yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1711468] [NEW] interoperable image import requires exposing the tasks api

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Brian Rosmaita <rosmaita.fossdev@xxxxxxxxx>
Date: Thu, 17 Aug 2017 22:11:46 -0000
Reply-to: Bug 1711468 <1711468@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

The Tasks API was made admin-only in Mitaka by changing the get_task,
get_tasks, add_task, and modify_task policies to require "role:admin" by
default.  The interoperable image import process introduced in Pike
requires an ordinary user to have (at least) the add_task permission
(although the user does not create the task directly, and in fact,
should have no knowledge that a task is being used behind the scenes to
do the image import).

We need a way to allow non-admin credentials to manipulate tasks, but
not allow access to tasks directly via the Tasks API.

It would be nice to get this resolved in Pike.  Otherwise operators may
not want to try out the interoperable image import.

** Affects: glance
     Importance: Critical
     Assignee: Brian Rosmaita (brian-rosmaita)
         Status: Triaged

** Changed in: glance
     Assignee: (unassigned) => Brian Rosmaita (brian-rosmaita)

** Changed in: glance
   Importance: Undecided => Critical

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1711468

Title:
  interoperable image import requires exposing the tasks api

Status in Glance:
  Triaged

Bug description:
  The Tasks API was made admin-only in Mitaka by changing the get_task,
  get_tasks, add_task, and modify_task policies to require "role:admin"
  by default.  The interoperable image import process introduced in Pike
  requires an ordinary user to have (at least) the add_task permission
  (although the user does not create the task directly, and in fact,
  should have no knowledge that a task is being used behind the scenes
  to do the image import).

  We need a way to allow non-admin credentials to manipulate tasks, but
  not allow access to tasks directly via the Tasks API.

  It would be nice to get this resolved in Pike.  Otherwise operators
  may not want to try out the interoperable image import.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1711468/+subscriptions

Follow ups

[Bug 1711468] Re: interoperable image import requires exposing the tasks api
From: OpenStack Infra, 2017-08-18