From 52eaa56e40a5649c6c8da1c4e5204331d07b63aa Mon Sep 17 00:00:00 2001 From: Abhishek Kekane Date: Fri, 24 Jul 2020 07:46:53 +0000 Subject: [PATCH] [Doc] Policy support to copy unowned images Change-Id: If0fd74d9f2eecb21153493457c58d767f12ffdeb --- api-ref/source/v2/images-import.inc | 5 +++++ doc/source/admin/interoperable-image-import.rst | 14 +++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/api-ref/source/v2/images-import.inc b/api-ref/source/v2/images-import.inc index aeda220883..6603f2070f 100644 --- a/api-ref/source/v2/images-import.inc +++ b/api-ref/source/v2/images-import.inc @@ -284,6 +284,11 @@ If you are using the ``copy-image`` import method: the user. In case of a partial success, the locations added to the image will be the stores where the data has been correctly uploaded. +- By default, you may perform the copy-image operation only on images that + you own. This action is governed by policy, so some users may be granted + permission to copy unowned images. Consult your cloud's local + documentation for details. + **Synchronous Postconditions** - With correct permissions, you can see the image status as diff --git a/doc/source/admin/interoperable-image-import.rst b/doc/source/admin/interoperable-image-import.rst index 4a56357f65..965bdfdf52 100644 --- a/doc/source/admin/interoperable-image-import.rst +++ b/doc/source/admin/interoperable-image-import.rst @@ -214,7 +214,12 @@ Configuring the copy-image method For the ``copy-image`` method, make sure that ``copy-image`` is included in the list specified by your ``enabled_import_methods`` setting as well -as you have multiple glance backends configured in your environment. +as you have multiple glance backends configured in your environment. To +allow copy-image operation to be performed by users on images they do +not own, you can set the `copy_image` policy to something other than +the default, for example:: + + "copy_image": "'public':%(visibility)s" .. _iir_plugins: 
@@ -223,6 +228,13 @@ Copying existing-image in multiple stores Starting with Ussuri release, it is possible to copy existing image data into multiple stores using interoperable image import workflow. +Basically user will be able to copy only those images which are +owned by him. Unless the copying of unowned images are allowed by +cloud operator by enforcing policy check, user will get Forbidden +(Operation not permitted response) for such copy operations. Even if +copying of unowned images is allowed by enforcing policy, ownership of +the image remains unchanged. + Operator or end user can either copy the existing image by specifying ``all_stores`` as True in request body or by passing list of desired stores in request body. If ``all_stores`` is specified and image data
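Review bot: In the api-ref/source/v2/images-import.inc hunk, the new bullet says copy-image is limited to images you own by default, but it does not say what the caller receives when policy denies the request. The admin guide hunk in this same patch describes a Forbidden response for that case; stating it here as well would let API consumers handle the denial without reading the admin guide. The bullet also writes copy-image as plain text, while the context line above it uses ``copy-image``; use the literal markup for consistency.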
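Review bot: In the "Configuring the copy-image method" hunk of doc/source/admin/interoperable-image-import.rst, the example rule "copy_image": "'public':%(visibility)s" is given without saying what it grants or what the default rule is. As written it matches on the image's visibility being public and carries no owner or role condition, so an operator who pastes it appears to let any user copy any public image. Please state that effect explicitly, show the default for comparison, and say whether an owner can still copy a non-public image under this rule. The policy name is marked up as `copy_image` with single backticks, whereas the rest of the paragraph uses double backticks (``copy-image``, ``enabled_import_methods``); in RST the single form is not an inline literal.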
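Review bot: In the "Copying existing-image in multiple stores" hunk, the added paragraph says unowned copies are allowed "by enforcing policy check" without naming the policy. Because enforcement is also what produces the denial, the sentence reads ambiguously. Name the ``copy_image`` policy and refer to the "Configuring the copy-image method" section changed earlier in this patch. On wording: "owned by him" would read better as "that they own", "copying of unowned images are allowed" should be "is allowed", and "Forbidden (Operation not permitted response)" has its parenthesis misplaced.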