There are two methods to create images:

Method A)
POST /v2/images
PUT /v2/images/{image_id}/file

Method B)
POST /v2/images
PUT /v2/images/{image_id}/stage
POST /v2/images/{image_id}/import
The Glance community has a long-term plan to restrict Method A (the traditional upload) so that normal users can no longer create images that way.
The traditional image upload API (PUT /v2/images/{image_id}/file) is gated by the 'upload_image' policy, and the image-import call of Method B (POST /v2/images/{image_id}/import, used by the new image-create-via-import API) is gated by that same policy.
If the Glance community restricts Method A for normal users, the restriction will therefore also hit the Method B import call, and normal users will be unable to create images via image-create-via-import as well.
In short, 'upload_image' (traditional upload) and image import share one policy rule.
Steps to reproduce:
Case 1: Restrict normal users from uploading image data
1. Modify /etc/glance/policy.json so that only holders of the demo role may upload image data:
"upload_image": "role:demo",
2. Create the image as a user who does not hold that role:
$ glance image-create --name test --property test=tyest --file spec_and_blueprint_content.txt --container-format bare --disk-format qcow2
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2017-11-13T07:02:41Z |
| disk_format | qcow2 |
| id | d719c5fb-4907-4b8d-b219-18a2743b82b6 |
| min_disk | 0 |
| min_ram | 0 |
| name | test |
| owner | d2b9f7372d2e481ca13a16bd526f9f14 |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| test | tyest |
| updated_at | 2017-11-13T07:02:41Z |
| virtual_size | None |
| visibility | shared |
+------------------+--------------------------------------+
403 Forbidden: Not allowed to upload image data for image d719c5fb-4907-4b8d-b219-18a2743b82b6: You are not authorized to complete upload_image action. (HTTP 403)
Case 2: The same normal user now tries to create the image through the image-create-via-import API. The import is refused as well, because the policy set in Case 1 gates this call too.
$ glance image-create-via-import --name test --file spec_and_blueprint_content.txt --container-format bare --disk-format raw --property os_distro=xyz
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2017-11-13T07:23:25Z |
| disk_format | raw |
| id | 7e0bc1c4-7024-43cb-b75c-2a5629f8ded9 |
| min_disk | 0 |
| min_ram | 0 |
| name | test |
| os_distro | xyz |
| owner | d2b9f7372d2e481ca13a16bd526f9f14 |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2017-11-13T07:23:25Z |
| virtual_size | None |
| visibility | shared |
+------------------+--------------------------------------+
403 Forbidden: Not allowed to upload image data for image 7e0bc1c4-7024-43cb-b75c-2a5629f8ded9: You are not authorized to complete upload_image action. (HTTP 403)
To overcome this, a separate policy rule for image import needs to be added to policy.json, so that the import path can be governed independently of the traditional upload path.
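The mechanism behind Cases 1 and 2, as an added example that is not Glance's own code: a small Python model of policy.json enforcement. It implements only the subset of oslo.policy rule syntax the report relies on (an empty rule or "@" allows everyone, "!" denies, role:<name>, rule:<name>, and " and " / " or " chains without parentheses), maps each API call to the rule the report says it enforces, and shows that with both calls bound to upload_image a normal user is stopped on both paths, whereas a separate import_image rule (a hypothetical name assumed here, not a rule Glance defines) lets the import succeed while the traditional upload stays restricted. The route table, the default and add_image entries, the user's roles and the stop-at-first-403 flow are constructed for the example; the stage call is left out because the report does not say which rule it checks.

```python
"""Model of how one policy.json rule gates both Glance image-upload paths.

Added example, not Glance code. Implements the small subset of oslo.policy
rule syntax used in the report: "" / "@" allow everyone, "!" denies,
"role:<name>", "rule:<name>", and " and " / " or " chains (no parentheses).
"""
import json

# Case 1 of the report: only holders of the demo role may upload image data.
# "default" and "add_image" are permissive filler entries for the model.
POLICY_JSON_BEFORE = json.dumps({
    "default": "",
    "add_image": "",
    "upload_image": "role:demo",
})

# Hypothetical fix: a dedicated rule for the import call ("import_image" is
# an assumed name for illustration, not a rule Glance ships).
POLICY_JSON_AFTER = json.dumps({
    "default": "",
    "add_image": "",
    "upload_image": "role:demo",
    "import_image": "rule:default",
})

# Which rule each API call enforces. Both data-carrying calls share
# "upload_image", as the report describes; the stage call is not modelled.
ROUTES_BEFORE = {
    ("POST", "/v2/images"): "add_image",
    ("PUT", "/v2/images/{image_id}/file"): "upload_image",
    ("POST", "/v2/images/{image_id}/import"): "upload_image",
}
ROUTES_AFTER = {**ROUTES_BEFORE,
                ("POST", "/v2/images/{image_id}/import"): "import_image"}

METHOD_A = [("POST", "/v2/images"), ("PUT", "/v2/images/{image_id}/file")]
METHOD_B = [("POST", "/v2/images"), ("POST", "/v2/images/{image_id}/import")]


def _check(term, roles, rules, depth):
    """Evaluate one check such as 'role:demo' or 'rule:default'."""
    term = term.strip()
    if term in ("", "@"):
        return True
    if term == "!":
        return False
    kind, _, value = term.partition(":")
    if kind == "role":
        return value.lower() in {r.lower() for r in roles}
    if kind == "rule":
        return _evaluate(rules.get(value, "!"), roles, rules, depth + 1)
    raise ValueError("unsupported check: %r" % term)


def _evaluate(rule, roles, rules, depth=0):
    """'and' binds tighter than 'or', as in oslo.policy."""
    if depth > 10:  # guard against self-referential rule definitions
        raise ValueError("rule recursion too deep")
    return any(all(_check(t, roles, rules, depth) for t in clause.split(" and "))
               for clause in rule.split(" or "))


def authorize(policy_json, routes, method, path, roles):
    """True if a caller holding `roles` may make this call under the policy."""
    rules = json.loads(policy_json)
    rule_name = routes[(method, path)]
    rule = rules.get(rule_name, rules.get("default", "!"))  # missing rule -> default
    return _evaluate(rule, roles, rules)


def run_flow(policy_json, routes, steps, roles):
    """Per-step decisions for a create-image flow, stopping at the first 403."""
    decisions = []
    for method, path in steps:
        allowed = authorize(policy_json, routes, method, path, roles)
        decisions.append((method, path, allowed))
        if not allowed:
            break
    return decisions


def shared_rules(routes):
    """Rules enforced by more than one API call: tightening one tightens all."""
    by_rule = {}
    for route, rule in routes.items():
        by_rule.setdefault(rule, []).append(route)
    return {rule: sorted(r) for rule, r in by_rule.items() if len(r) > 1}


if __name__ == "__main__":
    user = ["member"]  # a normal user without the demo role (constructed)
    for label, policy, routes in (("before", POLICY_JSON_BEFORE, ROUTES_BEFORE),
                                  ("after", POLICY_JSON_AFTER, ROUTES_AFTER)):
        print(label, "shared rules:", shared_rules(routes))
        print("  Method A:", run_flow(policy, routes, METHOD_A, user))
        print("  Method B:", run_flow(policy, routes, METHOD_B, user))
```

shared_rules() is the check worth running against a real policy file and route table before tightening any rule: every rule it reports is one whose restriction will land on more than one API call, which is exactly what happened to the import path here.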