7177 Commits

Author SHA1 Message Date
Dan Smith
677c89c236 Fix set_property_atomic() boolean type casting
In set_property_atomic() we pass an integer query filter for the
deleted field, since most projects use an integer for this column.
However, in glance the column is a boolean, which trips up postgres
since the types are different (mysql and sqlite work fine). This
minor change to use False instead of 0 should fix that for postgres
users.

Change-Id: I5149df76943c1c19f3204b904c0e2d3ef846bdf7
Closes-Bug: #1953063
(cherry picked from commit 753c74c343ab4ef32879a3dd95c3a956af77f869)
(cherry picked from commit 316ce9659acdec0bc45f8a33825ae3b076199b24)
22.1.1 wallaby-em
2022-05-17 20:04:50 +02:00
Dan Smith
b1d635c287 Fix failing copy_image flow init
The new networkx requirement apparently causes us to fail the
test_init_copy_flow_as_non_owner test because a None value can not be
added to the flow graph. This just mocks out the glance_store call
that is failing to get the staging store to avoid us choking there
so we can proceed. We are just testing get_flow so we never use it
anyway.

Closes-Bug: #1959361

Change-Id: I6fcb14ad240105ed0b1b9086c6c6c95034b4dd42
(cherry picked from commit ded8ecf3828fa9afd7382f8ba850505ae0541e2c)
2022-01-30 20:52:37 +01:00
Brian Rosmaita
fdf7b80daf [stable-only] Specify openstacksdk stable branch
Taking the advice given here:
http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026905.html
to fix the openstacksdk-functional-devstack job.

This job is not specified in glance's .zuul.yaml, but is brought in
by the integrated-gate-storage template:
86db21ea6a/zuul.d/integrated-gate.yaml (L382-L398)

So we add the job here so that we can override its definition.

Change-Id: I8f1f38df4746cced085fb1cb4e96540763cdda13
(cherry picked from commit b76dd7880cf40f8f2cc9425c54941c5d637401a2)
2022-01-27 12:03:09 -05:00
Erno Kuvaja
8499efd320 Add 22.0.1 release notes
Change-Id: I597a9ec0c2c04e48ce06fc9521cf9fb76aa5250b
2021-09-13 15:38:03 +01:00
Zuul
85f6166473 Merge "Fix image/tasks API for in-progress tasks" into stable/wallaby 2021-09-10 21:20:15 +00:00
Zuul
cbd0262ac1 Merge "Remove SSL configuration section from docs" into stable/wallaby 2021-09-09 15:24:08 +00:00
Zuul
c127bbcbdf Merge "Revert "Remove all usage of keystoneclient"" into stable/wallaby 2021-08-10 19:44:50 +00:00
Erno Kuvaja
62e921ecd9 Remove SSL configuration section from docs
Since supporting only PY3 (Ussuri) Glance has not been supporting
termination of encrypted connection to the service [0]. The
section was left behind on the configuring doc.

[0] https://docs.openstack.org/releasenotes/glance/ussuri.html#security-issues

Change-Id: I9356bceb914327f526da7b727fa58522ae18856e
Closes-Bug: #1930597
(cherry picked from commit 652780d0299d5734cbc6d21eea74c4fd11797cd1)
2021-08-05 16:02:32 +01:00
Erno Kuvaja
7ce475ce11 Revert "Remove all usage of keystoneclient"
This reverts commit 810417df865c7b4eb71cee4dfee843d65972852b.

The Swift driver not being able to use Trusts had nothing to do
with the store driver itself nor that keystoneauth1 would have
broken the feature, but rather it not having the functionality
in the first place and us not catching that on reviews.

We should figure out how to test this before we try to replace
this code again.

Change-Id: If12a013404296486dc387b099477d1608b24ba63
Closes-Bug: #1916052
(cherry picked from commit 9b683678b2a19bb1069aace58e054150a78b5f6f)
2021-07-08 20:19:56 +01:00
Erno Kuvaja
297258379d Fix the policy deprecation message
Removed the defaulting to roles part of the deprecation message.

Change-Id: I37d67457efdd8572d41cd839fb00c84f1f197892
Closes-Bug: #1934673
(cherry picked from commit 2d2817375296c7eff5594a092a8463dd31dbf4e4)
2021-07-08 20:16:30 +01:00
Dan Smith
78e8b7506a Fix image/tasks API for in-progress tasks
A slight error in the tasks_get_by_image() DB API method resulted in
our excluding in-progress tasks from the returned list. This is
because those tasks have expires_at=NULL, and we were comparing
the expires_at>=$NOW to find unexpired tasks. This makes us check for
"NULL or not expired" instead.

We did have a test asserting the wrong behavior, but it was done to
increase coverage and thus was asserting the behavior of the code and
not the *desired* behavior. This fixes that as well.

Closes-Bug: #1922928
Change-Id: I1b6971888673b64ef60bed8fbcc97bbcbcf5c2ac
(cherry picked from commit 2a0d2303c3346b3e771a40c0fe4d4dceaf16f992)
2021-04-08 06:30:22 -07:00
b5437773b2 Update TOX_CONSTRAINTS_FILE for stable/wallaby
Update the URL to the upper-constraints file to point to the redirect
rule on releases.openstack.org so that anyone working on this branch
will switch to the correct upper-constraints list automatically when
the requirements repository branches.

Until the requirements repository has a stable/wallaby branch, tests will
continue to use the upper-constraints list on master.

Change-Id: I3343a1d50081bb00846b48782d47b066692c0e81
2021-03-23 17:09:07 +00:00
955f4ecb5c Update .gitreview for stable/wallaby
Change-Id: Ib35f365e6cc1548b48facc079b180ba06dca908e
2021-03-23 17:09:03 +00:00
Zuul
922e544ca2 Merge "Tox.ini: add py39" 2021-03-18 17:37:51 +00:00
Zuul
2f6e3bc578 Merge "Make some metadef operations admin-only" 2021-03-17 18:08:04 +00:00
Dan Smith
cf94c9aab2 Fix a typo in contributor docs
This just makes a trivial typo fix in the minor-code-changes doc.

Change-Id: If0093316c393b09ed4d936d2625b2d27024bfdbc
Co-Authored-By: Abhishek Kekane <akekane@redhat.com>
2021-03-15 11:26:44 -07:00
Abhishek Kekane
f8551de8c9 Make some metadef operations admin-only
This restricts all metadef resource manipulation to admin-only, but
still allows users to see everything. There are multiple low-grade
security issues with the metadef API, detailed in the related bug.
Restricting resource manipulation to admin-only solves most of these
concerns.

SecurityImpact
Depends-On: https://review.opendev.org/c/openstack/tempest/+/780108
Change-Id: I333c58e73c202c1f523030e54e03f2868459b595
Related-Bug: #1916926
2021-03-15 07:59:05 -07:00
Zuul
50cd037bcd Merge "Refresh Glance example configs for Wallaby milestone 3" 2021-03-12 00:36:28 +00:00
Zuul
4dae619b81 Merge "Wallaby milestone 3 release notes" 2021-03-10 20:13:47 +00:00
Zuul
66f5c8d6e1 Merge "trivial: remove unnecessary grouping in base policies" 2021-03-10 18:20:29 +00:00
Zuul
751e5ed812 Merge "Enable second glance worker for import testing" 2021-03-10 02:27:07 +00:00
Zuul
32ce011bac Merge "trivial: Fix minor grammatical issues in cache middleware" 2021-03-10 01:34:52 +00:00
Zuul
9afbf466ab Merge "Add a release note for secure RBAC personas" 2021-03-09 21:50:50 +00:00
Zuul
3e7bf199ca Merge "Update the task policies" 2021-03-09 20:26:37 +00:00
Zuul
1010805bfe Merge "Implement project personas for image actions" 2021-03-09 20:25:38 +00:00
Lance Bragstad
aec2de7ffd Add a release note for secure RBAC personas
Provide some literature on what we introduced for operators in wallaby,
how they can configure it, and actions we recommend they take. Since
this marks the point at which we consider the feature implemented,
this also removes the legacy-rbac job and makes the secure-rbac job
voting.

Implements: blueprint secure-rbac
Change-Id: I8f980cf7731d26b92b5392fdada21e5be0f541c4
2021-03-09 09:51:47 -08:00
Zuul
eecb2f057e Merge "Fix erroneous exit from copy wait loop" 2021-03-09 12:49:24 +00:00
Abhishek Kekane
9c691b5560 Wallaby milestone 3 release notes
Change-Id: I509f042648cc0e437b26cf9bf5008c43038ad047
2021-03-09 10:02:42 +00:00
Zuul
1352661ec2 Merge "Add housekeeping module and staging cleaner" 2021-03-09 01:14:08 +00:00
Dan Smith
80b84d4e97 Fix erroneous exit from copy wait loop
The wait_for_copying() helper will exit the loop if the *last*
store is found in the list, instead of *all* of them. This technically
works if the stores are processed in the same order we are checking,
but it's fragile and likely to fail in confusing ways.

This makes us only exit if all of them are present.

Change-Id: I8d9ba50f46e22b6740fdbdec6f8ef7c61dddbcf1
2021-03-08 13:30:34 -08:00
Lance Bragstad
165cce6d6e Update the task policies
At one point, these policies were used to protect actual task API
endpoints. Since then, they have also been used internally within
glance when spawning a task on behalf of the user for long-running
operations (like import).

These policies should not apply to the internal usage, as doing so
prevents the operator from setting them to restrictive values in order
to provide granular access to some roles. In the future we will fix
that by moving those checks out of "the onion" and into the task API
operations themselves, thus decoupling the internal and external uses.

This adds documentation and scope definitions for these policies, as
well as deprecates the "modify_task" policy which is never used and
will be removed in the future. Control over the actual tasks API
remains coarse with the "tasks_api_access" policy until a future
release completes the above decoupling.

Implements: blueprint secure-rbac
Change-Id: I70a58acd78053b54187dba8e35273366f14c47a4
2021-03-08 09:32:06 -08:00
Lance Bragstad
2b498e61f4 trivial: remove unnecessary grouping in base policies
We've broken basic policies into granular checks with simple names and
we use them to construct more complex checks. In that process we
accidentally added some additional nesting to two of the check strings,
which isn't necessary.

This commit updates the check strings to remove an extra set of
parentheses.

Change-Id: Iafa37d64a9779a3b646c34f328c62dfd6cd3e7f3
2021-03-08 13:56:02 +00:00
Lance Bragstad
4063d215a1 trivial: Fix minor grammatical issues in cache middleware
Change-Id: Id3a08decd65b1222c0e9d7908ecd07587d2455c9
2021-03-08 13:45:44 +00:00
Abhishek Kekane
dbab664039 Refresh Glance example configs for Wallaby milestone 3
Change-Id: Ifc957de2bcf4d22c1b7cba31ce2b467df9d5aa85
2021-03-08 08:59:50 +00:00
Abhishek Kekane
31414b9f61 Implement project personas for image actions
This commit updates the policies for image actions to use default roles
available from keystone. Specifically, we're updating the defaults to
use project-member and project-reader personas. The project-admin
persona is still reserved for administrative APIs access for system
administrators/operators. This will remain the case until we can
refactor portions of glance to make it easier to implement system-scope.

NOTE:
  Glance is implementing Secure RBAC as EXPERIMENTAL in Wallaby, so to
  enable it the operator needs to set ``glance-api.conf [oslo_policy]
  enforce_new_defaults=True`` and ``glance-api.conf
  enforce_secure_rbac=True``

Implements: blueprint secure-rbac

Change-Id: If0c456617a9e17c006a6ffe2a83f4a73b53da3d0
2021-03-08 05:51:33 +00:00
Zuul
23ed884c4b Merge "Fix test_cache_middleware ImageStub" 2021-03-07 22:14:43 +00:00
Zuul
d154cb1058 Merge "Make copy_image plugin use action wrapper" 2021-03-07 21:58:56 +00:00
Dan Smith
81fea796d9 Fix test_cache_middleware ImageStub
This fixes the ImageStub in the test_cache_middleware module, which
does not implement enough of a real image to be usable in the next
patch where we need to dict() it. This does that refactor ahead of
time so that patch is smaller.

Change-Id: Ie86e0ae16c81fb7aa353dd350f0a4f3cf852d893
2021-03-07 08:13:02 -08:00
Zuul
74313e9c76 Merge "Make inject_image_metadata use action wrapper" 2021-03-07 16:05:36 +00:00
Zuul
ec9afd69b6 Merge "Fix nonsensical test mocks and assertions" 2021-03-07 10:32:12 +00:00
Zuul
fc0ee38b8b Merge "Allow plugins to mutate image extra_properties" 2021-03-07 09:48:29 +00:00
Zuul
f8d42b388d Merge "Make image_conversion use action wrapper" 2021-03-07 03:26:05 +00:00
Zuul
78b9de9b21 Merge "Bump Images API version to 2.12" 2021-03-06 21:53:41 +00:00
Zuul
f4af2f273f Merge "Add glance functional protection tests to check and gate" 2021-03-06 19:32:49 +00:00
Zuul
c825120158 Merge "Add missing fail case tests for image_conversion" 2021-03-06 17:35:00 +00:00
Zuul
cf67d36efe Merge "Make action wrapper support arbitrary properties" 2021-03-06 17:34:06 +00:00
Zuul
111f1acffc Merge "Make web-download revert all stores on fail" 2021-03-06 17:33:58 +00:00
Zuul
1bef6a32af Merge "Pass ImageActionWrapper to internal plugins" 2021-03-06 17:33:44 +00:00
Lance Bragstad
8d694786d3 Add glance functional protection tests to check and gate
This commit updates glance's zuul configuration to tack on a job
dedicated to protecting API authorization. The tests for this job live
in glance-tempest-plugin and they currently test full support for
project-reader and project-admin against the images API.

Future changes will update the policies in glance to consume
system-scope and additional test coverage will be added to
glance-tempest-plugin. But, until that happens, having protection
testing as part of the check and gate jobs is vital to ensuring we don't
inadvertently expose sensitive information or APIs to users.

This level of testing will also be useful in the future if we decide to
refactor authorization logic out of various parts of glance and into a
consistent layer.

Depends-On: https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742
Change-Id: Iddee8144fb21b7ac2dec4e7fbc62c132c186fa89
2021-03-04 21:53:30 +00:00
Dan Smith
662607f496 Enable second glance worker for import testing
This enables the g-api-r service in devstack, which allows tempest
to run the remote import test, causing it to stage and import an
image across two different workers. Note we disable it for the
standalone mode, since devstack does not support starting another
standalone glance.

Depends-On: https://review.opendev.org/c/openstack/devstack/+/770487
Depends-On: https://review.opendev.org/c/openstack/tempest/+/770520
Change-Id: Ica715fc1922f4b36dd0bb008ef6706b86115ec05
2021-03-04 12:13:23 -08:00