset="utf-8"
    >
    >
    > For reference, here is our full glance policy.json
    >
    >
    > {
    >      "context_is_admin":  "role:admin",
    >      "default": "role:admin",
    >
    >      "add_image": "",
    >      "delete_image": "",
    >      "get_image": "",
    >      "get_images": "",
    >      "modify_image": "",
    >      "publicize_image": "role:admin",
    >      "communitize_image": "",
    >      "copy_from": "",
    >
    >      "download_image": "",
    >      "upload_image": "",
    >
    >      "delete_image_location": "",
    >      "get_image_location": "",
    >      "set_image_location": "",
    >
    >      "add_member": "",
    >      "delete_member": "",
    >      "get_member": "",
    >      "get_members": "",
    >      "modify_member": "",
    >
    >      "manage_image_cache": "role:admin",
    >
    >      "get_task": "",
    >      "get_tasks": "",
    >      "add_task": "",
    >      "modify_task": "",
    >      "tasks_api_access": "role:admin",
    >
    >      "deactivate": "",
    >      "reactivate": "",
    >
    >      "get_metadef_namespace": "",
    >      "get_metadef_namespaces":"",
    >      "modify_metadef_namespace":"",
    >      "add_metadef_namespace":"",
    >
    >      "get_metadef_object":"",
    >      "get_metadef_objects":"",
    >      "modify_metadef_object":"",
    >      "add_metadef_object":"",
    >
    >      "list_metadef_resource_types":"",
    >      "get_metadef_resource_type":"",
    >      "add_metadef_resource_type_association":"",
    >
    >      "get_metadef_property":"",
    >      "get_metadef_properties":"",
    >      "modify_metadef_property":"",
    >      "add_metadef_property":"",
    >
    >      "get_metadef_tag":"",
    >      "get_metadef_tags":"",
    >      "modify_metadef_tag":"",
    >      "add_metadef_tag":"",
    >      "add_metadef_tags":""
    >
    > }
    >
    >
    > Mike Moore, M.S.S.E.
    >
    > Systems Engineer, Goddard Private Cloud
    > [hidden email]
    >
    > Hydrogen fusion brightens my day.
    >
    >
    > On 10/19/18, 12:39 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
    > INTEGRA, INC.]" <[hidden email]> wrote:
    >
    >      Our NDC domain is LDAP backed. Default is not.
    >
    >      Our keystone policy.json file is empty {}
    >
    >
    >
    >      Mike Moore, M.S.S.E.
    >
    >      Systems Engineer, Goddard Private Cloud
    >      [hidden email]
    >
    >      Hydrogen fusion brightens my day.
    >
    >
    >      On 10/18/18, 7:24 PM, "Chris Apsey" <[hidden email]> wrote:
    >
    >          We are using multiple keystone domains - still can't reproduce this.
    >
    >          Do you happen to have a customized keystone policy.json?
    >
    >          Worst case, I would launch a devstack of your targeted release.  If you
    >          can't reproduce the issue there, you would at least know it's caused by a
    >          nonstandard config rather than a bug (or at least not a bug that's present
    >          when using a default config)
    >
    >          On October 18, 2018 18:50:12 iain MacDonnell <[hidden email]> wrote:
    >
    >          > That all looks fine.
    >          >
    >          > I believe that the "default" policy applies in place of any that's not
    >          > explicitly specified - i.e. "if there's no matching policy below, you
    >          > need to have the admin role to be able to do it". I do have that line in
    >          > my policy.json, and I cannot reproduce your problem (see below).
    >          >
    >          > I'm not using domains (other than "default"). I wonder if that's a factor...
    >          >
    >          >     ~iain
    >          >
    >          >
    >          > $ openstack user create --password foo user1
    >          > +---------------------+----------------------------------+
    >          > | Field               | Value                            |
    >          > +---------------------+----------------------------------+
    >          > | domain_id           | default                          |
    >          > | enabled             | True                             |
    >          > | id                  | d18c0031ec56430499a2d690cb1f125c |
    >          > | name                | user1                            |
    >          > | options             | {}                               |
    >          > | password_expires_at | None                             |
    >          > +---------------------+----------------------------------+
    >          > $ openstack user create --password foo user2
    >          > +---------------------+----------------------------------+
    >          > | Field               | Value                            |
    >          > +---------------------+----------------------------------+
    >          > | domain_id           | default                          |
    >          > | enabled             | True                             |
    >          > | id                  | be9f1061a5104abd834eabe98dff055d |
    >          > | name                | user2                            |
    >          > | options             | {}                               |
    >          > | password_expires_at | None                             |
    >          > +---------------------+----------------------------------+
    >          > $ openstack project create project1
    >          > +-------------+----------------------------------+
    >          > | Field       | Value                            |
    >          > +-------------+----------------------------------+
    >          > | description |                                  |
    >          > | domain_id   | default                          |
    >          > | enabled     | True                             |
    >          > | id          | 826876d6d3724018bae6253c7f540cb3 |
    >          > | is_domain   | False                            |
    >          > | name        | project1                         |
    >          > | parent_id   | default                          |
    >          > | tags        | []                               |
    >          > +-------------+----------------------------------+
    >          > $ openstack project create project2
    >          > +-------------+----------------------------------+
    >          > | Field       | Value                            |
    >          > +-------------+----------------------------------+
    >          > | description |                                  |
    >          > | domain_id   | default                          |
    >          > | enabled     | True                             |
    >          > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
    >          > | is_domain   | False                            |
    >          > | name        | project2                         |
    >          > | parent_id   | default                          |
    >          > | tags        | []                               |
    >          > +-------------+----------------------------------+
    >          > $ openstack role add --user user1 --project project1 _member_
    >          > $ openstack role add --user user2 --project project2 _member_
    >          > $ export OS_PASSWORD=foo
    >          > $ export OS_USERNAME=user1
    >          > $ export OS_PROJECT_NAME=project1
    >          > $ openstack image list
    >          > +--------------------------------------+--------+--------+
    >          > | ID                                   | Name   | Status |
    >          > +--------------------------------------+--------+--------+
    >          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    >          > +--------------------------------------+--------+--------+
    >          > $ openstack image create --private image1
    >          > +------------------+------------------------------------------------------------------------------+
    >          > | Field            | Value                                                                        |
    >          > +------------------+------------------------------------------------------------------------------+
    >          > | checksum         | None                                                                         |
    >          > | container_format | bare                                                                         |
    >          > | created_at       | 2018-10-18T22:17:41Z                                                         |
    >          > | disk_format      | raw                                                                          |
    >          > | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
    >          > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
    >          > | min_disk         | 0                                                                            |
    >          > | min_ram          | 0                                                                            |
    >          > | name             | image1                                                                       |
    >          > | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
    >          > | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
    >          > | protected        | False                                                                        |
    >          > | schema           | /v2/schemas/image                                                            |
    >          > | size             | None                                                                         |
    >          > | status           | queued                                                                       |
    >          > | tags             |                                                                              |
    >          > | updated_at       | 2018-10-18T22:17:41Z                                                         |
    >          > | virtual_size     | None                                                                         |
    >          > | visibility       | private                                                                      |
    >          > +------------------+------------------------------------------------------------------------------+
    >          > $ openstack image list
    >          > +--------------------------------------+--------+--------+
    >          > | ID                                   | Name   | Status |
    >          > +--------------------------------------+--------+--------+
    >          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    >          > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
    >          > +--------------------------------------+--------+--------+
    >          > $ export OS_USERNAME=user2
    >          > $ export OS_PROJECT_NAME=project2
    >          > $ openstack image list
    >          > +--------------------------------------+--------+--------+
    >          > | ID                                   | Name   | Status |
    >          > +--------------------------------------+--------+--------+
    >          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    >          > +--------------------------------------+--------+--------+
    >          > $ export OS_USERNAME=admin
    >          > $ export OS_PROJECT_NAME=admin
    >          > $ export OS_PASSWORD=xxx
    >          > $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
    >          > $ export OS_USERNAME=user2
    >          > $ export OS_PROJECT_NAME=project2
    >          > $ export OS_PASSWORD=foo
    >          > $ openstack image list
    >          > +--------------------------------------+--------+--------+
    >          > | ID                                   | Name   | Status |
    >          > +--------------------------------------+--------+--------+
    >          > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
    >          > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
    >          > +--------------------------------------+--------+--------+
    >          > $
    >          >
    >          >
    >          > On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote:
    >          >> openstack user create --domain default --password xxxxxxxx --project-domain ndc --project test mike
    >          >>
    >          >> openstack role add --user mike --user-domain default --project test user
    >          >>
    >          >> my admin account is in the NDC domain with a different username.
    >          >>
    >          >> /etc/glance/policy.json
    >          >> {
    >          >>
    >          >> "context_is_admin":  "role:admin",
    >          >> "default": "role:admin",
    >          >>
    >          >> <snip>
    >          >>
    >          >> I'm not terribly familiar with the policies but I feel like that default line is making everyone an admin by default?
    >          >>
    >          >> Mike Moore, M.S.S.E.
    >          >>
    >          >> Systems Engineer, Goddard Private Cloud
    >          >> [hidden email]
    >          >>
    >          >> Hydrogen fusion brightens my day.
    >          >>
    >          >> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
    >          >>
    >          >> I suspect that your non-admin user is not really non-admin. How did you create it?
    >          >>
    >          >> What do you have for "context_is_admin" in glance's policy.json?
    >          >>
    >          >>  ~iain
    >          >>
    >          >> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote:
    >          >>> I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
    >          >>>
    >          >>> Mike Moore, M.S.S.E.
    >          >>>
    >          >>> Systems Engineer, Goddard Private Cloud
    >          >>> [hidden email]
    >          >>>
    >          >>> Hydrogen fusion brightens my day.
    >          >>>
    >          >>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]> wrote:
    >          >>>
    >          >>>    Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
    >          >>>
    >          >>>    In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
    >          >>>
    >          >>>    Mike Moore, M.S.S.E.
    >          >>>
    >          >>>    Systems Engineer, Goddard Private Cloud
    >          >>>    [hidden email]
    >          >>>
    >          >>>    Hydrogen fusion brightens my day.
    >          >>>
    >          >>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
    >          >>>
    >          >>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.] wrote:
    >          >>>        > I'm seeing unexpected behavior in our Queens environment related to Glance image visibility. Specifically users who, based on my understanding of the visibility and ownership fields, should NOT be able to see or view the image.
    >          >>>        >
    >          >>>        > If I create a new image with openstack image create and specify --project <tenant> and --private, a non-admin user in a different tenant can see and boot that image.
    >          >>>        >
    >          >>>        > That seems to be the opposite of what should happen. Any ideas?
    >          >>>
    >          >>>        Yep, something's not right there.
    >          >>>
    >          >>>        Are you sure that the user that can see the image doesn't have the admin role (for the project in its keystone token)?
    >          >>>
    >          >>>        Did you verify that the image's owner is what you intended, and that the visibility really is "private"?
    >          >>>
    >          >>>             ~iain
    >          >>>
    >          >>>        _______________________________________________
    >          >>>        OpenStack-operators mailing list
    >          >>>        [hidden email]
    >          >>>
    > https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
    >
    > ------------------------------
    >
    > Message: 14
    > Date: Fri, 19 Oct 2018 13:45:03 -0400
    > From: Jay Pipes <[hidden email]>
    > To: [hidden email]
    > Subject: Re: [Openstack-operators] Fleio - OpenStack billing - ver. 1.1 released
    > Message-ID: <[hidden email]>
    > Content-Type: text/plain; charset=utf-8; format=flowed
    >
    > Please do not use these mailing lists to advertise
    > closed-source/proprietary software solutions.
    >
    > Thank you,
    > -jay
    >
    > On 10/19/2018 05:42 AM, Adrian Andreias wrote:
    >> Hello,
    >>
    >> We've just released Fleio version 1.1.
    >>
    >> Fleio is a billing solution and control panel for OpenStack public
    >> clouds and traditional web hosters.
    >>
    >> Fleio software automates the entire process for cloud users. New
    >> customers can use Fleio to sign up for an account, pay invoices, add
    >> credit to their account, as well as create and manage cloud resources
    >> such as virtual machines, storage and networking.
    >>
    >> Full feature list:
    >> https://fleio.com#features 
    >>
    >> You can see an online demo:
    >> https://fleio.com/demo 
    >>
    >> And sign-up for a free trial:
    >> https://fleio.com/signup 
    >>
    >>
    >>
    >> Cheers!
    >>
    >> - Adrian Andreias
    >> https://fleio.com 
    >>
    >>
    >>
    >
    > ------------------------------
    >
    > Message: 15
    > Date: Fri, 19 Oct 2018 20:13:40 +0200
    > From: Mohammed Naser <[hidden email]>
    > To: [hidden email]
    > Cc: openstack-operators <[hidden email]>
    > Subject: Re: [Openstack-operators] Fleio - OpenStack billing - ver. 1.1 released
    > Message-ID: <[hidden email]>
    > Content-Type: text/plain; charset="UTF-8"
    >
    > On Fri, Oct 19, 2018 at 7:45 PM Jay Pipes <[hidden email]> wrote:
    >>
    >> Please do not use these mailing lists to advertise
    >> closed-source/proprietary software solutions.
    >
    > +1
    >
    >
    > --
    > Mohammed Naser — vexxhost
    > -----------------------------------------------------
    > D. 514-316-8872
    > D. 800-910-1726 ext. 200
    > E. [hidden email]
    > W. http://vexxhost.com 
    >
    >
    >
    > ------------------------------
    >
    > Message: 16
    > Date: Fri, 19 Oct 2018 14:39:29 -0400
    > From: Erik McCormick <[hidden email]>
    > To: openstack-operators <[hidden email]>
    > Subject: [Openstack-operators] [Octavia] SSL errors polling amphorae and missing tenant network interface
    > Message-ID: <CAHUi5cNByYFRr4vHY9iAEhAFc=[hidden email]>
    > Content-Type: text/plain; charset="UTF-8"
    >
    > I've been wrestling with getting Octavia up and running and have
    > become stuck on two issues. I'm hoping someone has run into these
    > before. My google foo has come up empty.
    >
    > Issue 1:
    > When the Octavia controller tries to poll the amphora instance, it
    > tries repeatedly and eventually fails. The error on the controller
    > side is:
    >
    > 2018-10-19 14:17:39.181 26 ERROR
    > octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection
    > retries (currently set to 300) exhausted.  The amphora is unavailable.
    > Reason: HTTPSConnectionPool(host='10.7.0.112', port=9443): Max retries
    > exceeded with url: /0.5/plug/vip/10.250.20.15 (Caused by
    > SSLError(SSLError("bad handshake: Error([('rsa routines',
    > 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
    > 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
    > routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
    > 'tls_process_server_certificate', 'certificate verify
    > failed')],)",),)): SSLError: HTTPSConnectionPool(host='10.7.0.112',
    > port=9443): Max retries exceeded with url: /0.5/plug/vip/10.250.20.15
    > (Caused by SSLError(SSLError("bad handshake: Error([('rsa routines',
    > 'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
    > 'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
    > routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
    > 'tls_process_server_certificate', 'certificate verify
    > failed')],)",),))
    >
    > On the amphora side I see:
    > [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Error processing SSL request.
    > [2018-10-19 17:52:54 +0000] [1331] [DEBUG] Invalid request from
    > ip=::ffff:10.7.0.40: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake
    > failure (_ssl.c:1754)
    >
    > I've generated certificates both with the script in the Octavia git
    > repo, and with the Openstack Ansible playbook. I can see that they are
    > present in /etc/octavia/certs.
    >
    > I'm using the Kolla (Queens) containers for the control plane so I'm
    > sure I've satisfied all the python library constraints.
    >
    > Issue 2:
    > I'm not sure how it gets configured, but the tenant network interface
    > (ens6) never comes up. I can spawn other instances on that network
    > with no issue, and I can see that Neutron has the port attached to the
    > instance. However, in the instance this is all I get:
    >
    > ubuntu@amphora-33e0aab3-8bc4-4fcb-bc42-b9b36afb16d4:~$ ip a
    > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    > group default qlen 1
    >      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    >      inet 127.0.0.1/8 scope host lo
    >         valid_lft forever preferred_lft forever
    >      inet6 ::1/128 scope host
    >         valid_lft forever preferred_lft forever
    > 2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast
    > state UP group default qlen 1000
    >      link/ether fa:16:3e:30:c4:60 brd ff:ff:ff:ff:ff:ff
    >      inet 10.7.0.112/16 brd 10.7.255.255 scope global ens3
    >         valid_lft forever preferred_lft forever
    >      inet6 fe80::f816:3eff:fe30:c460/64 scope link
    >         valid_lft forever preferred_lft forever
    > 3: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
    > default qlen 1000
    >      link/ether fa:16:3e:89:a2:7f brd ff:ff:ff:ff:ff:ff
    >
    > There's no evidence of the interface anywhere else including udev rules.
    >
    > Any help with either or both issues would be greatly appreciated.
    >
    > Cheers,
    > Erik
    >
    >
    >
    > ------------------------------
    >
    > Message: 17
    > Date: Sat, 20 Oct 2018 01:47:42 +0200
    > From: Gaël THEROND <[hidden email]>
    > To: Erik McCormick <[hidden email]>
    > Cc: openstack-operators <[hidden email]>
    > Subject: Re: [Openstack-operators] [Octavia] SSL errors polling amphorae and missing tenant network interface
    > Message-ID: <CAG+53ua-Hcjjq=[hidden email]>
    > Content-Type: text/plain; charset="utf-8"
    >
    > Hi Erik!
    >
    > Glad I'm not the only one having this issue with the SSL communication
    > between the amphora and the CP.
    >
    > Even if I don't yet have a clear answer regarding that issue, I think your
    > second issue is not an issue, as the interface is mounted in a namespace and
    > so you'll need to list all NICs, even those from the namespace.
    >
    > Use an ip netns ls to get the namespace.
    >
    > Hope it will help.
    >
    >
    > ------------------------------
    >
    > End of OpenStack-operators Digest, Vol 96, Issue 7
    > **************************************************
    >

Re: Glance Image Visibility Issue? - Non admin users can see private images from other tenants

Jonathan Mills
In reply to this post by iain MacDonnell-2
Iain et al,

Appreciate your feedback.  I work with Michael D. Moore on the same cluster, and I'm looking at the is_admin_project thing you pointed out.  What I found was that is_project_admin appeared to be True for every single keystone request I found regardless of user.  There were no explicit settings in keystone.conf relating to admin_project_name or admin_project_domain_name.  In the debug logs, Keystone was setting those values to 'None'.  I went ahead and added the following into keystone.conf:

[resource]
admin_project_name = admin
admin_project_domain_name = Default

Subsequently, I think we are now seeing a different behavior with regard to 'is_admin_project' in keystone requests.  For example, here it is with the admin user of the Default domain:

[root@vm013 ~]# openstack --debug image list 2>&1|grep 'is_admin_project'
{"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "122576ec3bee490aaec8ff664a9446b4", "name": "admin"}], "is_admin_project": true, "project": {"domain": {"id": "default", "name": "Default"}, "id": "ac5b283406ff429291b4b4e958adca3f", "name": "admin"},

And here it is again as the non-admin user 'jonathan' in the Default domain:

[root@vm013 ~]# . keystonerc_jonathan
[root@vm013 ~]# openstack --debug image list 2>&1|grep 'is_admin_project'
{"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "edc711368e72409ba25c6342ae9c0f80", "name": "user"}], "is_admin_project": false, "project": {"domain": {"id": "d473b9495e13484ab391d6b5799ab0e2", "name": "ndc"}, "id": "b472baecebb24f2f95c7b0c97b34e5c4", "name": "ozoneaq"},


Okay, so that looks good I guess.  It is different from before, where is_admin_project was True for both cases.  However, this does not seem to have fixed the problem in any way.  So I'm thinking that the is_admin_project part might be a red herring.

Non-admin user jonathan @ Default can still see all glance images, even ones marked private and owned by other tenants.  Not knowing where else to go with this, I have opened a bug against Glance:  https://bugs.launchpad.net/glance/+bug/1799588

Jonathan
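Three checks run through this thread: whether the user's token really is non-admin (its roles and is_admin_project), what the "default": "role:admin" line in policy.json actually does, and which images a given project should be able to list. The following is an added illustration of those rules in Python; it is my own code, not Glance's or Keystone's. The rule subset it evaluates, the helper names, the simplified visibility model (public, shared with members, private) and the sample token and image records with placeholder ids are all assumptions, not something taken from the thread.

```python
"""Hypothetical helpers (added illustration, not Glance's or Keystone's code).

They model the three checks the thread turns on:
  1. which images a request context should see (Glance v2 visibility, simplified),
  2. how oslo.policy-style rules such as "default": "role:admin" are evaluated,
  3. reading roles and is_admin_project from the token dict that
     'openstack --debug token issue' prints.
"""
import json
import re


# ---- 1. simplified Glance v2 visibility model (assumption, not Glance code) ----
def image_visible_to(image, ctx):
    """True if the request context may see the image.

    image: {"name", "owner", "visibility", "members"}
    ctx:   {"project_id", "roles", "is_admin"}
    """
    if ctx["is_admin"]:
        return True                     # an admin context bypasses ownership
    vis = image["visibility"]
    if vis == "public":
        return True
    if image["owner"] == ctx["project_id"]:
        return True                     # the owning project always sees its image
    if vis == "shared" and ctx["project_id"] in image.get("members", ()):
        return True
    return False                        # private (or unshared) image of another project


def list_images(images, ctx):
    return [img["name"] for img in images if image_visible_to(img, ctx)]


# ---- 2. tiny evaluator for a subset of policy.json rule syntax ----
_ROLE = re.compile(r"^role:(\S+)$")


def _eval(policy, rule, ctx):
    rule = rule.strip()
    if rule in ("", "@"):               # empty rule / "@": always allowed
        return True
    if rule == "!":
        return False
    if " or " in rule:                  # split on 'or' first: 'and' binds tighter
        return any(_eval(policy, p, ctx) for p in rule.split(" or "))
    if " and " in rule:
        return all(_eval(policy, p, ctx) for p in rule.split(" and "))
    m = _ROLE.match(rule)
    if m:                               # role names compare case-insensitively
        return m.group(1).lower() in {r.lower() for r in ctx["roles"]}
    if rule.startswith("rule:"):
        return _eval(policy, policy[rule[len("rule:"):]], ctx)
    raise ValueError("unsupported rule: %r" % rule)


def policy_allows(policy, action, ctx):
    """An action with no entry of its own falls back to the 'default' rule, so
    "default": "role:admin" means 'admin required unless listed', not
    'everyone is admin'."""
    return _eval(policy, policy.get(action, policy.get("default", "")), ctx)


# ---- 3. request context from a Keystone token dict ----
def context_from_token(policy, token_json):
    """Build a context from the JSON body 'openstack --debug token issue' shows.
    is_admin is decided by the policy's context_is_admin rule (as Glance does)."""
    tok = json.loads(token_json)["token"]
    ctx = {"project_id": tok["project"]["id"],
           "roles": [r["name"] for r in tok.get("roles", [])],
           "is_admin_project": bool(tok.get("is_admin_project", False))}
    ctx["is_admin"] = _eval(policy, policy["context_is_admin"], ctx)
    return ctx


# Constructed sample data; ids are placeholders, not values from any real cloud.
POLICY = {"context_is_admin": "role:admin", "default": "role:admin",  # the two lines quoted in the thread
          "get_images": "", "get_image": ""}                          # explicit read rules for comparison
ADMIN_TOKEN = json.dumps({"token": {"roles": [{"name": "admin"}], "is_admin_project": True,
                                    "project": {"id": "proj-admin"}}})
USER2_TOKEN = json.dumps({"token": {"roles": [{"name": "user"}], "is_admin_project": False,
                                    "project": {"id": "proj-2"}}})
IMAGES = [{"name": "cirros", "owner": "proj-admin", "visibility": "public"},
          {"name": "image1", "owner": "proj-1", "visibility": "private"}]


def demo():
    """Replays iain's reproduction: admin sees both images, project2's user only cirros."""
    out = {}
    for label, token in (("admin", ADMIN_TOKEN), ("user2", USER2_TOKEN)):
        ctx = context_from_token(POLICY, token)
        out[label] = {"is_admin": ctx["is_admin"],
                      "is_admin_project": ctx["is_admin_project"],
                      "sees": list_images(IMAGES, ctx),
                      "get_images": policy_allows(POLICY, "get_images", ctx),
                      "unlisted_action": policy_allows(POLICY, "delete_image", ctx)}
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as is, the project-2 user lists only the public image; change the sample token's role from "user" to "admin" (in any letter case) and the same project lists the private image too, which is the symptom iain's "not really non-admin" question is aimed at. The evaluator also makes iain's reading of the policy concrete: an action that has no entry in policy.json inherits the "default" rule, so "default": "role:admin" denies non-admins rather than promoting everyone to admin.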



On Tue, Oct 23, 2018 at 7:46 PM iain MacDonnell <[hidden email]> wrote:

It (still) seems like there's something funky about admin/non-admin in
your case.

You could try "openstack --debug token issue" (in the admin and
non-admin cases), and examine the token dict that gets output. Look for
the "roles" list and "is_admin_project".

     ~iain



On 10/23/2018 03:21 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
INTEGRA, INC.] wrote:
> We have submitted a bug for this
>
> https://bugs.launchpad.net/glance/+bug/1799588
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__bugs.launchpad.net_glance_-2Bbug_1799588&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=Mn2Mcb1CalyYcrdw2IZaS_mFLxT867ZjLCtchHttbP0&e=>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
>
> [hidden email] <mailto:[hidden email]>
>
> **
>
> Hydrogen fusion brightens my day.
>
> *From: *"Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
> <[hidden email]>
> *Date: *Saturday, October 20, 2018 at 7:22 PM
> *To: *Logan Hicks <[hidden email]>,
> "[hidden email]"
> <[hidden email]>
> *Subject: *Re: [Openstack-operators] OpenStack-operators Digest, Vol 96,
> Issue 7
>
> The images exist and are bootable. I'm going to trace through the actual
> code for glance API. Any suggestions on where the show/hide logic is
> when it filters responses? I'm new to digging through OpenStack code.
>
> ------------------------------------------------------------------------
>
> *From:*Logan Hicks [[hidden email]]
> *Sent:* Friday, October 19, 2018 8:00 PM
> *To:* [hidden email]
> *Subject:* Re: [Openstack-operators] OpenStack-operators Digest, Vol 96,
> Issue 7
>
> Re: Glance Image Visibility Issue? - Non  admin users can see
>        private images from other tenants (Chris Apsey)
>
> I noticed that the image says queued. If I'm not mistaken, an image can't
> have permissions applied until after the image is created, which might
> explain the issue he's seeing.
>
> The object doesn't exist until it's made by openstack.
>
> I'd check to see if something is holding up images being made. I'd start
> with glance.
>
> Respectfully,
>
> Logan Hicks
>
> -------- Original message --------
>
> From: [hidden email]
>
> Date: 10/19/18 7:49 PM (GMT-05:00)
>
> To: [hidden email]
>
> Subject: OpenStack-operators Digest, Vol 96, Issue 7
>
> Send OpenStack-operators mailing list submissions to
>          [hidden email]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=>
>
> or, via email, send a message with subject or body 'help' to
>          [hidden email]
>
> You can reach the person managing the list at
>          [hidden email]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OpenStack-operators digest..."
>
>
> Today's Topics:
>
>     1. [nova] Removing the CachingScheduler (Matt Riedemann)
>     2. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants
>        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
>     3. Re: Glance Image Visibility Issue? - Non  admin users can see
>        private images from other tenants (Chris Apsey)
>     4. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants (iain MacDonnell)
>     5. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants
>        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
>     6. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants (iain MacDonnell)
>     7. Re: Glance Image Visibility Issue? - Non  admin users can see
>        private images from other tenants (Chris Apsey)
>     8. osops-tools-monitoring Dependency problems (Tomáš Vondra)
>     9. [heat][cinder] How to create stack snapshot       including volumes
>        (Christian Zunker)
>    10. Fleio - OpenStack billing - ver. 1.1 released (Adrian Andreias)
>    11. Re: [Openstack-sigs] [all] Naming the T   release of OpenStack
>        (Tony Breeds)
>    12. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants
>        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
>    13. Re: Glance Image Visibility Issue? - Non admin users can see
>        private images from other tenants
>        (Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.])
>    14. Re: Fleio - OpenStack billing - ver. 1.1 released (Jay Pipes)
>    15. Re: Fleio - OpenStack billing - ver. 1.1  released (Mohammed Naser)
>    16. [Octavia] SSL errors polling amphorae and missing tenant
>        network interface (Erik McCormick)
>    17. Re: [Octavia] SSL errors polling amphorae and missing tenant
>        network interface (Gaël THEROND)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 18 Oct 2018 17:07:00 -0500
> From: Matt Riedemann <[hidden email]>
> To: "[hidden email]"
>          <[hidden email]>
> Subject: [Openstack-operators] [nova] Removing the CachingScheduler
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> It's been deprecated since Pike, and the time has come to remove it [1].
>
> mgagne has been the most vocal CachingScheduler operator I know and he
> has tested out the "nova-manage placement heal_allocations" CLI, added
> in Rocky, and said it will work for migrating his deployment from the
> CachingScheduler to the FilterScheduler + Placement.
>
> If you are using the CachingScheduler and have a problem with its
> removal, now is the time to speak up or forever hold your peace.
>
> [1] https://review.openstack.org/#/c/611723/1
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__review.openstack.org_-23_c_611723_1&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=CcuJbm96l8_bk_DdPB0xbW_A31hIN4eTR0nqDeQk4kM&e=>
>
> --
>
> Thanks,
>
> Matt
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 18 Oct 2018 22:11:40 +0000
> From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>
> To: iain MacDonnell <[hidden email]>,
>          "[hidden email]"
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> I have replicated this unexpected behavior in a Pike test environment,
> in addition to our Queens environment.
>
>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> [hidden email]
>
> Hydrogen fusion brightens my day.
>
>
> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.]" <[hidden email]> wrote:
>
>      Yes. I verified it by creating a non-admin user in a different
> tenant. I created a new image, set to private with the project defined
> as our admin tenant.
>
>      In the database I can see that the image is 'private' and the owner
> is the ID of the admin tenant.
>
>      Mike Moore, M.S.S.E.
>
>      Systems Engineer, Goddard Private Cloud
>      [hidden email]
>
>      Hydrogen fusion brightens my day.
>
>
>      On 10/18/18, 1:07 AM, "iain MacDonnell"
> <[hidden email]> wrote:
>
>
>
>          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>          INTEGRA, INC.] wrote:
>          > I’m seeing unexpected behavior in our Queens environment
> related to
>          > Glance image visibility. Specifically users who, based on my
>          > understanding of the visibility and ownership fields, should
> NOT be able
>          > to see or view the image.
>          >
>          > If I create a new image with openstack image create and
> specify –project
>          > <tenant> and –private a non-admin user in a different tenant
> can see and
>          > boot that image.
>          >
>          > That seems to be the opposite of what should happen. Any ideas?
>
>          Yep, something's not right there.
>
>          Are you sure that the user that can see the image doesn't have
> the admin
>          role (for the project in its keystone token) ?
>
>          Did you verify that the image's owner is what you intended, and
> that the
>          visibility really is "private" ?
>
>               ~iain
>
>          _______________________________________________
>          OpenStack-operators mailing list
>          [hidden email]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=>
>
>
>      _______________________________________________
>      OpenStack-operators mailing list
>      [hidden email]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 18 Oct 2018 18:23:35 -0400
> From: Chris Apsey <[hidden email]>
> To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>, iain MacDonnell
>          <[hidden email]>,
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non     admin users can see private images from other tenants
> Message-ID:
>          <[hidden email]>
> Content-Type: text/plain; format=flowed; charset="UTF-8"
>
> Do you have a liberal/custom policy.json that perhaps is causing unexpected
> behavior?  Can't seem to reproduce this.
>
> On October 18, 2018 18:13:22 "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.]" <[hidden email]> wrote:
>
>> I have replicated this unexpected behavior in a Pike test environment, in
>> addition to our Queens environment.
>>
>>
>>
>> Mike Moore, M.S.S.E.
>>
>> Systems Engineer, Goddard Private Cloud
>> [hidden email]
>>
>> Hydrogen fusion brightens my day.
>>
>>
>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
>> INC.]" <[hidden email]> wrote:
>>
>>    Yes. I verified it by creating a non-admin user in a different tenant. I
>>    created a new image, set to private with the project defined as our admin
>>    tenant.
>>
>>    In the database I can see that the image is 'private' and the owner is the
>>    ID of the admin tenant.
>>
>>    Mike Moore, M.S.S.E.
>>
>>    Systems Engineer, Goddard Private Cloud
>>    [hidden email]
>>
>>    Hydrogen fusion brightens my day.
>>
>>
>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
>>
>>
>>
>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>        INTEGRA, INC.] wrote:
>>> I’m seeing unexpected behavior in our Queens environment related to
>>> Glance image visibility. Specifically users who, based on my
>>> understanding of the visibility and ownership fields, should NOT be able
>>> to see or view the image.
>>>
>>> If I create a new image with openstack image create and specify –project
>>> <tenant> and –private a non-admin user in a different tenant can see and
>>> boot that image.
>>>
>>> That seems to be the opposite of what should happen. Any ideas?
>>
>>        Yep, something's not right there.
>>
>>        Are you sure that the user that can see the image doesn't have the admin
>>        role (for the project in its keystone token) ?
>>
>>        Did you verify that the image's owner is what you intended, and that the
>>        visibility really is "private" ?
>>
>>             ~iain
>>
>>        _______________________________________________
>>        OpenStack-operators mailing list
>>        [hidden email]
>>        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=>
>>
>>
>>    _______________________________________________
>>    OpenStack-operators mailing list
>>    [hidden email]
>>    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=>
>>
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> [hidden email]
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=UMCq1q-ElsVP72_5lCFTGnKxGwn4zkNordf47XiWPYg&s=sAUSoIWeLJ2p07R9PICTtT_OkUTfjNKOngMa8nQunvM&e=>
>
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 18 Oct 2018 15:25:22 -0700
> From: iain MacDonnell <[hidden email]>
> To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>,
> "[hidden email]"
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
>
> I suspect that your non-admin user is not really non-admin. How did you
> create it?
>
> What you have for "context_is_admin" in glance's policy.json ?
>
>       ~iain
>
>
> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.] wrote:
>> I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
>>
>>
>>
>> Mike Moore, M.S.S.E.
>>   
>> Systems Engineer, Goddard Private Cloud
>> [hidden email]
>>   
>> Hydrogen fusion brightens my day.
>>   
>>
>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]> wrote:
>>
>>      Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
>>     
>>      In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
>>     
>>      Mike Moore, M.S.S.E.
>>       
>>      Systems Engineer, Goddard Private Cloud
>>      [hidden email]
>>       
>>      Hydrogen fusion brightens my day.
>>       
>>     
>>      On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
>>     
>>         
>>         
>>          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>          INTEGRA, INC.] wrote:
>>          > I’m seeing unexpected behavior in our Queens environment related to
>>          > Glance image visibility. Specifically users who, based on my
>>          > understanding of the visibility and ownership fields, should NOT be able
>>          > to see or view the image.
>>          >
>>          > If I create a new image with openstack image create and specify –project
>>          > <tenant> and –private a non-admin user in a different tenant can see and
>>          > boot that image.
>>          >
>>          > That seems to be the opposite of what should happen. Any ideas?
>>         
>>          Yep, something's not right there.
>>         
>>          Are you sure that the user that can see the image doesn't have the admin
>>          role (for the project in its keystone token) ?
>>         
>>          Did you verify that the image's owner is what you intended, and that the
>>          visibility really is "private" ?
>>         
>>               ~iain
>>         
>>          _______________________________________________
>>          OpenStack-operators mailing list
>>          [hidden email]
>>          https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
>>         
>>     
>>      _______________________________________________
>>      OpenStack-operators mailing list
>>      [hidden email]
>>      https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
>>     
>>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 18 Oct 2018 22:32:42 +0000
> From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>
> To: iain MacDonnell <[hidden email]>,
>          "[hidden email]"
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> openstack user create --domain default --password xxxxxxxx
> --project-domain ndc --project test mike
>
>
> openstack role add --user mike --user-domain default --project test user
>
> my admin account is in the NDC domain with a different username.
>
>
>
> /etc/glance/policy.json
> {
>
> "context_is_admin":  "role:admin",
> "default": "role:admin",
>
> <snip>
>
>
> I'm not terribly familiar with the policies but I feel like that default
> line is making everyone an admin by default?
>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> [hidden email]
>
> Hydrogen fusion brightens my day.
>
>
> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
>
>
>      I suspect that your non-admin user is not really non-admin. How did
> you
>      create it?
>
>      What you have for "context_is_admin" in glance's policy.json ?
>
>           ~iain
>
>
>      On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      INTEGRA, INC.] wrote:
>      > I have replicated this unexpected behavior in a Pike test
> environment, in addition to our Queens environment.
>      >
>      >
>      >
>      > Mike Moore, M.S.S.E.
>      >
>      > Systems Engineer, Goddard Private Cloud
>      > [hidden email]
>      >
>      > Hydrogen fusion brightens my day.
>      >
>      >
>      > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.]" <[hidden email]> wrote:
>      >
>      >      Yes. I verified it by creating a non-admin user in a
> different tenant. I created a new image, set to private with the project
> defined as our admin tenant.
>      >
>      >      In the database I can see that the image is 'private' and
> the owner is the ID of the admin tenant.
>      >
>      >      Mike Moore, M.S.S.E.
>      >
>      >      Systems Engineer, Goddard Private Cloud
>      >      [hidden email]
>      >
>      >      Hydrogen fusion brightens my day.
>      >
>      >
>      >      On 10/18/18, 1:07 AM, "iain MacDonnell"
> <[hidden email]> wrote:
>      >
>      >
>      >
>      >          On 10/17/2018 12:29 PM, Moore, Michael Dane
> (GSFC-720.0)[BUSINESS
>      >          INTEGRA, INC.] wrote:
>      >          > I’m seeing unexpected behavior in our Queens
> environment related to
>      >          > Glance image visibility. Specifically users who, based
> on my
>      >          > understanding of the visibility and ownership fields,
> should NOT be able
>      >          > to see or view the image.
>      >          >
>      >          > If I create a new image with openstack image create
> and specify –project
>      >          > <tenant> and –private a non-admin user in a different
> tenant can see and
>      >          > boot that image.
>      >          >
>      >          > That seems to be the opposite of what should happen.
> Any ideas?
>      >
>      >          Yep, something's not right there.
>      >
>      >          Are you sure that the user that can see the image
> doesn't have the admin
>      >          role (for the project in its keystone token) ?
>      >
>      >          Did you verify that the image's owner is what you
> intended, and that the
>      >          visibility really is "private" ?
>      >
>      >               ~iain
>      >
>      >          _______________________________________________
>      >          OpenStack-operators mailing list
>      >          [hidden email]
>      >
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
>      >
>      >
>      >      _______________________________________________
>      >      OpenStack-operators mailing list
>      >      [hidden email]
>      >
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openstack.org_cgi-2Dbin_mailman_listinfo_openstack-2Doperators&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=RxYkIjeLZPK2frXV_wEUCq8d3wvUIvDPimUcunMwbMs&m=B-M8uELxrmQ5uIYT792YA5rpb5NLAecRQPH_ITY1R5k&s=1KSr8HB8BJJB4-nGHyuZDcQUdssno-bBdbNqswMm6oE&e=
>      >
>      >
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 18 Oct 2018 15:48:27 -0700
> From: iain MacDonnell <[hidden email]>
> To: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>,
> "[hidden email]"
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
>
> That all looks fine.
>
> I believe that the "default" policy applies in place of any that's not
> explicitly specified - i.e. "if there's no matching policy below, you
> need to have the admin role to be able to do it". I do have that line in
> my policy.json, and I cannot reproduce your problem (see below).
>
> I'm not using domains (other than "default"). I wonder if that's a factor...
>
>       ~iain
>
>
> $ openstack user create --password foo user1
> +---------------------+----------------------------------+
> | Field               | Value                            |
> +---------------------+----------------------------------+
> | domain_id           | default                          |
> | enabled             | True                             |
> | id                  | d18c0031ec56430499a2d690cb1f125c |
> | name                | user1                            |
> | options             | {}                               |
> | password_expires_at | None                             |
> +---------------------+----------------------------------+
> $ openstack user create --password foo user2
> +---------------------+----------------------------------+
> | Field               | Value                            |
> +---------------------+----------------------------------+
> | domain_id           | default                          |
> | enabled             | True                             |
> | id                  | be9f1061a5104abd834eabe98dff055d |
> | name                | user2                            |
> | options             | {}                               |
> | password_expires_at | None                             |
> +---------------------+----------------------------------+
> $ openstack project create project1
> +-------------+----------------------------------+
> | Field       | Value                            |
> +-------------+----------------------------------+
> | description |                                  |
> | domain_id   | default                          |
> | enabled     | True                             |
> | id          | 826876d6d3724018bae6253c7f540cb3 |
> | is_domain   | False                            |
> | name        | project1                         |
> | parent_id   | default                          |
> | tags        | []                               |
> +-------------+----------------------------------+
> $ openstack project create project2
> +-------------+----------------------------------+
> | Field       | Value                            |
> +-------------+----------------------------------+
> | description |                                  |
> | domain_id   | default                          |
> | enabled     | True                             |
> | id          | b446b93ac6e24d538c1943acbdd13cb2 |
> | is_domain   | False                            |
> | name        | project2                         |
> | parent_id   | default                          |
> | tags        | []                               |
> +-------------+----------------------------------+
> $ openstack role add --user user1 --project project1 _member_
> $ openstack role add --user user2 --project project2 _member_
> $ export OS_PASSWORD=foo
> $ export OS_USERNAME=user1
> $ export OS_PROJECT_NAME=project1
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> +--------------------------------------+--------+--------+
> $ openstack image create --private image1
> +------------------+------------------------------------------------------------------------------+
> | Field            | Value                                                                        |
> +------------------+------------------------------------------------------------------------------+
> | checksum         | None                                                                         |
> | container_format | bare                                                                         |
> | created_at       | 2018-10-18T22:17:41Z                                                         |
> | disk_format      | raw                                                                          |
> | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
> | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
> | min_disk         | 0                                                                            |
> | min_ram          | 0                                                                            |
> | name             | image1                                                                       |
> | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
> | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
> | protected        | False                                                                        |
> | schema           | /v2/schemas/image                                                            |
> | size             | None                                                                         |
> | status           | queued                                                                       |
> | tags             |                                                                              |
> | updated_at       | 2018-10-18T22:17:41Z                                                         |
> | virtual_size     | None                                                                         |
> | visibility       | private                                                                      |
> +------------------+------------------------------------------------------------------------------+
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> +--------------------------------------+--------+--------+
> $ export OS_USERNAME=user2
> $ export OS_PROJECT_NAME=project2
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> +--------------------------------------+--------+--------+
> $ export OS_USERNAME=admin
> $ export OS_PROJECT_NAME=admin
> $ export OS_PASSWORD=xxx
> $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
> $ export OS_USERNAME=user2
> $ export OS_PROJECT_NAME=project2
> $ export OS_PASSWORD=foo
> $ openstack image list
> +--------------------------------------+--------+--------+
> | ID                                   | Name   | Status |
> +--------------------------------------+--------+--------+
> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
> +--------------------------------------+--------+--------+
> $
>
>
> On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.] wrote:
>> openstack user create --domain default --password xxxxxxxx --project-domain ndc --project test mike
>>
>>
>> openstack role add --user mike --user-domain default --project test user
>>
>> my admin account is in the NDC domain with a different username.
>>
>>
>>
>> /etc/glance/policy.json
>> {
>>
>> "context_is_admin":  "role:admin",
>> "default": "role:admin",
>>
>> <snip>
>>
>>
>> I'm not terribly familiar with the policies but I feel like that default line is making everyone an admin by default?
>>
>>
>> Mike Moore, M.S.S.E.
>>   
>> Systems Engineer, Goddard Private Cloud
>> [hidden email]
>>   
>> Hydrogen fusion brightens my day.
>>   
>>
>> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
>>
>>     
>>      I suspect that your non-admin user is not really non-admin. How did you
>>      create it?
>>     
>>      What you have for "context_is_admin" in glance's policy.json ?
>>     
>>           ~iain
>>     
>>     
>>      On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>      INTEGRA, INC.] wrote:
>>      > I have replicated this unexpected behavior in a Pike test environment, in addition to our Queens environment.
>>      >
>>      >
>>      >
>>      > Mike Moore, M.S.S.E.
>>      >
>>      > Systems Engineer, Goddard Private Cloud
>>      > [hidden email]
>>      >
>>      > Hydrogen fusion brightens my day.
>>      >
>>      >
>>      > On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]> wrote:
>>      >
>>      >      Yes. I verified it by creating a non-admin user in a different tenant. I created a new image, set to private with the project defined as our admin tenant.
>>      >
>>      >      In the database I can see that the image is 'private' and the owner is the ID of the admin tenant.
>>      >
>>      >      Mike Moore, M.S.S.E.
>>      >
>>      >      Systems Engineer, Goddard Private Cloud
>>      >      [hidden email]
>>      >
>>      >      Hydrogen fusion brightens my day.
>>      >
>>      >
>>      >      On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
>>      >
>>      >
>>      >
>>      >          On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>      >          INTEGRA, INC.] wrote:
>>      >          > I’m seeing unexpected behavior in our Queens environment related to
>>      >          > Glance image visibility. Specifically users who, based on my
>>      >          > understanding of the visibility and ownership fields, should NOT be able
>>      >          > to see or view the image.
>>      >          >
>>      >          > If I create a new image with openstack image create and specify –project
>>      >          > <tenant> and –private a non-admin user in a different tenant can see and
>>      >          > boot that image.
>>      >          >
>>      >          > That seems to be the opposite of what should happen. Any ideas?
>>      >
>>      >          Yep, something's not right there.
>>      >
>>      >          Are you sure that the user that can see the image doesn't have the admin
>>      >          role (for the project in its keystone token) ?
>>      >
>>      >          Did you verify that the image's owner is what you intended, and that the
>>      >          visibility really is "private" ?
>>      >
>>      >               ~iain
>>      >
>>      >          _______________________________________________
>>      >          OpenStack-operators mailing list
>>      >          [hidden email]
>>      >          http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>      >
>>      >
>>      >      _______________________________________________
>>      >      OpenStack-operators mailing list
>>      >      [hidden email]
>>      >      http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>      >
>>      >
>>     
>>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 18 Oct 2018 19:23:42 -0400
> From: Chris Apsey <[hidden email]>
> To: iain MacDonnell <[hidden email]>, "Moore, Michael Dane
>          (GSFC-720.0)[BUSINESS INTEGRA, INC.]" <[hidden email]>,
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID:
>          <[hidden email]>
> Content-Type: text/plain; format=flowed; charset="UTF-8"
>
> We are using multiple keystone domains - still can't reproduce this.
>
> Do you happen to have a customized keystone policy.json?
>
> Worst case, I would launch a devstack of your targeted release.  If you
> can't reproduce the issue there, you would at least know it's caused by a
> nonstandard config rather than a bug (or at least not a bug that's present
> when using a default config)
>
> On October 18, 2018 18:50:12 iain MacDonnell <[hidden email]>
> wrote:
>
>> That all looks fine.
>>
>> I believe that the "default" policy applies in place of any that's not
>> explicitly specified - i.e. "if there's no matching policy below, you
>> need to have the admin role to be able to do it". I do have that line in
>> my policy.json, and I cannot reproduce your problem (see below).
>>
>> I'm not using domains (other than "default"). I wonder if that's a factor...
>>
>>     ~iain
>>
>>
>> $ openstack user create --password foo user1
>> +---------------------+----------------------------------+
>> | Field               | Value                            |
>> +---------------------+----------------------------------+
>> | domain_id           | default                          |
>> | enabled             | True                             |
>> | id                  | d18c0031ec56430499a2d690cb1f125c |
>> | name                | user1                            |
>> | options             | {}                               |
>> | password_expires_at | None                             |
>> +---------------------+----------------------------------+
>> $ openstack user create --password foo user2
>> +---------------------+----------------------------------+
>> | Field               | Value                            |
>> +---------------------+----------------------------------+
>> | domain_id           | default                          |
>> | enabled             | True                             |
>> | id                  | be9f1061a5104abd834eabe98dff055d |
>> | name                | user2                            |
>> | options             | {}                               |
>> | password_expires_at | None                             |
>> +---------------------+----------------------------------+
>> $ openstack project create project1
>> +-------------+----------------------------------+
>> | Field       | Value                            |
>> +-------------+----------------------------------+
>> | description |                                  |
>> | domain_id   | default                          |
>> | enabled     | True                             |
>> | id          | 826876d6d3724018bae6253c7f540cb3 |
>> | is_domain   | False                            |
>> | name        | project1                         |
>> | parent_id   | default                          |
>> | tags        | []                               |
>> +-------------+----------------------------------+
>> $ openstack project create project2
>> +-------------+----------------------------------+
>> | Field       | Value                            |
>> +-------------+----------------------------------+
>> | description |                                  |
>> | domain_id   | default                          |
>> | enabled     | True                             |
>> | id          | b446b93ac6e24d538c1943acbdd13cb2 |
>> | is_domain   | False                            |
>> | name        | project2                         |
>> | parent_id   | default                          |
>> | tags        | []                               |
>> +-------------+----------------------------------+
>> $ openstack role add --user user1 --project project1 _member_
>> $ openstack role add --user user2 --project project2 _member_
>> $ export OS_PASSWORD=foo
>> $ export OS_USERNAME=user1
>> $ export OS_PROJECT_NAME=project1
>> $ openstack image list
>> +--------------------------------------+--------+--------+
>> | ID                                   | Name   | Status |
>> +--------------------------------------+--------+--------+
>> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>> +--------------------------------------+--------+--------+
>> $ openstack image create --private image1
>> +------------------+------------------------------------------------------------------------------+
>> | Field            | Value
>>                          |
>> +------------------+------------------------------------------------------------------------------+
>> | checksum         | None
>>                          |
>> | container_format | bare
>>                          |
>> | created_at       | 2018-10-18T22:17:41Z
>>                          |
>> | disk_format      | raw
>>                          |
>> | file             |
>> /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file
>>     |
>> | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4
>>                          |
>> | min_disk         | 0
>>                          |
>> | min_ram          | 0
>>                          |
>> | name             | image1
>>                          |
>> | owner            | 826876d6d3724018bae6253c7f540cb3
>>                          |
>> | properties       | locations='[]', os_hash_algo='None',
>> os_hash_value='None', os_hidden='False' |
>> | protected        | False
>>                          |
>> | schema           | /v2/schemas/image
>>                          |
>> | size             | None
>>                          |
>> | status           | queued
>>                          |
>> | tags             |
>>                          |
>> | updated_at       | 2018-10-18T22:17:41Z
>>                          |
>> | virtual_size     | None
>>                          |
>> | visibility       | private
>>                          |
>> +------------------+------------------------------------------------------------------------------+
>> $ openstack image list
>> +--------------------------------------+--------+--------+
>> | ID                                   | Name   | Status |
>> +--------------------------------------+--------+--------+
>> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>> +--------------------------------------+--------+--------+
>> $ export OS_USERNAME=user2
>> $ export OS_PROJECT_NAME=project2
>> $ openstack image list
>> +--------------------------------------+--------+--------+
>> | ID                                   | Name   | Status |
>> +--------------------------------------+--------+--------+
>> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>> +--------------------------------------+--------+--------+
>> $ export OS_USERNAME=admin
>> $ export OS_PROJECT_NAME=admin
>> $ export OS_PASSWORD=xxx
>> $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
>> $ export OS_USERNAME=user2
>> $ export OS_PROJECT_NAME=project2
>> $ export OS_PASSWORD=foo
>> $ openstack image list
>> +--------------------------------------+--------+--------+
>> | ID                                   | Name   | Status |
>> +--------------------------------------+--------+--------+
>> | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>> | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>> +--------------------------------------+--------+--------+
>> $
>>
>>
>> On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>> INTEGRA, INC.] wrote:
>>> openstack user create --domain default --password xxxxxxxx --project-domain
>>> ndc --project test mike
>>>
>>>
>>> openstack role add --user mike --user-domain default --project test user
>>>
>>> my admin account is in the NDC domain with a different username.
>>>
>>>
>>>
>>> /etc/glance/policy.json
>>> {
>>>
>>> "context_is_admin":  "role:admin",
>>> "default": "role:admin",
>>>
>>> <snip>
>>>
>>>
>>> I'm not terribly familiar with the policies but I feel like that default
>>> line is making everyone an admin by default?
>>>
>>>
>>> Mike Moore, M.S.S.E.
>>>
>>> Systems Engineer, Goddard Private Cloud
>>> [hidden email]
>>>
>>> Hydrogen fusion brightens my day.
>>>
>>>
>>> On 10/18/18, 6:25 PM, "iain MacDonnell" <[hidden email]> wrote:
>>>
>>>
>>> I suspect that your non-admin user is not really non-admin. How did you
>>> create it?
>>>
>>> What you have for "context_is_admin" in glance's policy.json ?
>>>
>>>  ~iain
>>>
>>>
>>> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>> INTEGRA, INC.] wrote:
>>>> I have replicated this unexpected behavior in a Pike test environment, in
>>>> addition to our Queens environment.
>>>>
>>>>
>>>>
>>>> Mike Moore, M.S.S.E.
>>>>
>>>> Systems Engineer, Goddard Private Cloud
>>>> [hidden email]
>>>>
>>>> Hydrogen fusion brightens my day.
>>>>
>>>>
>>>> On 10/18/18, 2:30 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA,
>>>> INC.]" <[hidden email]> wrote:
>>>>
>>>>    Yes. I verified it by creating a non-admin user in a different tenant. I
>>>>    created a new image, set to private with the project defined as our admin
>>>>    tenant.
>>>>
>>>>    In the database I can see that the image is 'private' and the owner is the
>>>>    ID of the admin tenant.
>>>>
>>>>    Mike Moore, M.S.S.E.
>>>>
>>>>    Systems Engineer, Goddard Private Cloud
>>>>    [hidden email]
>>>>
>>>>    Hydrogen fusion brightens my day.
>>>>
>>>>
>>>>    On 10/18/18, 1:07 AM, "iain MacDonnell" <[hidden email]> wrote:
>>>>
>>>>
>>>>
>>>>        On 10/17/2018 12:29 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>>>>        INTEGRA, INC.] wrote:
>>>>        > I’m seeing unexpected behavior in our Queens environment related to
>>>>        > Glance image visibility. Specifically users who, based on my
>>>>        > understanding of the visibility and ownership fields, should NOT be able
>>>>        > to see or view the image.
>>>>        >
>>>>        > If I create a new image with openstack image create and specify –project
>>>>        > <tenant> and –private a non-admin user in a different tenant can see and
>>>>        > boot that image.
>>>>        >
>>>>        > That seems to be the opposite of what should happen. Any ideas?
>>>>
>>>>        Yep, something's not right there.
>>>>
>>>>        Are you sure that the user that can see the image doesn't have the admin
>>>>        role (for the project in its keystone token) ?
>>>>
>>>>        Did you verify that the image's owner is what you intended, and that the
>>>>        visibility really is "private" ?
>>>>
>>>>             ~iain
>>>>
>>>>        _______________________________________________
>>>>        OpenStack-operators mailing list
>>>>        [hidden email]
>>>>        http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>>
>>>>
>>>>    _______________________________________________
>>>>    OpenStack-operators mailing list
>>>>    [hidden email]
>>>>    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> [hidden email]
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
>
>
>
>
> ------------------------------
>
> Message: 8
> Date: Fri, 19 Oct 2018 10:58:30 +0200
> From: Tomáš Vondra <[hidden email]>
> To: <[hidden email]>
> Subject: [Openstack-operators] osops-tools-monitoring Dependency
>          problems
> Message-ID: <049e01d46789$e8bf5220$ba3df660$@homeatcloud.cz>
> Content-Type: text/plain;       charset="iso-8859-2"
>
> Hi!
> I'm a long time user of monitoring-for-openstack, also known as oschecks.
> Concretely, I used a version from 2015 with OpenStack python client
> libraries from Kilo. Now I have upgraded them to Mitaka and it got broken.
> Even the latest oschecks don't work. I didn't quite expect that, given that
> there are several commits from this year e.g. by Nagasai Vinaykumar
> Kapalavai and paramite. Can one of them or some other user step up and say
> what version of OpenStack clients is oschecks working with? Ideally, write
> it down in requirements.txt so that it will be reproducible? Also, some
> documentation of what is the minimal set of parameters would also come in
> handy.
> Thanks a lot, Tomas from Homeatcloud
>
> The error messages are as absurd as:
> oschecks-check_glance_api --os_auth_url='http://10.1.101.30:5000/v2.0'
> --os_username=monitoring --os_password=XXX --os_tenant_name=monitoring
>
> CRITICAL: Traceback (most recent call last):
>    File "/usr/lib/python2.7/dist-packages/oschecks/utils.py", line 121, in
> safe_run
>      method()
>    File "/usr/lib/python2.7/dist-packages/oschecks/glance.py", line 29, in
> _check_glance_api
>      glance = utils.Glance()
>    File "/usr/lib/python2.7/dist-packages/oschecks/utils.py", line 177, in
> __init__
>      self.glance.parser = self.glance.get_base_parser(sys.argv)
> TypeError: get_base_parser() takes exactly 1 argument (2 given)
>
> (I can see 4 parameters on the command line.)
>
>
>
>
> ------------------------------
>
> Message: 9
> Date: Fri, 19 Oct 2018 11:21:25 +0200
> From: Christian Zunker <[hidden email]>
> To: openstack-operators <[hidden email]>
> Subject: [Openstack-operators] [heat][cinder] How to create stack
>          snapshot        including volumes
> Message-ID:
>         
> <CAHS=[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> Hi List,
>
> I'd like to take snapshots of heat stacks including the volumes.
> From what I found until now, this should be possible. You just have to
> configure some parts of OpenStack.
>
> I enabled cinder-backup with ceph backend. Backups from volumes are working.
> I configured heat to include the option backups_enabled = True.
>
> When I use openstack stack snapshot create, I get a snapshot but no backups
> of my volumes. I don't get any error messages in heat. Debug logging didn't
> help either.
>
> OpenStack version is Pike on Ubuntu installed with openstack-ansible.
> heat version is 9.0.3. So this should also include this bugfix:
> https://bugs.launchpad.net/heat/+bug/1687006
>
> Is anybody using this feature? What am I missing?
>
> Best regards
> Christian
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> <http://lists.openstack.org/pipermail/openstack-operators/attachments/20181019/bb7dd81b/attachment-0001.html>
>
> ------------------------------
>
> Message: 10
> Date: Fri, 19 Oct 2018 12:42:00 +0300
> From: Adrian Andreias <[hidden email]>
> To: [hidden email]
> Subject: [Openstack-operators] Fleio - OpenStack billing - ver. 1.1
>          released
> Message-ID:
>         
> <CACp-FE3gEP=nwXRtwy-H13qXrnhPa5bn0uWiukxWp=[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
>
> We've just released Fleio version 1.1.
>
> Fleio is a billing solution and control panel for OpenStack public clouds
> and traditional web hosters.
>
> Fleio software automates the entire process for cloud users. New customers
> can use Fleio to sign up for an account, pay invoices, add credit to their
> account, as well as create and manage cloud resources such as virtual
> machines, storage and networking.
>
> Full feature list:
> https://fleio.com#features
>
> You can see an online demo:
> https://fleio.com/demo
>
> And sign-up for a free trial:
> https://fleio.com/signup
>
>
>
> Cheers!
>
> - Adrian Andreias
> https://fleio.com
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> <http://lists.openstack.org/pipermail/openstack-operators/attachments/20181019/3031e47f/attachment-0001.html>
>
> ------------------------------
>
> Message: 11
> Date: Fri, 19 Oct 2018 20:54:29 +1100
> From: Tony Breeds <[hidden email]>
> To: OpenStack Development <[hidden email]>,
>          OpenStack SIGs <[hidden email]>, OpenStack
>          Operators <[hidden email]>
> Subject: Re: [Openstack-operators] [Openstack-sigs] [all] Naming the T
>          release of OpenStack
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> On Thu, Oct 18, 2018 at 05:35:39PM +1100, Tony Breeds wrote:
>> Hello all,
>>     As per [1] the nomination period for names for the T release has
>> now closed (actually 3 days ago sorry).  The nominated names and any
>> qualifying remarks can be seen at [2].
>>
>> Proposed Names
>>  * Tarryall
>>  * Teakettle
>>  * Teller
>>  * Telluride
>>  * Thomas
>>  * Thornton
>>  * Tiger
>>  * Tincup
>>  * Timnath
>>  * Timber
>>  * Tiny Town
>>  * Torreys
>>  * Trail
>>  * Trinidad
>>  * Treasure
>>  * Troublesome
>>  * Trussville
>>  * Turret
>>  * Tyrone
>>
>> Proposed Names that do not meet the criteria
>>  * Train
>
> I have re-worked my openstack/governance change[1] to ask the TC to accept
> adding Train to the poll as (partially) described in [2].
>
> I present the names above to the community and Foundation marketing team
> for consideration.  The list above does contain Train, clearly if the TC
> do not approve [1] Train will not be included in the poll when created.
>
> I apologise for any offence or slight caused by my previous email in
> this thread.  It was well intentioned albeit, with hindsight, poorly
> thought through.
>
> Yours Tony.
>
> [1] https://review.openstack.org/#/c/611511/
> [2]
> https://governance.openstack.org/tc/reference/release-naming.html#release-name-criteria
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 488 bytes
> Desc: not available
> URL:
> <http://lists.openstack.org/pipermail/openstack-operators/attachments/20181019/49c95d5d/attachment-0001.sig>
>
> ------------------------------
>
> Message: 12
> Date: Fri, 19 Oct 2018 16:33:17 +0000
> From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>
> To: Chris Apsey <[hidden email]>, iain MacDonnell
>          <[hidden email]>,
>          "[hidden email]"
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> Our NDC domain is LDAP backed. Default is not.
>
> Our keystone policy.json file is empty {}
>
>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> [hidden email]
>
> Hydrogen fusion brightens my day.
>
>
> On 10/18/18, 7:24 PM, "Chris Apsey" <[hidden email]> wrote:
>
>      We are using multiple keystone domains - still can't reproduce this.
>
>      Do you happen to have a customized keystone policy.json?
>
>      Worst case, I would launch a devstack of your targeted release.  If you
>      can't reproduce the issue there, you would at least know it's caused by a
>      nonstandard config rather than a bug (or at least not a bug that's present
>      when using a default config)
>
>      On October 18, 2018 18:50:12 iain MacDonnell <[hidden email]>
>      wrote:
>
>      > That all looks fine.
>      >
>      > I believe that the "default" policy applies in place of any that's not
>      > explicitly specified - i.e. "if there's no matching policy below, you
>      > need to have the admin role to be able to do it". I do have that line in
>      > my policy.json, and I cannot reproduce your problem (see below).
>      >
>      > I'm not using domains (other than "default"). I wonder if that's a factor...
>      >
>      >     ~iain
>      >
>      >
>      > $ openstack user create --password foo user1
>      > +---------------------+----------------------------------+
>      > | Field               | Value                            |
>      > +---------------------+----------------------------------+
>      > | domain_id           | default                          |
>      > | enabled             | True                             |
>      > | id                  | d18c0031ec56430499a2d690cb1f125c |
>      > | name                | user1                            |
>      > | options             | {}                               |
>      > | password_expires_at | None                             |
>      > +---------------------+----------------------------------+
>      > $ openstack user create --password foo user2
>      > +---------------------+----------------------------------+
>      > | Field               | Value                            |
>      > +---------------------+----------------------------------+
>      > | domain_id           | default                          |
>      > | enabled             | True                             |
>      > | id                  | be9f1061a5104abd834eabe98dff055d |
>      > | name                | user2                            |
>      > | options             | {}                               |
>      > | password_expires_at | None                             |
>      > +---------------------+----------------------------------+
>      > $ openstack project create project1
>      > +-------------+----------------------------------+
>      > | Field       | Value                            |
>      > +-------------+----------------------------------+
>      > | description |                                  |
>      > | domain_id   | default                          |
>      > | enabled     | True                             |
>      > | id          | 826876d6d3724018bae6253c7f540cb3 |
>      > | is_domain   | False                            |
>      > | name        | project1                         |
>      > | parent_id   | default                          |
>      > | tags        | []                               |
>      > +-------------+----------------------------------+
>      > $ openstack project create project2
>      > +-------------+----------------------------------+
>      > | Field       | Value                            |
>      > +-------------+----------------------------------+
>      > | description |                                  |
>      > | domain_id   | default                          |
>      > | enabled     | True                             |
>      > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
>      > | is_domain   | False                            |
>      > | name        | project2                         |
>      > | parent_id   | default                          |
>      > | tags        | []                               |
>      > +-------------+----------------------------------+
>      > $ openstack role add --user user1 --project project1 _member_
>      > $ openstack role add --user user2 --project project2 _member_
>      > $ export OS_PASSWORD=foo
>      > $ export OS_USERNAME=user1
>      > $ export OS_PROJECT_NAME=project1
>      > $ openstack image list
>      > +--------------------------------------+--------+--------+
>      > | ID                                   | Name   | Status |
>      > +--------------------------------------+--------+--------+
>      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>      > +--------------------------------------+--------+--------+
>      > $ openstack image create --private image1
>      > +------------------+------------------------------------------------------------------------------+
>      > | Field            | Value                                                                        |
>      > +------------------+------------------------------------------------------------------------------+
>      > | checksum         | None                                                                         |
>      > | container_format | bare                                                                         |
>      > | created_at       | 2018-10-18T22:17:41Z                                                         |
>      > | disk_format      | raw                                                                          |
>      > | file             | /v2/images/6a0c1928-b79c-4dbf-a9c9-305b599056e4/file                         |
>      > | id               | 6a0c1928-b79c-4dbf-a9c9-305b599056e4                                         |
>      > | min_disk         | 0                                                                            |
>      > | min_ram          | 0                                                                            |
>      > | name             | image1                                                                       |
>      > | owner            | 826876d6d3724018bae6253c7f540cb3                                             |
>      > | properties       | locations='[]', os_hash_algo='None', os_hash_value='None', os_hidden='False' |
>      > | protected        | False                                                                        |
>      > | schema           | /v2/schemas/image                                                            |
>      > | size             | None                                                                         |
>      > | status           | queued                                                                       |
>      > | tags             |                                                                              |
>      > | updated_at       | 2018-10-18T22:17:41Z                                                         |
>      > | virtual_size     | None                                                                         |
>      > | visibility       | private                                                                      |
>      > +------------------+------------------------------------------------------------------------------+
>      > $ openstack image list
>      > +--------------------------------------+--------+--------+
>      > | ID                                   | Name   | Status |
>      > +--------------------------------------+--------+--------+
>      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>      > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>      > +--------------------------------------+--------+--------+
>      > $ export OS_USERNAME=user2
>      > $ export OS_PROJECT_NAME=project2
>      > $ openstack image list
>      > +--------------------------------------+--------+--------+
>      > | ID                                   | Name   | Status |
>      > +--------------------------------------+--------+--------+
>      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>      > +--------------------------------------+--------+--------+
>      > $ export OS_USERNAME=admin
>      > $ export OS_PROJECT_NAME=admin
>      > $ export OS_PASSWORD=xxx
>      > $ openstack image set --public 6a0c1928-b79c-4dbf-a9c9-305b599056e4
>      > $ export OS_USERNAME=user2
>      > $ export OS_PROJECT_NAME=project2
>      > $ export OS_PASSWORD=foo
>      > $ openstack image list
>      > +--------------------------------------+--------+--------+
>      > | ID                                   | Name   | Status |
>      > +--------------------------------------+--------+--------+
>      > | ad497523-b497-4500-8e6c-b5fb12a30cee | cirros | active |
>      > | 6a0c1928-b79c-4dbf-a9c9-305b599056e4 | image1 | queued |
>      > +--------------------------------------+--------+--------+
>      > $
>      >
>      >
>      > On 10/18/2018 03:32 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      > INTEGRA, INC.] wrote:
>      >> openstack user create --domain default --password xxxxxxxx
> --project-domain
>      >> ndc --project test mike
>      >>
>      >>
>      >> openstack role add --user mike --user-domain default --project
> test user
>      >>
>      >> my admin account is in the NDC domain with a different username.
>      >>
>      >>
>      >>
>      >> /etc/glance/policy.json
>      >> {
>      >>
>      >> "context_is_admin":  "role:admin",
>      >> "default": "role:admin",
>      >>
>      >> <snip>
>      >>
>      >>
>      >> I'm not terribly familiar with the policies but I feel like that
> default
>      >> line is making everyone an admin by default?
>      >>
>      >>
>      >> Mike Moore, M.S.S.E.
>      >>
>      >> Systems Engineer, Goddard Private Cloud
>      >> [hidden email]
>      >>
>      >> Hydrogen fusion brightens my day.
>      >>
>      >>
>      >> On 10/18/18, 6:25 PM, "iain MacDonnell"
> <[hidden email]> wrote:
>      >>
>      >>
>      >> I suspect that your non-admin user is not really non-admin. How
> did you
>      >> create it?
>      >>
>      >> What do you have for "context_is_admin" in glance's policy.json ?
>      >>
>      >>  ~iain
>      >>
>      >>
>      >> On 10/18/2018 03:11 PM, Moore, Michael Dane (GSFC-720.0)[BUSINESS
>      >> INTEGRA, INC.] wrote:
>      >>> I have replicated this unexpected behavior in a Pike test
> environment, in
>      >>> addition to our Queens environment.
>      >>>
>      >>>
>      >>>
>      >>> Mike Moore, M.S.S.E.
>      >>>
>      >>> Systems Engineer, Goddard Private Cloud
>      >>> [hidden email]
>      >>>
>      >>> Hydrogen fusion brightens my day.
>      >>>
>      >>>
>      >>> On 10/18/18, 2:30 PM, "Moore, Michael Dane
> (GSFC-720.0)[BUSINESS INTEGRA,
>      >>> INC.]" <[hidden email]> wrote:
>      >>>
>      >>>    Yes. I verified it by creating a non-admin user in a
> different tenant. I
>      >>>    created a new image, set to private with the project defined
> as our admin
>      >>>    tenant.
>      >>>
>      >>>    In the database I can see that the image is 'private' and
> the owner is the
>      >>>    ID of the admin tenant.
>      >>>
>      >>>    Mike Moore, M.S.S.E.
>      >>>
>      >>>    Systems Engineer, Goddard Private Cloud
>      >>>    [hidden email]
>      >>>
>      >>>    Hydrogen fusion brightens my day.
>      >>>
>      >>>
>      >>>    On 10/18/18, 1:07 AM, "iain MacDonnell"
> <[hidden email]> wrote:
>      >>>
>      >>>
>      >>>
>      >>>        On 10/17/2018 12:29 PM, Moore, Michael Dane
> (GSFC-720.0)[BUSINESS
>      >>>        INTEGRA, INC.] wrote:
>      >>>        > I’m seeing unexpected behavior in our Queens
> environment related to
>      >>>        > Glance image visibility. Specifically users who, based
> on my
>      >>>        > understanding of the visibility and ownership fields,
> should NOT be able
>      >>>        > to see or view the image.
>      >>>        >
>      >>>        > If I create a new image with openstack image create
> and specify --project
>      >>>        > <tenant> and --private a non-admin user in a different
> tenant can see and
>      >>>        > boot that image.
>      >>>        >
>      >>>        > That seems to be the opposite of what should happen.
> Any ideas?
>      >>>
>      >>>        Yep, something's not right there.
>      >>>
>      >>>        Are you sure that the user that can see the image
> doesn't have the admin
>      >>>        role (for the project in its keystone token) ?
>      >>>
>      >>>        Did you verify that the image's owner is what you
> intended, and that the
>      >>>        visibility really is "private" ?
>      >>>
>      >>>             ~iain
>      >>>
>
> ------------------------------
>
> Message: 13
> Date: Fri, 19 Oct 2018 16:54:12 +0000
> From: "Moore, Michael Dane (GSFC-720.0)[BUSINESS INTEGRA, INC.]"
>          <[hidden email]>
> To: Chris Apsey <[hidden email]>, iain MacDonnell
>          <[hidden email]>,
>          "[hidden email]"
>          <[hidden email]>
> Subject: Re: [Openstack-operators] Glance Image Visibility Issue? -
>          Non admin users can see private images from other tenants
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
>
> For reference, here is our full glance policy.json
>
>
> {
>      "context_is_admin":  "role:admin",
>      "default": "role:admin",
>
>      "add_image": "",
>      "delete_image": "",
>      "get_image": "",
>      "get_images": "",
>      "modify_image": "",
>      "publicize_image": "role:admin",
>      "communitize_image": "",
>      "copy_from": "",
>
>      "download_image": "",
>      "upload_image": "",
>
>      "delete_image_location": "",
>      "get_image_location": "",
>      "set_image_location": "",
>
>      "add_member": "",
>      "delete_member": "",
>      "get_member": "",
>      "get_members": "",
>      "modify_member": "",
>
>      "manage_image_cache": "role:admin",
>
>      "get_task": "",
>      "get_tasks": "",
>      "add_task": "",
>      "modify_task": "",
>      "tasks_api_access": "role:admin",
>
>      "deactivate": "",
>      "reactivate": "",
>
>      "get_metadef_namespace": "",
>      "get_metadef_namespaces":"",
>      "modify_metadef_namespace":"",
>      "add_metadef_namespace":"",
>
>      "get_metadef_object":"",
>      "get_metadef_objects":"",
>      "modify_metadef_object":"",
>      "add_metadef_object":"",
>
>      "list_metadef_resource_types":"",
>      "get_metadef_resource_type":"",
>      "add_metadef_resource_type_association":"",
>
>      "get_metadef_property":"",
>      "get_metadef_properties":"",
>      "modify_metadef_property":"",
>      "add_metadef_property":"",
>
>      "get_metadef_tag":"",
>      "get_metadef_tags":"",
>      "modify_metadef_tag":"",
>      "add_metadef_tag":"",
>      "add_metadef_tags":""
>
> }
>
>
> Mike Moore, M.S.S.E.
>
> Systems Engineer, Goddard Private Cloud
> [hidden email]
>
> Hydrogen fusion brightens my day.
>
>
> On 10/19/18, 12:39 PM, "Moore, Michael Dane (GSFC-720.0)[BUSINESS
> INTEGRA, INC.]" <[hidden email]> wrote:
>
>      Our NDC domain is LDAP backed. Default is not.
>
>      Our keystone policy.json file is empty {}
>
>
>
>      Mike Moore, M.S.S.E.
>
>      Systems Engineer, Goddard Private Cloud
>      [hidden email]
>
>      Hydrogen fusion brightens my day.
>
>
>      On 10/18/18, 7:24 PM, "Chris Apsey" <[hidden email]> wrote:
>
>          We are using multiple keystone domains - still can't reproduce
> this.
>
>          Do you happen to have a customized keystone policy.json?
>
>          Worst case, I would launch a devstack of your targeted
> release.  If you
>          can't reproduce the issue there, you would at least know it's
> caused by a
>          nonstandard config rather than a bug (or at least not a bug
> that's present
>          when using a default config)
>
>          On October 18, 2018 18:50:12 iain MacDonnell
> <[hidden email]>
>          wrote:
>
>          > That all looks fine.
>          >
>          > I believe that the "default" policy applies in place of any
> that's not
>          > explicitly specified - i.e. "if there's no matching policy
> below, you
>          > need to have the admin role to be able to do it". I do have
> that line in
>          > my policy.json, and I cannot reproduce your problem (see below).
>          >
>          > I'm not using domains (other than "default"). I wonder if
> that's a factor...
>          >
>          >     ~iain
>          >
>          >
>          > $ openstack user create --password foo user1
>          > +---------------------+----------------------------------+
>          > | Field               | Value                            |
>          > +---------------------+----------------------------------+
>          > | domain_id           | default                          |
>          > | enabled             | True                             |
>          > | id                  | d18c0031ec56430499a2d690cb1f125c |
>          > | name                | user1                            |
>          > | options             | {}                               |
>          > | password_expires_at | None                             |
>          > +---------------------+----------------------------------+
>          > $ openstack user create --password foo user2
>          > +---------------------+----------------------------------+
>          > | Field               | Value                            |
>          > +---------------------+----------------------------------+
>          > | domain_id           | default                          |
>          > | enabled             | True                             |
>          > | id                  | be9f1061a5104abd834eabe98dff055d |
>          > | name                | user2                            |
>          > | options             | {}                               |
>          > | password_expires_at | None                             |
>          > +---------------------+----------------------------------+
>          > $ openstack project create project1
>          > +-------------+----------------------------------+
>          > | Field       | Value                            |
>          > +-------------+----------------------------------+
>          > | description |                                  |
>          > | domain_id   | default                          |
>          > | enabled     | True                             |
>          > | id          | 826876d6d3724018bae6253c7f540cb3 |
>          > | is_domain   | False                            |
>          > | name        | project1                         |
>          > | parent_id   | default                          |
>          > | tags        | []                               |
>          > +-------------+----------------------------------+
>          > $ openstack project create project2
>          > +-------------+----------------------------------+
>          > | Field       | Value                            |
>          > +-------------+----------------------------------+
>          > | description |                                  |
>          > | domain_id   | default                          |
>          > | enabled     | True                             |
>          > | id          | b446b93ac6e24d538c1943acbdd13cb2 |
>          > | is_domain   | False                            |
>          > | name        | project2                         |
>          > | parent_id   | default                          |
>          > | tags        | []                               |
>          > +-------------+----------------------------------+
>          > $ openstack role add --user user1 --project project1 _member_
>          > $ openstack role add --user user2 --project project2 _member_
>          > $ export OS_PASSWORD=foo
>          > $ export OS_USERNAME=user1
>          > $ export OS_PROJECT_NAME=project1
>          > $ open