Add a policy to control copy-from functionality

Bug #1153614 reported by Stuart McLaren on 2013-03-11
This bug affects 1 person
Affects: glance | Status: Fix Released | Importance: Medium | Assigned to: John Bresnahan | Milestone: 2013.2

Bug Description

It might be useful to have a policy to control whether the copy-from functionality can be used or not, eg:

$ cat /etc/glance/policy.json
{
    "default": "",
    "manage_image_cache": "role:admin",
    "publicize_image": "role:admin",
    "copy_from": "role:admin"    <<<
}

This would allow an operator to enable/disable the copy-from functionality for regular users and, if desired, prevent data being copied from 'external' sources.

Changed in glance:
milestone: none → havana-1
importance: Undecided → Medium
status: New → Triaged
Changed in glance:
assignee: nobody → John Bresnahan (jbresnah)

Fix proposed to branch: master

Changed in glance:
status: Triaged → In Progress
Mark Washenberger (markwash) wrote :

Is there ever a reason to have "copy_from" restrict differently than "image_upload"? I suspect the answer is yes, but I want to understand why.

John Bresnahan (jbresnah) wrote :

Mark, here are a couple of reasons that I thought of (though none come from a real-world scenario that I have seen):

A malicious user could use copy_from functionality to use Glance to download data and avoid having their IP address known/logged/blocked.

Host-based authentication could be put in place by a repository such that the Glance server is the only endpoint allowed to download data, thus copy_from (or --location) would be the only way for users to access it. An admin may want to limit which users could access it.

This question dovetails into another that I had. Should there be a whitelist or blacklist of host/urls with which Glance will allow the use of copy_from or location?

Stuart McLaren (stuart-mclaren) wrote :

Hi Mark,

The copy_from policy could be considered one of the pieces required to support an implied policy: only allow data upload/download via the API endpoint, i.e. if you combine it with set_image_location and also pare down the 'known_stores' store types, this is the behaviour you get.

Why might you want to turn off copy_from?

1) Network hardware: you may want all data to be pushed through your load balancers/rate limiters. The copy-from means uploaded data would go straight to your server, bypassing the usual upload path.
2) Secure sites: you may have a site policy mandating that all traffic uses SSL. If the swift store is enabled you could copy from a plain http swift store.
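To make the interplay concrete, the following is an added example (written for this page, not Glance's own policy engine or API code) that models how a policy.json rule such as the reporter's "copy_from": "role:admin" gates the v1 copy-from feature, and how Stuart's combination of copy_from, set_image_location and a pared-down store list ends up forcing all image data through the API endpoint. Only the rule forms "" (allow everyone), "role:<name>" and "rule:<other_rule>" are modelled; the policy contents, the store whitelist, the helper names and the assumption that copy-from and location are mutually exclusive are all assumptions made for illustration. The v1 header names x-glance-api-copy-from and x-image-meta-location are the ones the v1 API uses.

```python
"""Added example: a toy model of Glance-style policy.json enforcement for
copy_from / set_image_location, combined with a store-scheme whitelist.
Not Glance's own code; names and data below are constructed for the demo."""
import json

# Constructed policy.json: the hardened variant discussed in the bug.
HARDENED_POLICY = json.loads("""
{
    "default": "",
    "manage_image_cache": "role:admin",
    "publicize_image": "role:admin",
    "copy_from": "role:admin",
    "set_image_location": "role:admin"
}
""")

# Permissive baseline: copy_from/set_image_location fall back to "default".
PERMISSIVE_POLICY = {
    "default": "",
    "manage_image_cache": "role:admin",
    "publicize_image": "role:admin",
}

# Constructed whitelist of URL schemes the operator leaves enabled; dropping
# plain "http" here is the 'known_stores' piece of the combined policy.
KNOWN_STORE_SCHEMES = {"swift+https", "file"}


def check(policy, action, roles):
    """Evaluate policy[action] (falling back to policy["default"]) for roles."""
    rule = policy.get(action, policy.get("default", ""))
    if rule == "":
        return True                       # empty rule: everyone passes
    kind, _, arg = rule.partition(":")
    if kind == "role":
        return arg in roles
    if kind == "rule":
        return check(policy, arg, roles)  # indirection to another named rule
    raise ValueError("unsupported rule form: %r" % rule)


def authorize_request(policy, headers, roles, known_schemes=KNOWN_STORE_SCHEMES):
    """Decide whether a v1 image-create request may take its data from a
    remote source. Returns (allowed, reason)."""
    copy_from = headers.get("x-glance-api-copy-from")
    location = headers.get("x-image-meta-location")
    if copy_from and location:
        # Assumption for this model: the two source mechanisms are exclusive.
        return False, "copy-from and location are mutually exclusive"
    if copy_from:
        if not check(policy, "copy_from", roles):
            return False, "policy copy_from denied"
        url = copy_from
    elif location:
        if not check(policy, "set_image_location", roles):
            return False, "policy set_image_location denied"
        url = location
    else:
        return True, "direct upload"      # data arrives through the API endpoint
    # Second gate: even an admin can only reference stores that are enabled.
    scheme = url.split("://", 1)[0].lower()
    if scheme not in known_schemes:
        return False, "store %r not enabled" % scheme
    return True, "remote source permitted"


if __name__ == "__main__":
    req = {"x-glance-api-copy-from": "http://mirror.example/img.qcow2"}
    print("member:", authorize_request(HARDENED_POLICY, req, ["member"]))
    print("admin: ", authorize_request(HARDENED_POLICY, req, ["admin"]))
    print("upload:", authorize_request(HARDENED_POLICY, {}, ["member"]))
```

Three gates end up in series: the per-action policy rule, the fallback to "default" when an action has no rule (which is exactly why a permissive policy.json silently allows copy-from for everyone), and the store whitelist, which still refuses a plain-http source even for an admin who passes the policy check.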

Submitter: Jenkins
Branch: master

commit b1ac90f7914d91b25144cc4063fa994fb5019ee3
Author: John Bresnahan <email address hidden>
Date: Wed Mar 27 14:03:38 2013 -1000

    Add a policy handler to control copy-from functionality

    This patch adds the ability to set a policy handler to control what
    users can use the 'copy_from' feature in the v1 API.

    Fixes bug: 1153614

    Change-Id: Ie194979a2aa66c9327bf14d7a85ead6f773a6079

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-05-29
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in glance:
milestone: havana-1 → 2013.2