Reviewed: https://review.openstack.org/524060 Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=89feef0e2f2d327e8efd4cc768aaced72c54838c Submitter: Zuul Branch: master
commit 89feef0e2f2d327e8efd4cc768aaced72c54838c Author: bhagyashris <bhagyashri.shew...@nttdata.com> Date: Tue Nov 21 12:55:50 2017 +0530 Move 'upload_image' policy check to the controller There are two methods to create images:- Method A) POST /v2/images PUT /v2/images/{image_id}/file Method B) POST /v2/images PUT /v2/images/{image_id}/stage POST /v2/images/{image_id}/import The traditional image upload API (PUT /v2/images/{image_id}/file) uses 'upload_image' policy which is same for Method B (POST /v2/images/{image_id}/import) image-create-via-import(new API for image create) API. The long term goal is to make users use method B to create images and cross services to use Method A until changes are made to use Method B. To restrict normal users from using Method A to create images both these APIs (/v2/images/{image_id}/file and /v2/images/{image_id}/import) should have a distinct policy. This patch move the 'upload_image' policy check from imge.set_data() to the controller and not introduce any new policies at this point for import API call (POST /v2/images/{image_id}/import) on the theory that an operator can stop import by restricting the 'image_create' policy. And also this fix will not change the semantics of the 'upload_image' policy from the operator perspective. Closes-Bug: #1732141 Change-Id: Icc62add5f8d48549aac94c8058d66d6b77b56d41 ** Changed in: glance Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1732141 Title: 'upload-image' policy blocks the image-import API Status in Glance: Fix Released Bug description: There are two methods to create images:- Method A) POST /v2/images PUT /v2/images/{image_id}/file Method B) POST /v2/images PUT /v2/images/{image_id}/stage POST /v2/images/{image_id}/import Glance community has long term plan to restrict Method A for normal user to create the image. The traditional image upload API (PUT /v2/images/{image_id}/file) uses 'upload-image' policy which is same for Method B (POST /v2/images/{image_id}/import) image-create-via-import(new API for image create) API. If glance community restricts traditional Method A (image upload) for normal user then it will also impact Method B (POST /v2/images/{image_id}/import) image-import call thus normal user won't be able to import image using image-create-via-import(new API for image create). The 'upload-image' and 'import image' shares same policy. Steps to reproduce: Case 1: Restrict the normal user to upload-image 1. Modify the /etc/glance/policy.json "upload_image": "role:demo", 2. Create the image $ glance image-create --name test --property test=tyest --file spec_and_blueprint_content.txt -- container-format bare --disk-format qcow2 +------------------+--------------------------------------+ | Property | Value | +------------------+--------------------------------------+ | checksum | None | | container_format | bare | | created_at | 2017-11-13T07:02:41Z | | disk_format | qcow2 | | id | d719c5fb-4907-4b8d-b219-18a2743b82b6 | | min_disk | 0 | | min_ram | 0 | | name | test | | owner | d2b9f7372d2e481ca13a16bd526f9f14 | | protected | False | | size | None | | status | queued | | tags | [] | | test | tyest | | updated_at | 2017-11-13T07:02:41Z | | virtual_size | None | | visibility | shared | +------------------+--------------------------------------+ 403 Forbidden: Not allowed to upload image data for image d719c5fb-4907-4b8d- b219-18a2743b82b6: You are not authorized to complete upload_image action. (HTTP 403) Case 2: Now normal user wants to create the image using image-create- via-import api but it will not allow to import the image as the policy is set in the first case. $ glance image-create-via-import --name test --file spec_and_blueprint_content.txt --container-format bare --disk-format raw -- property os_distro=xyz +------------------+--------------------------------------+ | Property | Value | +------------------+--------------------------------------+ | checksum | None | | container_format | bare | | created_at | 2017-11-13T07:23:25Z | | disk_format | raw | | id | 7e0bc1c4-7024-43cb-b75c-2a5629f8ded9 | | min_disk | 0 | | min_ram | 0 | | name | test | | os_distro | xyz | | owner | d2b9f7372d2e481ca13a16bd526f9f14 | | protected | False | | size | None | | status | queued | | tags | [] | | updated_at | 2017-11-13T07:23:25Z | | virtual_size | None | | visibility | shared | +------------------+--------------------------------------+ 403 Forbidden: Not allowed to upload image data for image 7e0bc1c4-7024-43cb- b75c2a5629f8ded9: You are not authorized to complete upload_image action. (HTTP 403) So to overcome this we will need to add the separate policy for import image in policy.json To manage notifications about this bug go to: https://bugs.launchpad.net/glance/+bug/1732141/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp