ca6d06695c
As it is, Glance correctly returns a 403 when one attempts to deactivate (reactivate) an image that is not in active (deactivated) status. A typo in the current spec incorrectly states that a 400 is returned in this situation. This patch corrects the typo. No code fix is required. Closes-Bug: #1445487 Change-Id: I7d7ed4716bffa69fa5f7f17145a1b64acc1cdbfa
273 lines
8.2 KiB
ReStructuredText
273 lines
8.2 KiB
ReStructuredText
======================================================
|
|
Provide the ability to temporarily deactivate an image
|
|
======================================================
|
|
|
|
https://blueprints.launchpad.net/glance/+spec/deactivate-image
|
|
|
|
This blueprint provides for a method to deactivate an image temporarily
|
|
to prevent download of image data (including booting a new instance from
|
|
the image). A method for reactivation is also described.
|
|
|
|
|
|
Problem description
|
|
===================
|
|
|
|
As the ability for users to import images from outside the cloud becomes
|
|
commonly available, a concern is the possibility for a user to import
|
|
a malicious or otherwise problematic image (e.g. an image containing a
|
|
trojan horse). If an image is deemed suspicious, an admin should be able to
|
|
put the image "on hold" preventing instances from being built with it until
|
|
it has be properly examined and determined to be safe or found dangerous and
|
|
deleted. All image properties will remain accessible and editable, but the
|
|
image will not be downloadable by non-admin users.
|
|
|
|
|
|
Proposed change
|
|
===============
|
|
|
|
To expose this ability, a new image state 'deactivated' will be introduced.
|
|
In order to transition into and out of this state, two new functional API
|
|
calls will be added to the REST interface (detailed below).
|
|
|
|
When an image is placed in the deactivated state, image data may not be
|
|
downloaded by a non-admin user. This will include all other operations (such
|
|
as export and cloning) which may need access to image data. Admins may continue
|
|
to download the data to facilitate testing and examination of the image.
|
|
Operations which do not access image data (e.g. update, delete, or image-list)
|
|
continue to operate as usual for deactivated images.
|
|
|
|
Only 'active' images may be deactivated. Images in the 'deactivated' state
|
|
may only transition to 'active' or 'deleted'. Deactivating a 'deactivated'
|
|
image or reactivating an 'active' image will succeed as no-ops.
|
|
|
|
Restrictions to the deactivate and reactivate functions can be handled through
|
|
the current policy mechanisms and thus the responsibility falls to the deployer
|
|
to implement / update the applicable policies per their specific requirements.
|
|
By default, only administrators will have permissions sufficient to deactivate
|
|
and reactivate an image.
|
|
|
|
|
|
Alternatives
|
|
------------
|
|
|
|
No alternatives seem to be readily available. Policy changes were considered
|
|
but this is an action which needs to function on an image-by-image basis
|
|
regardless of role (other than admin) and across accounts (in the case of
|
|
shared images).
|
|
|
|
|
|
Data model impact
|
|
-----------------
|
|
|
|
None
|
|
|
|
|
|
REST API impact
|
|
---------------
|
|
|
|
The design for the deactivate and reactivate calls specified below follows the
|
|
controller pattern from Subbu Allamaraju, RESTful Web Services Cookbook
|
|
(O'Reilly, 2010), section 2.6. It was discussed by the OpenStack API Working
|
|
Group on the mailing list and at a series of meetings in February 2015. The
|
|
consensus was that this design is an appropriate pragmatic RESTful interface.
|
|
|
|
Using Glance tasks for deactivate/reactivate was discussed by the API WG, but
|
|
the consensus was that since Glance tasks are specifically designed for
|
|
asynchronous operations, their use was not appropriate here. The recommendation
|
|
is that any new asynchronous operations should be implemented in the tasks API,
|
|
but the controller pattern is appropriate for synchronous actions like
|
|
deactivate and reactivate.
|
|
|
|
The API WG concluded that this API design proposal was acceptable at its
|
|
meeting on 19 February 2015.
|
|
|
|
http://eavesdrop.openstack.org/meetings/api_wg/2015/api_wg.2015-02-19-00.00.log.html#l-146
|
|
|
|
* POST:/v2/images/{image_id}/actions/deactivate
|
|
* Description: Deactivate an image
|
|
* Method: POST
|
|
* Normal response code(s): 204
|
|
* Expected error http response code(s): 403
|
|
|
|
* When calling deactivate on an image which is not currently in the
|
|
'active' or 'deactivated' state.
|
|
|
|
* URL for the resource: /v2/images/{image_id}/actions/deactivate
|
|
* Parameters which can be passed via the url
|
|
{image_id}, String, The ID for the image.
|
|
|
|
* POST:/v2/images/{image_id}/actions/reactivate
|
|
* Description: Reactivate an image
|
|
* Method: POST
|
|
* Normal response code(s): 204
|
|
* Expected error http response code(s): 403
|
|
|
|
* When calling reactivate on an image which is not currently
|
|
in the 'deactivated' or 'active' state.
|
|
|
|
* URL for the resource: /v2/images/{image_id}/actions/reactivate
|
|
* Parameters which can be passed via the url
|
|
{image_id}, String, The ID for the image.
|
|
|
|
* GET:/v2/images/{image_id}/file
|
|
* Description: Downloads binary image data.
|
|
* Method: GET
|
|
* Normal response code(s): 200, 204
|
|
* Expected error http response code(s): 403
|
|
|
|
* When attempting to download a deactivated image
|
|
|
|
* URL for the resource: /v2/images/{image_id}/file
|
|
* Parameters which can be passed via the url
|
|
{image_id}, String, The ID for the image.
|
|
|
|
* GET:/v2/images/{image_id}
|
|
* Description: Retrieve the image metadata
|
|
* Method: GET
|
|
* Normal response code(s): 200
|
|
|
|
* Retrieving image metadata for a deactivated image will continue
|
|
to function normally
|
|
|
|
* Expected error http response code(s): None
|
|
* URL for the resource: /v2/images/{image_id}
|
|
* Parameters which can be passed via the url
|
|
{image_id}, String, The ID for the image.
|
|
|
|
* GET:/v1/images/{image_id}
|
|
* Description: Returns the image details as headers and the image binary in the body of the response.
|
|
* Method: GET
|
|
* Normal response code(s): 200
|
|
* Expected error http response code(s): 403
|
|
|
|
* When attempting to download a deactivated image
|
|
|
|
* URL for the resource: /v1/images/{image_id}
|
|
* Parameters which can be passed via the url
|
|
{image_id}, String, The ID for the image.
|
|
|
|
* HEAD:/v1/images/{image_id}
|
|
* Description: Retrieve the image metadata
|
|
* Method: HEAD
|
|
* Normal response code(s): 204
|
|
|
|
* Retrieving image metadata for a deactivated image will continue
|
|
to function normally
|
|
|
|
* Expected error http response code(s): None
|
|
* URL for the resource: /v1/images/{image_id}
|
|
* Parameters which can be passed via the url
|
|
{image_id}, String, The ID for the image.
|
|
|
|
|
|
Security impact
|
|
---------------
|
|
|
|
This change enhances security of the overall system by giving administrators
|
|
the ability to suspend usage of potentially malicious images while they are
|
|
being audited.
|
|
|
|
There are no negative security impacts.
|
|
|
|
|
|
Notifications impact
|
|
--------------------
|
|
|
|
None
|
|
|
|
|
|
Other end user impact
|
|
---------------------
|
|
|
|
Support for the new API operations should be added to python-glanceclient.
|
|
|
|
End users will be unable to perform any operations on a deactivated image which
|
|
requires access to the image data. This would include downloading, booting, and
|
|
exporting the image.
|
|
|
|
Performance Impact
|
|
------------------
|
|
|
|
None
|
|
|
|
|
|
Other deployer impact
|
|
---------------------
|
|
|
|
In order to restrict access to these operations, deployers will need to
|
|
configure the 'deactivate' and 'reactivate' policies accordingly.
|
|
|
|
|
|
Developer impact
|
|
----------------
|
|
|
|
None
|
|
|
|
|
|
Implementation
|
|
==============
|
|
|
|
Assignee(s)
|
|
-----------
|
|
|
|
Primary assignee:
|
|
eddie-sheffield
|
|
|
|
Other contributors:
|
|
None
|
|
|
|
Reviewers
|
|
---------
|
|
|
|
Core reviewer(s):
|
|
nikhil-komawar
|
|
|
|
Other reviewer(s):
|
|
hemanth-makkapati
|
|
|
|
Work Items
|
|
----------
|
|
|
|
* Add allowed state transistions
|
|
* Add image actions controller to v2 api
|
|
* Add 'deactivate' action to controller and router
|
|
* Add 'activate' action to controller and router
|
|
* Add policy checks for 'deactivate' and 'reactivate'
|
|
* Add check for deactivated image on download to v2 api
|
|
* Add check for deactivated image on download to v1 api
|
|
|
|
|
|
Dependencies
|
|
============
|
|
|
|
None
|
|
|
|
|
|
Testing
|
|
=======
|
|
|
|
Tempest tests for the new operations and verifying download restrictions on
|
|
deactivated images need to be added.
|
|
|
|
|
|
Documentation Impact
|
|
====================
|
|
|
|
Documentation is required for:
|
|
|
|
* The new API functions
|
|
* The new policies (as described in Other Deployer Impact)
|
|
|
|
|
|
References
|
|
==========
|
|
|
|
Earlier version of this spec from the wiki:
|
|
* https://wiki.openstack.org/wiki/Glance-deactivate-image
|
|
|
|
Discussions concerning the "Function API" approach used here:
|
|
* https://etherpad.openstack.org/p/glance-adding-functional-operations-to-api
|
|
* http://lists.openstack.org/pipermail/openstack-dev/2014-May/036416.html
|
|
* http://osdir.com/ml/openstack-dev/2015-02/msg01563.html
|
|
* "RESTful Web Services Cookbook, Section 2.6" - http://it-ebooks.info/book/392/
|