How does the membership work in glance?

Asked by Andrea Siringo on 2011-12-05

Hi all,

I'm trying to use glance membership with keystone configured.
I don't know if I understood correctly how that should work.

Suppose we have 2 tenants: tenA and tenB. tenA is owner of a private image and grants the membership to tenB.
tenB is listed as member of the image using "glance member-images tenB".
In this scenario
- should tenB see the private image through glance index/details/show?
- should tenB be able to launch a new instance using that image?

I think so but using glance CLI I can't do these operations, because tenB is not able to see tenA's private image.
Can anyone help me?

Question information

Language: English
Status: Solved
For: Glance
Assignee: No assignee
Solved by: Kevin L. Mitchell
Solved: 2011-12-06
Last query: 2011-12-06
Last reply: 2011-12-05

Best Kevin L. Mitchell (klmitch) said : #1

On Mon, 2011-12-05 at 18:05 +0000, Andrea Siringo wrote:
> Suppose we have 2 tenants: tenA and tenB. tenA is owner of a private
> image and grants the membership to tenB.
> tenB is listed as member of the image using "glance member-images tenB".
> In this scenario
> - should tenB see the private image through glance index/details/show?

Yes, tenB should be able to see the private image.

> - should tenB be able to launch a new instance using that image?

Yes, tenB should be able to launch a new instance using that image.

> I think so but using glance CLI I can't do these operations, because
> tenB is not able to see tenA's private image.
> Can anyone help me?

How are you specifying the tenants? Are you using tenant name or tenant
ID? (Do a glance show as tenA on the image and see what the "ownership"
is shown as.) There are tests that attempt to verify that this
functionality doesn't break, but there is the possibility that something
has bitrotted...
--
Kevin L. Mitchell <email address hidden>

Thanks Kevin L. Mitchell, that solved my question.

By the way, I had this issue because I followed the identity service guide on docs.openstack.org, and there, in the member-add example, the tenant is indicated as a literal string and nowhere is it specified that it must be an ID.