From 8f0d6ea9c535f6ab09fc9b2ae84cf0bef2401ee4 Mon Sep 17 00:00:00 2001 From: Flavio Percoco Date: Fri, 8 Jan 2016 16:38:49 -0430 Subject: [PATCH] Make the task's API admin only by default One of the goals of this spec is to improve the image import process and allow for other background operations to be executed when the image data is added. This supersedes the need of the task endpoint that we'll slowly deprecate. As part of this spec, we should make it admin only and warn deployers that this API is going to be deprecated. MitakaPriority DocImpact: Tasks API is now admin only. Deployments depending on this API need to make sure they make it accessible for non-admins. Closes-bug: #1527716 Partially-blueprint: image-import-refactor Change-Id: I28cb69ea730ae58b9aed1dd43b68305dbbf132c1 --- etc/policy.json | 8 ++++---- glance/api/v2/tasks.py | 13 +++++++++++++ glance/tests/etc/policy.json | 8 ++++---- glance/tests/functional/v2/test_tasks.py | 10 +++++++++- ...-api-admin-only-by-default-7def996262e18f7a.yaml | 13 +++++++++++++ 5 files changed, 43 insertions(+), 9 deletions(-) create mode 100644 releasenotes/notes/make-task-api-admin-only-by-default-7def996262e18f7a.yaml diff --git a/etc/policy.json b/etc/policy.json index 4bbc8b46c6..f49bc08460 100644 --- a/etc/policy.json +++ b/etc/policy.json @@ -25,10 +25,10 @@ "manage_image_cache": "role:admin", - "get_task": "", - "get_tasks": "", - "add_task": "", - "modify_task": "", + "get_task": "role:admin", + "get_tasks": "role:admin", + "add_task": "role:admin", + "modify_task": "role:admin", "deactivate": "", "reactivate": "", diff --git a/glance/api/v2/tasks.py b/glance/api/v2/tasks.py index afff3d9784..ba5050a3ba 100644 --- a/glance/api/v2/tasks.py +++ b/glance/api/v2/tasks.py @@ -16,6 +16,7 @@ import copy +import debtcollector import glance_store from oslo_config import cfg from oslo_log import log as logging 
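Review bot: Setting `get_task`, `get_tasks`, `add_task` and `modify_task` to `role:admin` here (and in the matching glance/tests/etc/policy.json hunk) only tightens deployments that install this sample file. A deployment that upgrades but keeps its own policy.json with `"get_task": ""` and the like would presumably leave the task API open to every authenticated user. The release note in this commit explains how to reopen the API, but not that existing policy files must be edited by hand to get the new default. I would add a sentence to its `upgrade` section such as `Existing policy.json files are not modified; set get_task, get_tasks, add_task and modify_task to role:admin to apply the new default.` Whether a rule missing from the file falls back to something stricter is not visible in this hunk.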
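Review bot: `import debtcollector` binds only the top-level package, while the decorators added further down in this file call `debtcollector.removals.remove`. That attribute resolves only if the package's `__init__` or some earlier import has already loaded the `removals` submodule. Importing it explicitly with `from debtcollector import removals` and decorating with `@removals.remove(message=_DEPRECATION_MESSAGE)` removes the dependence on import order. The diffstat lists no requirements change, so it is also worth confirming that debtcollector is declared as a direct dependency rather than arriving transitively.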
@@ -42,6 +43,14 @@ LOG = logging.getLogger(__name__) CONF = cfg.CONF CONF.import_opt('task_time_to_live', 'glance.common.config', group='task') +_DEPRECATION_MESSAGE = ("The task API is being deprecated and " + "it will be superseded by the new image import " + "API. Please refer to this link for more " + "information about the aforementioned process: " + "https://specs.openstack.org/openstack/glance-specs/" + "specs/mitaka/approved/image-import/" + "image-import-refactor.html") + class TasksController(object): """Manages operations on tasks.""" @@ -55,6 +64,7 @@ class TasksController(object): self.gateway = glance.gateway.Gateway(self.db_api, self.store_api, self.notifier, self.policy) + @debtcollector.removals.remove(message=_DEPRECATION_MESSAGE) def create(self, req, task): task_factory = self.gateway.get_task_factory(req.context) executor_factory = self.gateway.get_task_executor_factory(req.context) @@ -74,6 +84,7 @@ class TasksController(object): raise webob.exc.HTTPForbidden(explanation=e.msg) return new_task + @debtcollector.removals.remove(message=_DEPRECATION_MESSAGE) def index(self, req, marker=None, limit=None, sort_key='created_at', sort_dir='desc', filters=None): result = {} @@ -101,6 +112,7 @@ class TasksController(object): result['tasks'] = tasks return result + @debtcollector.removals.remove(message=_DEPRECATION_MESSAGE) def get(self, req, task_id): try: task_repo = self.gateway.get_task_repo(req.context) @@ -120,6 +132,7 @@ class TasksController(object): raise webob.exc.HTTPForbidden(explanation=e.msg) return task + @debtcollector.removals.remove(message=_DEPRECATION_MESSAGE) def delete(self, req, task_id): msg = (_("This operation is currently not permitted on Glance Tasks. " "They are auto deleted after reaching the time based on " diff --git a/glance/tests/etc/policy.json b/glance/tests/etc/policy.json index 8dd0d1dc89..41665e98ec 100644 --- a/glance/tests/etc/policy.json +++ b/glance/tests/etc/policy.json 
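Review bot: The `@debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)` decorators on `create`, `index`, `get` and `delete` (the four hunks after the one adding `_DEPRECATION_MESSAGE`) report the deprecation through Python's warnings machinery, as far as I know as a DeprecationWarning. Default warning filters commonly hide that category, so the deployers the commit message wants to warn may never see it unless warnings are routed into the service log. If operator visibility is the goal, a single `LOG.warning(_DEPRECATION_MESSAGE)` when `TasksController` is constructed would reach the log regardless of filter settings. The method bodies continue outside these hunks, so the interaction with the existing exception handling was not checked.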
@@ -26,10 +26,10 @@ "manage_image_cache": "", - "get_task": "", - "get_tasks": "", - "add_task": "", - "modify_task": "", + "get_task": "role:admin", + "get_tasks": "role:admin", + "add_task": "role:admin", + "modify_task": "role:admin", "get_metadef_namespace": "", "get_metadef_namespaces":"", diff --git a/glance/tests/functional/v2/test_tasks.py b/glance/tests/functional/v2/test_tasks.py index 619fa803cf..5522ba27d5 100644 --- a/glance/tests/functional/v2/test_tasks.py +++ b/glance/tests/functional/v2/test_tasks.py @@ -44,11 +44,19 @@ class TestTasks(functional.FunctionalTest): 'X-Auth-Token': '932c5c84-02ac-4fe5-a9ba-620af0e2bb96', 'X-User-Id': 'f9a41d13-0c13-47e9-bee2-ce4e8bfe958e', 'X-Tenant-Id': TENANT1, - 'X-Roles': 'member', + 'X-Roles': 'admin', } base_headers.update(custom_headers or {}) return base_headers + def test_task_not_allowed_non_admin(self): + self.start_servers(**self.__dict__.copy()) + roles = {'X-Roles': 'member'} + # Task list should be empty + path = self._url('/v2/tasks') + response = requests.get(path, headers=self._headers(roles)) + self.assertEqual(403, response.status_code) + def test_task_lifecycle(self): self.start_servers(**self.__dict__.copy()) # Task list should be empty diff --git a/releasenotes/notes/make-task-api-admin-only-by-default-7def996262e18f7a.yaml b/releasenotes/notes/make-task-api-admin-only-by-default-7def996262e18f7a.yaml new file mode 100644 index 0000000000..b1958e2793 --- /dev/null +++ b/releasenotes/notes/make-task-api-admin-only-by-default-7def996262e18f7a.yaml 
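Review bot: `test_task_not_allowed_non_admin` asserts a 403 only for `GET /v2/tasks`, so of the four rules changed to `role:admin` only `get_tasks` is exercised for a non-admin caller. A `member` POST to `/v2/tasks` and a GET of a single task id should get the same 403 assertion. The comment `# Task list should be empty` is copied from the lifecycle test and contradicts the assertion; `# A non-admin caller must be rejected by policy` would fit. Because `_headers` now defaults `X-Roles` to `admin`, the other tests in this class presumably no longer exercise any non-admin path, so tenant and owner checks on tasks lose functional coverage for deployments that reopen the API.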
@@ -0,0 +1,13 @@
+---
+deprecations:
+ - The task API was added to allow users for uploading images asynchronously
+ and for deployers to have more control in the upload process. Unfortunately,
+ this API has not worked the way it was expected to. Therefore, the task API
+ has entered a deprecation period and it is meant to be replaced by the new
+ import API. This change makes the task API admin only by default so that it
+ is not accidentally deployed as a public API.
+upgrade:
+ - The task API is being deprecated and it has been made admin only. If deployers
+ of Glance would like to have this API as a public one, it is necessary to
+ change the `policy.json` file and remove `role:admin` from every `task`
+ related field.
\ No newline at end of file