interoperable image import requires exposing the tasks api

Bug #1711468 reported by Brian Rosmaita
Affects: Glance | Status: Fix Released | Importance: Critical | Assigned to: Brian Rosmaita | Milestone: (none)

Bug Description

The Tasks API was made admin-only in Mitaka by changing the get_task, get_tasks, add_task, and modify_task policies to require "role:admin" by default. The interoperable image import process introduced in Pike requires an ordinary user to have (at least) the add_task permission (although the user does not create the task directly, and in fact, should have no knowledge that a task is being used behind the scenes to do the image import).

We need a way to allow non-admin credentials to manipulate tasks, but not allow access to tasks directly via the Tasks API.

It would be nice to get this resolved in Pike. Otherwise operators may not want to try out the interoperable image import.
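The policy split the report asks for, as an added example (not glance code and not the merged patch): a small model of the two policy checks in front of tasks, the per-operation rules (`get_task`, `add_task`, ...) that glance evaluates whenever it touches a task, and a separate `tasks_api_access` gate that only the Tasks API controller evaluates. The rule evaluator is a minimal stand-in for oslo.policy that understands only `""`, `"!"`, `"@"`, `role:<name>`, `rule:<name>` and `" or "`; the default values in the two policy dicts are an assumption about the Mitaka and post-fix policy files, and `audit()` is a hypothetical operator check, not a glance feature.

```python
"""Model of the tasks policy arrangement discussed in this bug.

Added example, not glance code. The policy dicts mirror the shape of
glance's policy.json; the evaluator is a minimal stand-in for oslo.policy
and the rule values are assumptions, not the project's exact defaults.
"""

# Mitaka-style policy (assumed): every task operation is admin-only, so any
# code path that needs add_task, including the import engine running on
# behalf of an ordinary user, is refused.
MITAKA_POLICY = {
    "get_task": "role:admin",
    "get_tasks": "role:admin",
    "add_task": "role:admin",
    "modify_task": "role:admin",
}

# Post-fix policy (assumed values): direct Tasks API calls must pass the
# 'tasks_api_access' gate, while the per-operation rules are open so that
# glance can create and update a task for a non-admin import request.
FIXED_POLICY = {
    "tasks_api_access": "role:admin",
    "get_task": "",
    "get_tasks": "",
    "add_task": "",
    "modify_task": "",
}


def evaluate(rule, roles, policy):
    """Evaluate one rule string against the caller's set of role names."""
    rule = rule.strip()
    if rule in ("", "@"):          # empty rule or "@": always allowed
        return True
    if rule == "!":                # "!": always denied
        return False
    if " or " in rule:
        return any(evaluate(part, roles, policy) for part in rule.split(" or "))
    if rule.startswith("role:"):
        return rule[len("role:"):] in roles
    if rule.startswith("rule:"):
        return evaluate(policy[rule[len("rule:"):]], roles, policy)
    raise ValueError("unsupported rule syntax in this model: %r" % rule)


def enforce(action, roles, policy):
    """Check an action; an action absent from the file is denied here
    (this model's choice, not a statement about oslo.policy's defaults)."""
    return evaluate(policy.get(action, "!"), roles, policy)


def tasks_api_create(roles, policy):
    """A caller hitting the Tasks API directly (e.g. POST /v2/tasks).

    With the fix the controller first checks the API gate, then the
    per-operation rule; a policy without the gate falls back to the
    per-operation rule alone, as in Mitaka.
    """
    if "tasks_api_access" in policy and not enforce("tasks_api_access", roles, policy):
        return False
    return enforce("add_task", roles, policy)


def image_import(roles, policy):
    """Interoperable image import: glance creates the task internally on
    the user's behalf, so only the per-operation rule is evaluated. The
    user never calls the Tasks API and need not know a task exists."""
    return enforce("add_task", roles, policy)


def audit(policy, user_roles=frozenset({"member"})):
    """Hypothetical operator sanity check: list the ways a policy file
    breaks the intended arrangement for an ordinary (non-admin) caller."""
    findings = []
    if "tasks_api_access" not in policy:
        findings.append("no tasks_api_access rule: Tasks API is gated only by per-operation rules")
    elif enforce("tasks_api_access", user_roles, policy):
        findings.append("tasks_api_access admits non-admins: Tasks API is exposed directly")
    if not image_import(user_roles, policy):
        findings.append("add_task denies non-admins: interoperable image import fails for them")
    return findings


if __name__ == "__main__":
    for name, policy in (("mitaka", MITAKA_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "member import:", image_import({"member"}, policy),
              "member tasks API:", tasks_api_create({"member"}, policy),
              "findings:", audit(policy))
```

The point to take from the model is the one the commit message makes: locking the Tasks API by setting `add_task` to `role:admin` also locks every internal consumer of tasks, whereas a dedicated API gate leaves the per-operation rules free to be as permissive as the import flow needs. An operator who later tightens `add_task` back to `role:admin` silently breaks non-admin image import, which is what the `audit()` check is meant to catch.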

Changed in glance:
assignee: nobody → Brian Rosmaita (brian-rosmaita)
importance: Undecided → Critical
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/494732

Changed in glance:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/494732
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=b90ad2524fd1c80e33930191b415c67a91904fd9
Submitter: Jenkins
Branch: master

commit b90ad2524fd1c80e33930191b415c67a91904fd9
Author: Brian Rosmaita <email address hidden>
Date: Thu Aug 17 18:21:25 2017 -0400

    Add 'tasks_api_access' policy

    The Tasks API was made admin-only in Mitaka to prevent it from being
    exposed directly to end users. The interoperable image import
    process introduced in Pike uses the tasks engine to perform the
    import. This patch introduces a new policy, 'tasks_api_access',
    that determines whether a user can make Tasks API calls.

    The currently existing task-related policies are retained so that
    operators can have fine-grained control over tasks. With this
    new policy, operators can restrict Tasks API access to admins,
    while at the same time, admin-level credentials are not required
    for glance to perform task-related functions on behalf of users.

    Change-Id: I3f66f7efa7c377d999a88457fc6492701a894f34
    Closes-bug: #1711468

Changed in glance:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/495378

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (stable/pike)

Reviewed: https://review.openstack.org/495378
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=f6d384f1849cb2a20cbd510b622ff318719a8fce
Submitter: Jenkins
Branch: stable/pike

commit f6d384f1849cb2a20cbd510b622ff318719a8fce
Author: Brian Rosmaita <email address hidden>
Date: Thu Aug 17 18:21:25 2017 -0400

    Add 'tasks_api_access' policy

    The Tasks API was made admin-only in Mitaka to prevent it from being
    exposed directly to end users. The interoperable image import
    process introduced in Pike uses the tasks engine to perform the
    import. This patch introduces a new policy, 'tasks_api_access',
    that determines whether a user can make Tasks API calls.

    The currently existing task-related policies are retained so that
    operators can have fine-grained control over tasks. With this
    new policy, operators can restrict Tasks API access to admins,
    while at the same time, admin-level credentials are not required
    for glance to perform task-related functions on behalf of users.

    Change-Id: I3f66f7efa7c377d999a88457fc6492701a894f34
    Closes-bug: #1711468
    (cherry picked from commit b90ad2524fd1c80e33930191b415c67a91904fd9)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance 15.0.0.0rc2

This issue was fixed in the openstack/glance 15.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance 16.0.0.0b1

This issue was fixed in the openstack/glance 16.0.0.0b1 development milestone.
