diff --git a/glance/location.py b/glance/location.py
index 3c6df1296d..970fb156fc 100644
--- a/glance/location.py
+++ b/glance/location.py
@@ -86,8 +86,17 @@ class ImageRepoProxy(glance.domain.proxy.Repo):
     def get(self, image_id):
         image = super(ImageRepoProxy, self).get(image_id)
         if CONF.enabled_backends:
-            store_utils.update_store_in_locations(
-                self.context, image, self.image_repo)
+            try:
+                store_utils.update_store_in_locations(
+                    self.context, image, self.image_repo)
+            except exception.Forbidden:
+                # NOTE(danms): We may not be able to complete a store
+                # update if we do not own the image. That should not
+                # break us, so avoid raising Forbidden in that
+                # case. Note that modifications to @image here will
+                # still be returned to the user, just not saved in the
+                # DB. That is probably what we want anyway.
+                pass
         return image
 
 
diff --git a/glance/tests/functional/v2/test_legacy_update_cinder_store.py b/glance/tests/functional/v2/test_legacy_update_cinder_store.py
index 4440040eac..64c544fed9 100644
--- a/glance/tests/functional/v2/test_legacy_update_cinder_store.py
+++ b/glance/tests/functional/v2/test_legacy_update_cinder_store.py
@@ -257,14 +257,6 @@ class TestLegacyUpdateCinderStore(functional.SynchronousAPIBase):
         resp = self.api_get('/v2/images/%s' % image_id,
                             headers={'X-Roles': 'reader'})
 
-        # FIXME(danms): This is broken behavior: the first user to GET
-        # an image after upgrade may not be an admin or the owner. As
-        # such, we should not return an error to that user for a valid image.
-        self.assertEqual(500, resp.status_code)
-        self.skipTest('Bug 1932337 is not fixed')
-
-        # FIXME(danms): Continue the test below when bug 1932337 is
-        # fixed.
         image = resp.json
         # verify the image is updated to new format
         self.assertEqual('cinder://store1/%s' % self.vol_id,
diff --git a/releasenotes/notes/cinder-store-migration-non-owner-80a2a8114d8602aa.yaml b/releasenotes/notes/cinder-store-migration-non-owner-80a2a8114d8602aa.yaml
new file mode 100644
index 0000000000..3290075c0d
--- /dev/null
+++ b/releasenotes/notes/cinder-store-migration-non-owner-80a2a8114d8602aa.yaml
@@ -0,0 +1,13 @@
+---
+fixes:
+  - |
+    The cinder store lazy migration code assumed that the user
+    performing the GET was authorized to modify the image in order to
+    perform the update. This will not be the case for shared or public
+    images where the user is not the owner or an admin, and would
+    result in a 404 to the user if a migration is needed but not
+    completed. Now, we delay the migration if we are not sufficiently
+    authorized, allowing the first GET by the owner (or an admin) to
+    perform it. See Bug 1932337_ for more information.
+
+    .. _1932337: https://bugs.launchpad.net/glance/+bug/1932337