I'm guessing some non-default configuration options are required to enable this? (eg, show_image_direct_url?)
cfg.BoolOpt('show_image_direct_url', default=False, help=_('Whether to include the backend image storage location ' 'in image properties. Revealing storage location can ' 'be a security risk, so use this setting with ' 'caution!')),
> sets custom location
Does this also need a non-default config option?
cfg.BoolOpt('show_multiple_locations', default=False, help=_('Whether to include the backend image locations ' 'in image properties. ' 'For example, if using the file system store a URL of ' '"file:///path/to/image" will be returned to the user ' 'in the \'direct_url\' meta-data field. ' 'Revealing storage location can ' 'be a security risk, so use this setting with ' 'caution! ' 'Setting this to true overrides the ' 'show_image_direct_url option.')),
Should we plan to restrict the xxx_image_location policies by default? eg,
"set_image_location": "",
In your example you're using the rbd store. Is there a set of options which allow using that store safely? eg can show_image_direct_url be set to 'false' and show_multiple_locations be set false for that store?
It seems that this may be worse for some stores than others. Eg if users have configured the swift store the old fashioned way they may get the credentials for the swift single tenant user -- allowing deleting *all* users' images, including private images, and also injecting bad images (though the checksum will provide some protection).
If access to the locations via the Glance API is required for some stores to work, should we consider restricting their display to 'admins' or the image owner by default?
Thanks Mike.
I'm guessing some non-default configuration options are required to enable this? (eg, show_image_ direct_ url?)
cfg. BoolOpt( 'show_image_ direct_ url', default=False,
help= _('Whether to include the backend image storage location '
'in image properties. Revealing storage location can '
'be a security risk, so use this setting with '
'caution! ')),
> sets custom location
Does this also need a non-default config option?
cfg. BoolOpt( 'show_multiple_ locations' , default=False,
help= _('Whether to include the backend image locations '
'in image properties. '
'For example, if using the file system store a URL of '
'"file: ///path/ to/image" will be returned to the user '
'in the \'direct_url\' meta-data field. '
'Revealing storage location can '
'be a security risk, so use this setting with '
'caution! '
'Setting this to true overrides the '
'show_ image_direct_ url option.')),
Should we plan to restrict the xxx_image_location policies by default? eg,
"set_ image_location" : "",
In your example you're using the rbd store. Is there a set of options which allow using that store safely? eg can show_image_ direct_ url be set to 'false' and show_multiple_ locations be set false for that store?
It seems that this may be worse for some stores than others. Eg if users have configured the swift store the old fashioned way they may get the credentials for the swift single tenant user -- allowing deleting *all* users' images, including private images, and also injecting bad images (though the checksum will provide some protection).
If access to the locations via the Glance API is required for some stores to work, should we consider restricting their display to 'admins' or the image owner by default?