Add a policy to control copy-from functionality

Bug #1153614 reported by Stuart McLaren
Affects: Glance
Status: Fix Released
Importance: Medium
Assigned to: John Bresnahan

Bug Description

It might be useful to have a policy to control whether the copy-from functionality can be used or not, e.g.:

$ cat /etc/glance/policy.json
{
    "default": "",
    "manage_image_cache": "role:admin",
    "publicize_image": "role:admin",
    "copy_from": "role:admin" <<<
}

This would allow an operator to enable/disable the copy-from functionality for regular users and, if desired, prevent data being copied from 'external' sources.

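Added example (not part of the bug report and not Glance's enforcement code, which used the openstack.common policy module at the time): a minimal evaluator for a policy.json of the shape proposed above, showing how a "copy_from" rule keyed on role:admin admits an admin request and refuses a regular user, and why the "default" rule matters. The policy text is a constructed copy of the one in the report; the rule grammar supported here ("" allow-all, "!" deny, "role:<name>", "rule:<name>", alternatives joined by " or ") is an assumed subset chosen for the example, and the unlisted action name used at the end is hypothetical.

```python
"""
Minimal role-based policy check for a Glance-style policy.json.

Added example, not Glance's own enforcer. Supports only an assumed
subset of the rule language: "" (allow everyone), "!" (deny),
"role:<name>", "rule:<name>" and alternatives joined by " or ".
"""
import json

# Constructed policy.json mirroring the one proposed in the bug report.
POLICY_JSON = """
{
    "default": "",
    "manage_image_cache": "role:admin",
    "publicize_image": "role:admin",
    "copy_from": "role:admin"
}
"""


def load_policy(text):
    """Parse policy.json into a dict of action -> rule string."""
    return json.loads(text)


def _check_rule(rule, roles, policy, depth=0):
    """Evaluate one rule string against the roles carried by a request."""
    if depth > 10:
        # guard against "rule:a" -> "rule:a" reference loops
        raise ValueError("policy rule recursion too deep")
    rule = rule.strip()
    if rule == "":
        return True
    if rule == "!":
        return False
    if " or " in rule:
        return any(_check_rule(part, roles, policy, depth + 1)
                   for part in rule.split(" or "))
    kind, _, value = rule.partition(":")
    if kind == "role":
        # role names are matched case-insensitively in this example
        return value.lower() in {r.lower() for r in roles}
    if kind == "rule":
        # a reference to a rule that does not exist denies, not allows
        return _check_rule(policy.get(value, "!"), roles, policy, depth + 1)
    raise ValueError("unsupported rule: %r" % rule)


def enforce(policy, action, roles):
    """Return True if a request carrying `roles` may perform `action`.

    An action that is not listed falls back to the "default" rule, so a
    deployment that wants copy_from restricted has to name it explicitly;
    with "default": "" an unlisted copy_from would be open to everyone.
    """
    rule = policy.get(action, policy.get("default", "!"))
    return _check_rule(rule, roles, policy)


def can_copy_from(policy, roles):
    """The check a copy-from request handler would make before fetching."""
    return enforce(policy, "copy_from", roles)


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    print(can_copy_from(policy, ["admin"]))    # True
    print(can_copy_from(policy, ["member"]))   # False
    # hypothetical unlisted action: falls back to "default", which is ""
    print(enforce(policy, "some_unlisted_action", ["member"]))  # True
```

The last call is the operational caveat: with "default": "" the restriction only exists for actions that are spelled out, so an operator who copies a policy file from an older release without the new "copy_from" key has not actually closed copy-from off.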
Changed in glance:
milestone: none → havana-1
importance: Undecided → Medium
status: New → Triaged
Changed in glance:
assignee: nobody → John Bresnahan (jbresnah)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/25591

Changed in glance:
status: Triaged → In Progress
Mark Washenberger (markwash) wrote:

Is there ever a reason to have "copy_from" restrict differently than "image_upload"? I suspect the answer is yes, but I want to understand why.

John Bresnahan (jbresnah) wrote:

Mark, here are a couple of reasons that I thought of (though none come from a real-world scenario that I have seen):

A malicious user could use copy_from functionality to use Glance to download data and avoid having their IP address known/logged/blocked.

Host-based authentication could be put in place by a repository such that the Glance server is the only endpoint allowed to download data; thus copy_from (or --location) would be the only way for users to access it. An admin may want to limit which users could access it.

This question dovetails with another that I had. Should there be a whitelist or blacklist of hosts/URLs with which Glance will allow the use of copy_from or location?

Stuart McLaren (stuart-mclaren) wrote:

Hi Mark,

The copy_from policy could be considered one of the pieces required to support an implied policy: only allow data upload/download via the API endpoint, i.e. if you combine it with set_image_location and also pare down the 'known_stores' store types, this is the behaviour you get.

Why might you want to turn off copy_from?

1) Network hardware: you may want all data to be pushed through your load balancers/rate limiters. Copy-from means uploaded data would go straight to your server, bypassing the usual upload path.
2) Secure sites: you may have a site policy mandating that all traffic uses SSL. If the swift store is enabled you could copy from a plain http swift store.

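Added example (not part of this thread and not Glance code): a source-URL check of the kind John's whitelist/blacklist question and Stuart's SSL point would call for, applied to a copy_from (or location) URL before anything is fetched. It enforces an allowlist or denylist of hosts and, for a site that mandates TLS, rejects plain http and swift+http sources. The host names and URLs are constructed for the example, the option names are hypothetical, and the set of URL schemes a deployment accepts is an assumption passed in by the caller.

```python
"""
Host allowlist/denylist and TLS check for copy_from source URLs.

Added example, not Glance code. Names, hosts and defaults are assumed.
"""
from urllib.parse import urlsplit


class CopyFromRejected(Exception):
    """Raised when a copy_from source URL violates site policy."""


def check_copy_from_url(url, allowed_schemes=("http", "https"),
                        allowed_hosts=None, denied_hosts=(),
                        require_tls=False):
    """Validate a copy_from source URL before the server would fetch it.

    allowed_schemes: URL schemes the deployment accepts at all (assumed list).
    allowed_hosts:   permitted host names; None means any host not denied.
    denied_hosts:    host names that are always rejected (blacklist).
    require_tls:     reject any scheme that is not TLS-carrying, which
                     covers both "http" and a "swift+http" store URL.
    Returns the split URL on success, raises CopyFromRejected otherwise.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in {s.lower() for s in allowed_schemes}:
        raise CopyFromRejected("unsupported scheme %r" % parts.scheme)
    if require_tls and not scheme.endswith("https"):
        raise CopyFromRejected("site policy requires TLS, got %r" % parts.scheme)

    host = parts.hostname  # already lower-cased by urlsplit, None if absent
    if not host:
        raise CopyFromRejected("source URL has no host")
    if host in {h.lower() for h in denied_hosts}:
        raise CopyFromRejected("host %r is on the denylist" % host)
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        raise CopyFromRejected("host %r is not on the allowlist" % host)
    return parts


def is_allowed(url, **options):
    """Boolean wrapper around check_copy_from_url for a request handler."""
    try:
        check_copy_from_url(url, **options)
        return True
    except CopyFromRejected:
        return False


if __name__ == "__main__":
    # constructed site policy: TLS only, images come from one mirror
    site = dict(allowed_hosts=["images.example.com"], require_tls=True)
    print(is_allowed("https://images.example.com/cirros.img", **site))  # True
    print(is_allowed("http://images.example.com/cirros.img", **site))   # False
    print(is_allowed("https://mirror.example.net/cirros.img", **site))  # False
```

The scheme check runs before the host check on purpose: a URL whose scheme the deployment never accepts should not get as far as host parsing, and the TLS rule is expressed as "scheme ends with https" so that a store URL such as swift+http is caught by the same rule as plain http.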
OpenStack Infra (hudson-openstack) wrote: Fix merged to glance (master)

Reviewed: https://review.openstack.org/25591
Committed: http://github.com/openstack/glance/commit/b1ac90f7914d91b25144cc4063fa994fb5019ee3
Submitter: Jenkins
Branch: master

commit b1ac90f7914d91b25144cc4063fa994fb5019ee3
Author: John Bresnahan <email address hidden>
Date: Wed Mar 27 14:03:38 2013 -1000

    Add a policy handler to control copy-from functionality

    This patch adds the ability to set a policy handler to control what
    users can use the 'copy_from' feature in the v1 API.

    Fixes bug: 1153614

    Change-Id: Ie194979a2aa66c9327bf14d7a85ead6f773a6079

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: havana-1 → 2013.2