yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #69823
[Bug 1732141] Re: 'upload-image' policy blocks the image-import API
Reviewed: https://review.openstack.org/524060
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=89feef0e2f2d327e8efd4cc768aaced72c54838c
Submitter: Zuul
Branch: master
commit 89feef0e2f2d327e8efd4cc768aaced72c54838c
Author: bhagyashris <bhagyashri.shewale@xxxxxxxxxxx>
Date: Tue Nov 21 12:55:50 2017 +0530
Move 'upload_image' policy check to the controller
There are two methods to create images:-
Method A)
POST /v2/images
PUT /v2/images/{image_id}/file
Method B)
POST /v2/images
PUT /v2/images/{image_id}/stage
POST /v2/images/{image_id}/import
The traditional image upload API (PUT /v2/images/{image_id}/file)
uses 'upload_image' policy which is same for
Method B (POST /v2/images/{image_id}/import)
image-create-via-import(new API for image create) API.
The long term goal is to make users use method B to create images
and cross services to use Method A until changes are made to
use Method B.
To restrict normal users from using Method A to create images both
these APIs (/v2/images/{image_id}/file and /v2/images/{image_id}/import)
should have a distinct policy.
This patch move the 'upload_image' policy check from imge.set_data()
to the controller and not introduce any new policies at this point
for import API call (POST /v2/images/{image_id}/import)
on the theory that an operator can stop import by restricting the
'image_create' policy. And also this fix will not change the semantics
of the 'upload_image' policy from the operator perspective.
Closes-Bug: #1732141
Change-Id: Icc62add5f8d48549aac94c8058d66d6b77b56d41
** Changed in: glance
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1732141
Title:
'upload-image' policy blocks the image-import API
Status in Glance:
Fix Released
Bug description:
There are two methods to create images:-
Method A)
POST /v2/images
PUT /v2/images/{image_id}/file
Method B)
POST /v2/images
PUT /v2/images/{image_id}/stage
POST /v2/images/{image_id}/import
Glance community has long term plan to restrict Method A for normal
user to create the image.
The traditional image upload API (PUT /v2/images/{image_id}/file) uses
'upload-image' policy which is same for Method B (POST
/v2/images/{image_id}/import) image-create-via-import(new API for
image create) API.
If glance community restricts traditional Method A (image upload) for
normal user then it will also impact Method B (POST
/v2/images/{image_id}/import) image-import call thus normal user won't
be able to import image using image-create-via-import(new API for
image create).
The 'upload-image' and 'import image' shares same policy.
Steps to reproduce:
Case 1: Restrict the normal user to upload-image
1. Modify the /etc/glance/policy.json
"upload_image": "role:demo",
2. Create the image
$ glance image-create --name test --property test=tyest --file
spec_and_blueprint_content.txt -- container-format bare --disk-format qcow2
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2017-11-13T07:02:41Z |
| disk_format | qcow2 |
| id | d719c5fb-4907-4b8d-b219-18a2743b82b6 |
| min_disk | 0 |
| min_ram | 0 |
| name | test |
| owner | d2b9f7372d2e481ca13a16bd526f9f14 |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| test | tyest |
| updated_at | 2017-11-13T07:02:41Z |
| virtual_size | None |
| visibility | shared |
+------------------+--------------------------------------+
403 Forbidden: Not allowed to upload image data for image d719c5fb-4907-4b8d-
b219-18a2743b82b6: You are not authorized to complete upload_image action.
(HTTP 403)
Case 2: Now normal user wants to create the image using image-create-
via-import api but it will not allow to import the image as the policy
is set in the first case.
$ glance image-create-via-import --name test --file
spec_and_blueprint_content.txt --container-format bare --disk-format raw --
property os_distro=xyz
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2017-11-13T07:23:25Z |
| disk_format | raw |
| id | 7e0bc1c4-7024-43cb-b75c-2a5629f8ded9 |
| min_disk | 0 |
| min_ram | 0 |
| name | test |
| os_distro | xyz |
| owner | d2b9f7372d2e481ca13a16bd526f9f14 |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2017-11-13T07:23:25Z |
| virtual_size | None |
| visibility | shared |
+------------------+--------------------------------------+
403 Forbidden: Not allowed to upload image data for image 7e0bc1c4-7024-43cb-
b75c2a5629f8ded9: You are not authorized to complete upload_image action. (HTTP
403)
So to overcome this we will need to add the separate policy for import
image in policy.json
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1732141/+subscriptions
References
