======================================================
Provide the ability to temporarily deactivate an image
======================================================

https://blueprints.launchpad.net/glance/+spec/deactivate-image

This blueprint provides for a method to deactivate an image temporarily
to prevent download of image data (including booting a new instance from
the image). A method for reactivation is also described.


Problem description
===================

As the ability for users to import images from outside the cloud becomes
commonly available, a concern is the possibility for a user to import
a malicious or otherwise problematic image (e.g. an image containing a
trojan horse). If an image is deemed suspicious, an admin should be able to
put the image "on hold" preventing instances from being built with it until
it has be properly examined and determined to be safe or found dangerous and
deleted. All image properties will remain accessible and editable, but the
image will not be downloadable by non-admin users.


Proposed change
===============

To expose this ability, a new image state 'deactivated' will be introduced.
In order to transition into and out of this state, two new functional API
calls will be added to the REST interface (detailed below).

When an image is placed in the deactivated state, image data may not be
downloaded by a non-admin user. This will include all other operations (such
as export and cloning) which may need access to image data. Admins may continue
to download the data to facilitate testing and examination of the image.
Operations which do not access image data (e.g. update, delete, or image-list)
continue to operate as usual for deactivated images.

Only 'active' images may be deactivated. Images in the 'deactivated' state
may only transition to 'active' or 'deleted'. Deactivating a 'deactivated'
image or reactivating an 'active' image will succeed as no-ops.

Restrictions to the deactivate and reactivate functions can be handled through
the current policy mechanisms and thus the responsibility falls to the deployer
to implement / update the applicable policies per their specific requirements.
By default, only administrators will have permissions sufficient to deactivate
and reactivate an image.


Alternatives
------------

No alternatives seem to be readily available. Policy changes were considered
but this is an action which needs to function on an image-by-image basis
regardless of role (other than admin) and across accounts (in the case of
shared images).


Data model impact
-----------------

None


REST API impact
---------------

The design for the deactivate and reactivate calls specified below follows the
controller pattern from Subbu Allamaraju, RESTful Web Services Cookbook
(O'Reilly, 2010), section 2.6. It was discussed by the OpenStack API Working
Group on the mailing list and at a series of meetings in February 2015. The
consensus was that this design is an appropriate pragmatic RESTful interface.

Using Glance tasks for deactivate/reactivate was discussed by the API WG, but
the consensus was that since Glance tasks are specifically designed for
asynchronous operations, their use was not appropriate here. The recommendation
is that any new asynchronous operations should be implemented in the tasks API,
but the controller pattern is appropriate for synchronous actions like
deactivate and reactivate.

The API WG concluded that this API design proposal was acceptable at its
meeting on 19 February 2015.

http://eavesdrop.openstack.org/meetings/api_wg/2015/api_wg.2015-02-19-00.00.log.html#l-146

* POST:/v2/images/{image_id}/actions/deactivate
  * Description: Deactivate an image
  * Method: POST
  * Normal response code(s): 204
  * Expected error http response code(s): 403

    * When calling deactivate on an image which is not currently in the 
      'active' or 'deactivated' state.

  * URL for the resource: /v2/images/{image_id}/actions/deactivate
  * Parameters which can be passed via the url
    {image_id}, String, The ID for the image.

* POST:/v2/images/{image_id}/actions/reactivate
  * Description: Reactivate an image
  * Method: POST
  * Normal response code(s): 204
  * Expected error http response code(s): 403

    * When calling reactivate on an image which is not currently
      in the 'deactivated' or 'active' state.

  * URL for the resource: /v2/images/{image_id}/actions/reactivate
  * Parameters which can be passed via the url
    {image_id}, String, The ID for the image.

* GET:/v2/images/{image_id}/file
  * Description: Downloads binary image data.
  * Method: GET
  * Normal response code(s): 200, 204
  * Expected error http response code(s): 403
 
   * When attempting to download a deactivated image

  * URL for the resource: /v2/images/{image_id}/file
  * Parameters which can be passed via the url
    {image_id}, String, The ID for the image.

* GET:/v2/images/{image_id}
  * Description: Retrieve the image metadata
  * Method: GET
  * Normal response code(s): 200

    * Retrieving image metadata for a deactivated image will continue
      to function normally

  * Expected error http response code(s): None
  * URL for the resource: /v2/images/{image_id}
  * Parameters which can be passed via the url
    {image_id}, String, The ID for the image.

* GET:/v1/images/{image_id}
  * Description: Returns the image details as headers and the image binary in the body of the response.
  * Method: GET
  * Normal response code(s): 200
  * Expected error http response code(s): 403

    * When attempting to download a deactivated image

  * URL for the resource: /v1/images/{image_id}
  * Parameters which can be passed via the url
    {image_id}, String, The ID for the image.

* HEAD:/v1/images/{image_id}
  * Description: Retrieve the image metadata
  * Method: HEAD
  * Normal response code(s): 204

    * Retrieving image metadata for a deactivated image will continue
      to function normally

  * Expected error http response code(s): None
  * URL for the resource: /v1/images/{image_id}
  * Parameters which can be passed via the url
    {image_id}, String, The ID for the image.


Security impact
---------------

This change enhances security of the overall system by giving administrators
the ability to suspend usage of potentially malicious images while they are
being audited.

There are no negative security impacts.


Notifications impact
--------------------

None


Other end user impact
---------------------

Support for the new API operations should be added to python-glanceclient.

End users will be unable to perform any operations on a deactivated image which
requires access to the image data. This would include downloading, booting, and
exporting the image.

Performance Impact
------------------

None


Other deployer impact
---------------------

In order to restrict access to these operations, deployers will need to
configure the 'deactivate' and 'reactivate' policies accordingly.


Developer impact
----------------

None


Implementation
==============

Assignee(s)
-----------

Primary assignee:
  eddie-sheffield

Other contributors:
  None

Reviewers
---------

Core reviewer(s):
  nikhil-komawar

Other reviewer(s):
  hemanth-makkapati

Work Items
----------

* Add allowed state transistions
* Add image actions controller to v2 api
* Add 'deactivate' action to controller and router
* Add 'activate' action to controller and router
* Add policy checks for 'deactivate' and 'reactivate'
* Add check for deactivated image on download to v2 api
* Add check for deactivated image on download to v1 api


Dependencies
============

None


Testing
=======

Tempest tests for the new operations and verifying download restrictions on
deactivated images need to be added.


Documentation Impact
====================

Documentation is required for:

* The new API functions
* The new policies (as described in Other Deployer Impact)


References
==========

Earlier version of this spec from the wiki:
* https://wiki.openstack.org/wiki/Glance-deactivate-image

Discussions concerning the "Function API" approach used here:
* https://etherpad.openstack.org/p/glance-adding-functional-operations-to-api
* http://lists.openstack.org/pipermail/openstack-dev/2014-May/036416.html
* http://osdir.com/ml/openstack-dev/2015-02/msg01563.html
* "RESTful Web Services Cookbook, Section 2.6" - http://it-ebooks.info/book/392/