Comment 2 for bug 1669630

After checking the glance API model, I start to think a new API sounds appropriate.

I checked the sharing feature of glance API. Glance image sharing is an opt-out model.
The API is described at [0] and the concept.
"member" can take three status "pending", "accepted" and "rejected".
Image with pending status is not visible in the default image list, but they can use the image to boot an instance.
This looks a good balance of opt-in and opt-out.

In our current API of neutron RBAC, shared networks are listed in network list, so even if we adopt the model similar to glance one, the API behavior would be backward incompatible. A new API sounds better to me now.

[0] https://developer.openstack.org/api-ref/image/v2/index.html#sharing
[1] http://specs.openstack.org/openstack/glance-specs/specs/api/v2/sharing-image-api-v2.html#producer-consumer-communication
[2] http://specs.openstack.org/openstack/glance-specs/specs/api/v2/sharing-image-api-v2.html#image-member-status-values