openstack team mailing list archive

Re: Listing non-public images in Glance

 

 b) If authentication is not in effect, should we change to listing
   everything, public and not? I can file a bug and see it implemented.

In case it's useful, I think that currently (without authentication)
a command such as:

curl http://localhost:9292/v1/images?is_public=None

will list both public and private images.

-Stuart


On Thu, 19 Jan 2012, Jay Pipes wrote:

Hi Pete! Answers inline :)

On Thu, Jan 19, 2012 at 2:26 PM, Pete Zaitcev <zaitcev@xxxxxxxxxx> wrote:
Hello:

This clearly seems like I am missing something obvious, but is it
possible to list non-public images in Glance?

No. But if you know the ID, you can issue a call to HEAD|GET
/images/<ID> and it will show you the image information. This was done
this way for legacy reasons IIRC. Nowadays, with authentication
enabled, you have much better, finer-grained, and logical access
permissions to images (see below)

It came up because I have a Glance setup without Keystone or other
authentication for now, like this:

 [pipeline:glance-api]
 pipeline = versionnegotiation context apiv1app

Images that have "X-Image-Meta-Is_public: False" do not get listed
with "glance index". I am not saying that it is wrong per se, all the
documentation implies that a GET to /v1/images only produces a listing
of public images, and it looks like all functional and unit tests
in ./glance/tests set the public flag as necessary.

Correct.

But I'm wondering:

 a) If authentication is in effect, can users list their own images?

Yes. If authentication is enabled and a user calls GET /images, they
see a list of non-deleted, non-killed-status *public* images
(is_public=True) AND any images where the owner_id is the user's
Tenant or User ID AND any images that have manually been shared with
the Tenant or User ID via the image-memberships functionality.

Note that I say "Tenant or User" above. There is a configuration value
(owner_is_tenant, default is True) that controls whether the
authentication layer considers the X-Auth-Tenant or the X-Auth-User
value as being the owner...

   It is easy to forget what you have. The Image Warehouse service
   in Aeolus permits to list images regardless, as long as bucket
   is accessible.

 b) If authentication is not in effect, should we change to listing
   everything, public and not? I can file a bug and see it implemented.

Interesting proposal, and one we debated over when Kevin Mitchell
originally added support for authentication (and thus image
ownership). We decided to keep it the way it is because we did not
want to change existing behaviour of servers that did not have
authentication enabled...

Cheers!
-jay

-- Pete
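
The listing rule described in the thread above, as an added example that is not part of the original messages and is not Glance's own code: a small Python model of which image IDs a GET /images call returns with and without authentication, and of the lookup by ID that performs no is_public check. The class names, function names and sample data are hypothetical, and applying the deleted/killed filter to owned and shared images as well as public ones is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Image:
    id: str
    is_public: bool
    owner: Optional[str] = None   # tenant ID or user ID, per owner_is_tenant
    status: str = "active"
    deleted: bool = False
    members: set = field(default_factory=set)  # IDs the image is shared with

@dataclass
class Caller:
    tenant: Optional[str] = None  # value of X-Auth-Tenant
    user: Optional[str] = None    # value of X-Auth-User

def list_images(images, caller=None, owner_is_tenant=True):
    """Model of GET /images; caller=None means authentication is not enabled."""
    ident = None
    if caller is not None:
        ident = caller.tenant if owner_is_tenant else caller.user
    visible = []
    for img in images:
        if img.deleted or img.status == "killed":
            continue
        # Public images are always listed; private ones only to owner or members.
        if img.is_public or (ident is not None and (img.owner == ident or ident in img.members)):
            visible.append(img.id)
    return visible

def show_image(images, image_id):
    """Model of HEAD|GET /images/<ID>: knowing the ID is enough, is_public is not checked."""
    return next((img for img in images if img.id == image_id), None)

# Constructed sample data, not taken from any real deployment.
IMAGES = [
    Image("a", is_public=True, owner="t1"),
    Image("b", is_public=False, owner="t1"),
    Image("c", is_public=False, owner="t2", members={"t1"}),
    Image("d", is_public=False, owner="t2"),
    Image("e", is_public=True, owner="t2", status="killed"),
    Image("f", is_public=False, owner="alice"),
]
```

In this model, is_public=False only hides an image from the listing when authentication is off; it is the owner and membership checks, available once authentication is enabled, that act as access control.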

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
