Reviewed: https://review.openstack.org/494732 Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=b90ad2524fd1c80e33930191b415c67a91904fd9 Submitter: Jenkins Branch: master
commit b90ad2524fd1c80e33930191b415c67a91904fd9 Author: Brian Rosmaita <[email protected]> Date: Thu Aug 17 18:21:25 2017 -0400 Add 'tasks_api_access' policy The Tasks API was made admin-only in Mitaka to prevent it from being exposed directly to end users. The interoperable image import process introduced in Pike uses the tasks engine to perform the import. This patch introduces a new policy, 'tasks_api_access', that determines whether a user can make Tasks API calls. The currently existing task-related policies are retained so that operators can have fine-grained control over tasks. With this new policy, operators can restrict Tasks API access to admins, while at the same time, admin-level credentials are not required for glance to perform task-related functions on behalf of users. Change-Id: I3f66f7efa7c377d999a88457fc6492701a894f34 Closes-bug: #1711468 ** Changed in: glance Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1711468 Title: interoperable image import requires exposing the tasks api Status in Glance: Fix Released Bug description: The Tasks API was made admin-only in Mitaka by changing the get_task, get_tasks, add_task, and modify_task policies to require "role:admin" by default. The interoperable image import process introduced in Pike requires an ordinary user to have (at least) the add_task permission (although the user does not create the task directly, and in fact, should have no knowledge that a task is being used behind the scenes to do the image import). We need a way to allow non-admin credentials to manipulate tasks, but not allow access to tasks directly via the Tasks API. It would be nice to get this resolved in Pike. Otherwise operators may not want to try out the interoperable image import. To manage notifications about this bug go to: https://bugs.launchpad.net/glance/+bug/1711468/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
