Revise import property injection plugin releasenote

Revise the releasenote from I98be97c42f23b60a72d520aad5f6078a96372c59 by reducing the release note to a summary and moving the details to the documentation (Glance Admin Guide). Co-authored-by: Bhagyashri Shewale <bhagyashri.shewale@nttdata.com> Co-authored-by: Brian Rosmaita <rosmaita.fossdev@gmail.com> Closes-bug: #1745124 Change-Id: Iaa3139fade75f1e3708dce8525f3571aba997589
2018-02-07 20:23:40 -05:00 · 2018-02-07 20:23:40 -05:00 · 49a1a0a02b
parent 7a718cf573
commit 49a1a0a02b
2 changed files with 122 additions and 63 deletions
--- a/doc/source/admin/interoperable-image-import.rst
+++ b/doc/source/admin/interoperable-image-import.rst
@ -127,3 +127,104 @@ specified in this list.
 .. _`Stevedore`: https://docs.openstack.org/stevedore
 .. _`Taskflow`: https://docs.openstack.org/taskflow
 .. _`Taskflow "Task" object`: https://docs.openstack.org/taskflow/latest/user/atoms.html#task
+
+The Image Property Injection Plugin
+-----------------------------------
+.. list-table::
+
+   * - release introduced
+     - Queens (Glance 16.0.0)
+   * - configuration file
+     - ``glance-image-import.conf``
+   * - configuration file section
+     - ``[inject_metadata_properties]``
+
+This plugin implements the Glance spec `Inject metadata properties
+automatically to non-admin images`_.  One use case for this plugin is a
+situation where an operator wants to put specific metadata on images imported
+by end users so that virtual machines booted from these images will be located
+on specific compute nodes.  Since it's unlikely that an end user (the image
+owner) will know the appropriate properties or values, an operator may use
+this plugin to inject the properties automatically upon image import.
+
+.. note::
+
+   This plugin may only be used as part of the interoperable image import
+   workflow (``POST v2/images/{image_id}/import``).  *It has no effect on the
+   image data upload call* (``PUT v2/images/{image_id}/file``).
+
+   You can guarantee that your end users must use interoperable image import by
+   restricting the ``upload_image`` policy appropriately in the Glance
+   ``policy.json`` file.  By default, this policy is unrestricted (that is,
+   any authorized user may make the image upload call).
+
+   For example, to allow only admin or service users to make the image upload
+   call, the policy could be restricted as follows:
+
+   .. code-block:: text
+
+      "upload_image": "role:admin or (service_user_id:<uuid of nova user>) or
+         (service_roles:<service user role>)"
+
+   where "service_role" is the role which is created for the service user
+   and assigned to trusted services.
+
+To use the Image Property Injection Plugin, the following configuration is
+required.
+
+1. You will need to configure 'glance-image-import.conf' file as shown
+   below:
+
+   .. code-block:: ini
+
+       [image_import_opts]
+       image_import_plugins = [inject_image_metadata]
+
+       [inject_metadata_properties]
+       ignore_user_roles = admin,...
+       inject = "property1":"value1","property2":"value2",...
+
+   The first section, ``image_import_opts``, is used to enable the plugin by
+   specifying the plugin name as one of the elements of the list that is the
+   value of the `image_import_plugins` parameter.  The plugin name is simply
+   the module name under glance/async/flows/plugins/
+
+   The second section, ``inject_metadata_properties``, is where you set the
+   parameters for the injection plugin.  (Note that the values you specify here
+   only have an effect if the plugin has been enabled in the
+   ``image_import_plugins`` list as described above.)
+
+   * ``ignore_user_roles`` is a comma-separated list of Keystone roles that the
+     plugin will ignore.  In other words, if the user making the image import
+     call has any of these roles, the plugin will not inject any properties
+     into the image.
+
+   * ``inject`` is a comma-separated list of properties and values that will be
+     injected into the image record for the imported image.  Each property and
+     value should be quoted and separated by a colon (':') as shown in the
+     example above.
+
+2. If your use case is such that you don't want to allow end-users to create,
+   modify, or delete metadata properties that you are injecting during the
+   interoperable image import process, you will need to protect these
+   properties using the Glance property protection feature (available since
+   the Havana release).
+
+   For example, suppose there is a property named 'property1' that you want
+   injected during import, but you only want an administrator or service user
+   to be able to create this property, and you want only an administrator to be
+   able to modify or delete it.  You could accomplish this by adding the
+   following to the property protection configuration file:
+
+   .. code-block:: ini
+
+       [property1]
+       create = admin,service_role
+       read = admin,service_role,member,_member_
+       update = admin
+       delete = admin
+
+   See the :ref:`property-protections` section of this Guide for more
+   information.
+
+.. _`Inject metadata properties automatically to non-admin images`: https://specs.openstack.org/openstack/glance-specs/specs/queens/approved/glance/inject-automatic-metadata.html
--- a/releasenotes/notes/bp-inject-image-metadata-0a08af539bcce7f2.yaml
+++ b/releasenotes/notes/bp-inject-image-metadata-0a08af539bcce7f2.yaml
@ -1,72 +1,30 @@
 ---
 features:
  - |
-    Made provision to inject image metadata properties to non-admin
-    images during creation of image using 'image-import' API.
+    Added a plugin to inject image metadata properties to non-admin
+    images created via the interoperable image import process.

 upgrade:
  - |
-    - There are two methods to create images:
+    Added a plugin to inject image metadata properties to non-admin
+    images created via the interoperable image import process.  This
+    plugin implements the spec `Inject metadata properties automatically
+    to non-admin images`_.  See the spec for a discussion of the use case
+    addressed by this plugin.

-      - Method A:
+    Use of the plugin requires configuration as described in the
+    `The Image Property Injection Plugin`_ section of the Glance Admin Guide.

-         .. code-block:: none
+    Note that the plugin applies *only* to images imported via the
+    `interoperable image import process`_.  Thus images whose data is
+    set using the `image data upload`_ call will *not* be processed by
+    the plugin and hence will not have properties injected.  You can
+    force end users to use the interoperable image import process by
+    restricting the data upload call, which is governed by the
+    ``upload_image`` policy in the Glance ``policy.json`` file.  See
+    the documentation for more information.

-            POST /v2/images
-            PUT /v2/images/{image_id}/file
-
-      - Method B:
-
-         .. code-block:: none
-
-            POST /v2/images
-            PUT /v2/images/{image_id}/stage
-            POST /v2/images/{image_id}/import
-
-      The long term goal is to make end-users use Method B to create images
-      and cross-services like Nova to use Method A until changes are made to
-      use Method B. To restrict end-users from using Method A to create
-      images, you will need to allow only admin or service users to call
-      "upload_image" API as shown below.
-
-      .. code-block:: none
-
-         upload_image": "role:admin or (service_user_id:<uuid of nova user>) or
-         (service_roles:<service user role>)"
-
-      "service_role" is the role which is created for the service user
-      and assigned to the trusted services.
-
-    - To use this feature below configurations are required:
-
-      You will need to configure 'glance-image-import.conf' file as shown
-      below:
-
-      .. code-block:: none
-
-         [image_import_opts]
-         image_import_plugins = [inject_image_metadata]
-
-         [inject_metadata_properties]
-         ignore_user_roles = admin,...
-         inject = "property1":"value",...
-
-      The first section "image_import_opts" is used to enable/plug the task
-      using `image_import_plugins` parameter by giving plugin name.
-      Plugin name is nothing but the module name under
-      glance/async/flows/plugins/
-
-      You don't want to allow end-users to create metadata properties
-      you want to be injected automatically during creation of images.
-      So, you will need to protect such metadata properties using
-      property protection configuration file as shown below.
-      Only admin or service user will be able to create metadata
-      property 'property1'.
-
-      .. code-block:: none
-
-         [property1]
-         create = admin,service_role
-         read = admin,service_role,member,_member_
-         update = admin
-         delete = admin
+    .. _`Inject metadata properties automatically to non-admin images`: https://specs.openstack.org/openstack/glance-specs/specs/queens/approved/glance/inject-automatic-metadata.html
+    .. _`interoperable image import process`: https://developer.openstack.org/api-ref/image/v2/#interoperable-image-import
+    .. _`The Image Property Injection Plugin`: https://docs.openstack.org/glance/latest/admin/interoperable-image-import.html#the-image-property-injection-plugin
+    .. _`image data upload`: https://developer.openstack.org/api-ref/image/v2/#upload-binary-image-data