Ask Your Question
1

Glance public image create 403 Forbidden: You are not authorized to complete this action. (HTTP 403) error in openstack mitaka

asked 2016-09-02 04:46:41 -0600

murugesan gravatar image

updated 2016-09-02 04:53:13 -0600

I'm using CentOS Linux release 7.2.1511 (Core)

For install Openstack mitaka

I have setup mariadb cluster for two node replication

I could not able create public images in glance module, got 403 not authorized error. How to solve this issue.

I have sourced my admin_rc file as

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=*****
export OS_AUTH_URL=http://controller2:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

when i create glance public image got following authorization error

[root@controller2 ~]# openstack image create "cirros" --file cirros-0.3.2-x86_64-disk.img --disk-format qcow2 --container-format bare --public
403 Forbidden: You are not authorized to complete this action. (HTTP 403)

but i can able create non public images,list images and list other services,endpoints

[root@controller2 ~]# openstack image create "cirros_test" --file cirros-0.3.2-x86_64-disk.img --disk-format qcow2 --container-format bare
+------------------+------------------------------------------------------+
| Field            | Value                                                |
+------------------+------------------------------------------------------+
| checksum         | 64d7c1cd2b6f60c92c14662941cb7913                     |
| container_format | bare                                                 |
| created_at       | 2016-09-02T07:13:50Z                                 |
| disk_format      | qcow2                                                |
| file             | /v2/images/48ab03c8-e3d6-47a6-9aa5-baf5009ee7b1/file |
| id               | 48ab03c8-e3d6-47a6-9aa5-baf5009ee7b1                 |
| min_disk         | 0                                                    |
| min_ram          | 0                                                    |
| name             | cirros_test                                          |
| owner            | None                                                 |
| protected        | False                                                |
| schema           | /v2/schemas/image                                    |
| size             | 13167616                                             |
| status           | active                                               |
| tags             |                                                      |
| updated_at       | 2016-09-02T07:13:51Z                                 |
| virtual_size     | None                                                 |
| visibility       | private                                              |
+------------------+------------------------------------------------------+

[root@controller2 ~]# glance image-list
+--------------------------------------+-------------+
| ID                                   | Name        |
+--------------------------------------+-------------+
| 099c64e7-4d6c-4d90-a318-e3c4482fa6ac | cirros      |
| 48ab03c8-e3d6-47a6-9aa5-baf5009ee7b1 | cirros_test |
+--------------------------------------+-------------+

[root@controller2 ~]# openstack image list
+--------------------------------------+-------------+--------+
| ID                                   | Name        | Status |
+--------------------------------------+-------------+--------+
| 48ab03c8-e3d6-47a6-9aa5-baf5009ee7b1 | cirros_test | active |
| 099c64e7-4d6c-4d90-a318-e3c4482fa6ac | cirros      | active |
+--------------------------------------+-------------+--------+

image back-end store has both public and private images, even that 403 error occurred image also has

[root@controller2 ~]# du -sh /var/lib/glance/images/*
13M     /var/lib/glance/images/099c64e7-4d6c-4d90-a318-e3c4482fa6ac
13M     /var/lib/glance/images/48ab03c8-e3d6-47a6-9aa5-baf5009ee7b1
13M     /var/lib/glance/images/b6259842-13a3-43aa-9027-a84bad66d92c
13M     /var/lib/glance/images/b6df34cb-1684-45aa-aafa-8a374c28106b

when i create public image following logs generated

/var/log/glance/api.log

2016-09-02 12:51:55.915 2826 INFO eventlet.wsgi.server [req-0a0955d8-4234-4239-a722-305bb15aa74c - - - - -] 10.10.100.240 - - [02/Sep/2016 12:51:55] "GET /v2/schemas/image HTTP/1.1" 200 4344 0.002151
2016-09-02 12:51:55.991 2826 INFO eventlet.wsgi.server [req-25c392da-d242-43d5-8710-3b8ad0e08a33 - - - - -] 10.10.100.240 - - [02/Sep/2016 12:51:55] "POST /v2/images HTTP/1.1" 403 383 0.015784

there no log updated in /var/log/glance/registry.log while create public glance image

/var/log/keystone/keystone.log

2016-09-02 12:57:00.826 3106 INFO keystone.common.wsgi [req-4e56c5af-e44e-4836-aa75-e54b50b30a58 - - - - -] GET http://controller2:35357/v3/
2016-09-02 12:57:00.839 3104 INFO keystone.common.wsgi [req-3bba1d1d-48c8-423e-8ffe-8cf296462737 - - - - -] POST http://controller2:35357/v3/auth/tokens
2016-09-02 12:57:00.997 3104 INFO keystone.token.providers.fernet.utils [req-3bba1d1d-48c8-423e-8ffe-8cf296462737 - - - - -] Loaded 2 encryption keys (max_active_keys=3) from: /etc/keystone/fernet-keys/
2016-09-02 12:57:01.048 3107 INFO keystone.common.wsgi [req-0ccccc65-7ddb-467b-b99b-73285c3e1ce1 - - - - -] POST http://controller2:35357/v3/auth/tokens
2016-09-02 12:57:01.204 3107 INFO keystone.token.providers.fernet.utils [req-0ccccc65-7ddb-467b-b99b-73285c3e1ce1 - - - - -] Loaded 2 encryption keys (max_active_keys=3) from: /etc/keystone/fernet-keys/

i also tried to change the /etc/glance/policy.json

"publicize_image": "role:admin", to "publicize_image": "",

facing same issue

Following is my public image creation with debug

[root@controller2 ~]# openstack --debug image create "cirros" --file cirros-0.3.2-x86_64-disk.img --disk-format qcow2 --container-format bare --public ...
(more)
edit retag flag offensive close merge delete

Comments

I am having the same problem at the moment: glance image-create --visibility public --disk-format qcow2 --container-format bare --progress --file ./CentOS-7-x86_64-GenericCloud-1503.qcow2 --name centos7-image 403 Forbidden You are not authorized to complete publicize_image

twotwo gravatar imagetwotwo ( 2016-12-06 13:25:33 -0600 )edit

4 answers

Sort by ยป oldest newest most voted
0

answered 2016-09-02 05:06:24 -0600

dbaxps gravatar image

Try openstack image set imageName --is-public True
If fails login as admin to dashboard and update image features via GUI.

edit flag offensive delete link more

Comments

--is-public argument not working

openstack image set: error: unrecognized arguments: --is-public True

i used openstack image set cirros --public

same issue 403 Forbidden: You are not authorized to complete this action. (HTTP 403)

My glance version is 2.0.0

murugesan gravatar imagemurugesan ( 2016-09-02 05:15:12 -0600 )edit

Have Glance been installed via RDO repos ?
Would be more precise - post all RDO repos been used for deployment

dbaxps gravatar imagedbaxps ( 2016-09-02 05:20:40 -0600 )edit

I have created centos7 local repository for quick installation it may be a problem, i'll check

murugesan gravatar imagemurugesan ( 2016-09-02 05:53:21 -0600 )edit

hi dbaxps,

Thanks for your update, but I'm using centos7. I have downloaded and created a local repository from ftp://ftp.iitm.ac.in/centos/7/

Is it required RDO repository for centos7?

murugesan gravatar imagemurugesan ( 2016-09-02 23:50:42 -0600 )edit

I would suggest you better follow
https://www.rdoproject.org/install/qu...
on all nodes. Just don't invoke packstack if you are doing manual set up.

dbaxps gravatar imagedbaxps ( 2016-09-03 01:06:59 -0600 )edit
0

answered 2018-09-01 07:41:13 -0600

Aref gravatar image

updated 2018-09-01 07:41:41 -0600

make sure in file: /etc/glance/glance-registry.conf you have set:

[paste_deploy] flavor = keystone

edit flag offensive delete link more
0

answered 2018-05-09 09:49:41 -0600

This is still an issue. It is an even worse issue in the UI, because you just get a generic "Error" message!

Reading https://www.sebastien-han.fr/blog/2014/10/30/openstack-glance-allow-user-to-create-public-images/ (https://www.sebastien-han.fr/blog/201...) makes it seem like it was purposeful, but it makes no sense why there is an option you can never use.

edit flag offensive delete link more
0

answered 2016-10-03 13:34:50 -0600

I'm pretty sure there is some sort of inconsistent behavior there. I couldn't have it work. I would either get 403 Forbidden: You are not authorized to complete this action. (HTTP 403) or The request you have made requires authentication. (HTTP 401) (Request-ID: req-<some-request-id>), when trying to source some made up credentials. In some nth attempt, it suddenly works. This might signal problems.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

Stats

Asked: 2016-09-02 04:46:41 -0600

Seen: 3,846 times

Last updated: Sep 01 '18