Make the task's API admin only by default

One of the goals of this spec is to improve the image import process and allow for other background operations to be executed when the image data is added. This supersedes the need of the task endpoint that we'll slowly deprecate. As part of this spec, we should make it admin only and warn deployers that this API is going to be deprecated. MitakaPriority DocImpact: Tasks API is now admin only. Deployments depending on this API need to make sure they make it accessible for non-admins. Closes-bug: #1527716 Partially-blueprint: image-import-refactor Change-Id: I28cb69ea730ae58b9aed1dd43b68305dbbf132c1
2016-01-08 16:38:49 -04:30 · 2016-01-08 16:38:49 -04:30 · 8f0d6ea9c5
commit 8f0d6ea9c5
parent bdee4bbbed
5 changed files with 43 additions and 9 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -25,10 +25,10 @@

    "manage_image_cache": "role:admin",

-    "get_task": "",
-    "get_tasks": "",
-    "add_task": "",
-    "modify_task": "",
+    "get_task": "role:admin",
+    "get_tasks": "role:admin",
+    "add_task": "role:admin",
+    "modify_task": "role:admin",

    "deactivate": "",
    "reactivate": "",
--- a/glance/api/v2/tasks.py
+++ b/glance/api/v2/tasks.py
@ -16,6 +16,7 @@

 import copy

+import debtcollector
 import glance_store
 from oslo_config import cfg
 from oslo_log import log as logging
@ -42,6 +43,14 @@ LOG = logging.getLogger(__name__)
 CONF = cfg.CONF
 CONF.import_opt('task_time_to_live', 'glance.common.config', group='task')

+_DEPRECATION_MESSAGE = ("The task API is being deprecated and "
+                        "it will be superseded by the new image import "
+                        "API. Please refer to this link for more "
+                        "information about the aforementioned process: "
+                        "https://specs.openstack.org/openstack/glance-specs/"
+                        "specs/mitaka/approved/image-import/"
+                        "image-import-refactor.html")
+

 class TasksController(object):
    """Manages operations on tasks."""
@ -55,6 +64,7 @@ class TasksController(object):
        self.gateway = glance.gateway.Gateway(self.db_api, self.store_api,
                                              self.notifier, self.policy)

+    @debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)
    def create(self, req, task):
        task_factory = self.gateway.get_task_factory(req.context)
        executor_factory = self.gateway.get_task_executor_factory(req.context)
@ -74,6 +84,7 @@ class TasksController(object):
            raise webob.exc.HTTPForbidden(explanation=e.msg)
        return new_task

+    @debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)
    def index(self, req, marker=None, limit=None, sort_key='created_at',
              sort_dir='desc', filters=None):
        result = {}
@ -101,6 +112,7 @@ class TasksController(object):
        result['tasks'] = tasks
        return result

+    @debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)
    def get(self, req, task_id):
        try:
            task_repo = self.gateway.get_task_repo(req.context)
@ -120,6 +132,7 @@ class TasksController(object):
            raise webob.exc.HTTPForbidden(explanation=e.msg)
        return task

+    @debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)
    def delete(self, req, task_id):
        msg = (_("This operation is currently not permitted on Glance Tasks. "
                 "They are auto deleted after reaching the time based on "
--- a/glance/tests/etc/policy.json
+++ b/glance/tests/etc/policy.json
@ -26,10 +26,10 @@

    "manage_image_cache": "",

-    "get_task": "",
-    "get_tasks": "",
-    "add_task": "",
-    "modify_task": "",
+    "get_task": "role:admin",
+    "get_tasks": "role:admin",
+    "add_task": "role:admin",
+    "modify_task": "role:admin",

    "get_metadef_namespace": "",
    "get_metadef_namespaces":"",
--- a/glance/tests/functional/v2/test_tasks.py
+++ b/glance/tests/functional/v2/test_tasks.py
@ -44,11 +44,19 @@ class TestTasks(functional.FunctionalTest):
            'X-Auth-Token': '932c5c84-02ac-4fe5-a9ba-620af0e2bb96',
            'X-User-Id': 'f9a41d13-0c13-47e9-bee2-ce4e8bfe958e',
            'X-Tenant-Id': TENANT1,
-            'X-Roles': 'member',
+            'X-Roles': 'admin',
        }
        base_headers.update(custom_headers or {})
        return base_headers

+    def test_task_not_allowed_non_admin(self):
+        self.start_servers(**self.__dict__.copy())
+        roles = {'X-Roles': 'member'}
+        # Task list should be empty
+        path = self._url('/v2/tasks')
+        response = requests.get(path, headers=self._headers(roles))
+        self.assertEqual(403, response.status_code)
+
    def test_task_lifecycle(self):
        self.start_servers(**self.__dict__.copy())
        # Task list should be empty
--- a/releasenotes/notes/make-task-api-admin-only-by-default-7def996262e18f7a.yaml
+++ b/releasenotes/notes/make-task-api-admin-only-by-default-7def996262e18f7a.yaml
@ -0,0 +1,13 @@
+---
+deprecations:
+  - The task API was added to allow users for uploading images asynchronously
+    and for deployers to have more control in the upload process. Unfortunately,
+    this API has not worked the way it was expected to. Therefore, the task API
+    has entered a deprecation period and it is meant to be replaced by the new
+    import API. This change makes the task API admin only by default so that it
+    is not accidentally deployed as a public API.
+upgrade:
+  - The task API is being deprecated and it has been made admin only. If deployers
+    of Glance would like to have this API as a public one, it is necessary to
+    change the `policy.json` file and remove `role:admin` from every `task`
+    related field.