We should try to prevent users setting 'status' via v1, but without breaking
existing benign API calls such as these.
I've adopted the following approach (which has some prior art in 'protected properties').
If a PUT request is received which contains an x-image-meta-status header:
* The user provided status is ignored if it matches the current image
status (this prevents benign calls such as the nova one above from
breaking). The usual code (eg 200) will be returned.
* If the user provided status doesn't match the current image status (ie
there is a real attempt to change the value) 403 will be returned. This
will break any calls which currently intentionally change the status.
Reviewed: https://review.openstack.org/226336
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=34f9f037136061f7437761e86ea9f0864b297619
Submitter: Jenkins
Branch: master
commit 34f9f037136061f7437761e86ea9f0864b297619
Author: Stuart McLaren <email address hidden>
Date: Tue Aug 11 10:37:09 2015 +0000
Prevent image status being directly modified via v1
Users shouldn't be able to change an image's status directly via the
v1 API.
Some existing consumers of Glance set the x-image-meta-status header in
requests to the Glance API, eg:
https://github.com/openstack/nova/blob/master/plugins/xenserver/xenapi/etc/xapi.d/plugins/glance#L184
We should try to prevent users setting 'status' via v1, but without breaking
existing benign API calls such as these.
I've adopted the following approach (which has some prior art in 'protected properties').
If a PUT request is received which contains an x-image-meta-status header:
* The user provided status is ignored if it matches the current image
status (this prevents benign calls such as the nova one above from
breaking). The usual code (eg 200) will be returned.
* If the user provided status doesn't match the current image status (ie
there is a real attempt to change the value) 403 will be returned. This
will break any calls which currently intentionally change the status.
APIImpact
Closes-bug: 1482371
Change-Id: I44fadf32abb57c962b67467091c3f51c1ccc25e6
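
The check described in the commit message above, sketched as an added example. This is not Glance's code: the function names, the dict-based image record and the Forbidden exception are assumptions made for illustration.

```python
# Added illustration; all names here are hypothetical, not Glance's own code.
META_PREFIX = "x-image-meta-"


class Forbidden(Exception):
    """Stands in for the HTTP 403 response of the (assumed) API layer."""


def metadata_from_headers(headers):
    """Collect x-image-meta-* headers; HTTP header names are case-insensitive."""
    meta = {}
    for name, value in headers.items():
        lowered = name.lower()
        if lowered.startswith(META_PREFIX):
            meta[lowered[len(META_PREFIX):]] = value.strip()
    return meta


def apply_v1_update(image, headers):
    """Apply a PUT's metadata to `image` without letting the caller set 'status'.

    Returns 200 on success; raises Forbidden before any field is written
    when the supplied status differs from the stored one.
    """
    meta = metadata_from_headers(headers)
    if "status" in meta:
        requested = meta.pop("status")  # never copied into the image record
        if requested != image["status"]:
            # A real attempt to change the value: reject the whole request.
            raise Forbidden("image status cannot be modified via v1")
        # Same as the current status: a benign echo, silently ignored.
    image.update(meta)
    return 200


def demo():
    # Constructed sample image record and requests.
    image = {"id": "constructed-id", "status": "queued", "name": "old"}
    benign = {"X-Image-Meta-Status": "queued", "X-Image-Meta-Name": "new"}
    code = apply_v1_update(image, benign)
    changing = {"x-image-meta-status": "active", "x-image-meta-name": "other"}
    try:
        apply_v1_update(image, changing)
        rejected = False
    except Forbidden:
        rejected = True
    return code, rejected, image
```

Rejecting before `image.update` means a request that carries a mismatched status cannot partially apply its other metadata.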