1591f573ae
Implement URI filtering to prevent port scanning with the web-download Image import method. Closes-Bug: #1748512 Change-Id: Ide5ace8979bb12239c99a312747b3151c1e64ce8
[DEFAULT]
|
|
|
|
|
|
[image_import_opts]
|
|
|
|
#
|
|
# From glance
|
|
#
|
|
|
|
#
|
|
# Image import plugins to be enabled for task processing.
|
|
#
|
|
# Provide a list of strings naming the task objects that should be
# included in the Image Import flow. The task objects need to be
# defined in 'glance/async/flows/plugins/*' and may be implemented
# by the OpenStack Glance project team, a deployer or a 3rd party.
|
|
#
|
|
# By default no plugins are enabled and to take advantage
|
|
# of the plugin model the list of plugins must be set
|
|
# explicitly in the glance-image-import.conf file.
|
|
#
|
|
# The allowed value for this option is a comma separated
# list of object names in between ``[`` and ``]``.
|
|
#
|
|
# Possible values:
|
|
# * no_op (only logs debug level message that the
|
|
# plugin has been executed)
|
|
# * Any provided Task object name to be included
|
|
# in to the flow.
|
|
# (list value)
|
|
#image_import_plugins = [no_op]
|
|
|
|
|
|
[import_filtering_opts]
|
|
|
|
#
|
|
# From glance
|
|
#
|
|
|
|
#
|
|
# Specify the allowed url schemes for web-download.
|
|
#
|
|
# This option provides whitelisting for the uri schemes that the web-download
# import method will accept. The whitelist always takes priority: when it is
# set, any blacklisting of the schemes is ignored, but host and port filtering
# are still obeyed.
|
|
#
|
|
# For example: If the scheme blacklist contains 'http' and the whitelist
# contains ['http', 'https'], the whitelist is obeyed for http://example.com,
# but any other scheme like ftp://example.com is blocked even though it is not
# blacklisted.
|
|
#
|
|
# Possible values:
|
|
# * List containing normalized url schemes as they are returned from
|
|
# urllib.parse. For example ['ftp','https']
|
|
#
|
|
# Related options:
|
|
# * disallowed_schemes
|
|
# * allowed_hosts
|
|
# * disallowed_hosts
|
|
# * allowed_ports
|
|
# * disallowed_ports
|
|
#
|
|
# (list value)
|
|
#allowed_schemes = http,https
|
|
|
|
#
|
|
# Specify the blacklisted url schemes for web-download.
|
|
#
|
|
# This option provides blacklisting for the uri schemes that the web-download
# import method will refuse. The whitelist always takes priority: when it is
# set, any blacklisting of the schemes is ignored, but host and port filtering
# are still obeyed. Blacklisting can be used to prevent a specific scheme from
# being used when whitelisting is not in use.
|
|
#
|
|
# For example: If the scheme blacklist contains 'http' and the whitelist
# contains ['http', 'https'], the whitelist is obeyed for http://example.com,
# but any other scheme like ftp://example.com is blocked even though it is not
# blacklisted.
|
|
#
|
|
# Possible values:
|
|
# * List containing normalized url schemes as they are returned from
|
|
# urllib.parse. For example ['ftp','https']
|
|
# * By default the list is empty
|
|
#
|
|
# Related options:
|
|
# * allowed_schemes
|
|
# * allowed_hosts
|
|
# * disallowed_hosts
|
|
# * allowed_ports
|
|
# * disallowed_ports
|
|
#
|
|
# (list value)
|
|
#disallowed_schemes =
|
|
|
|
#
|
|
# Specify the allowed target hosts for web-download.
|
|
#
|
|
# This option provides whitelisting for the hosts that the web-download import
# method will accept. The whitelist always takes priority: when it is set, any
# blacklisting of the hosts is ignored, but scheme and port filtering are
# still obeyed.
|
|
#
|
|
# For example: If the scheme blacklist contains 'http' and the whitelist
# contains ['http', 'https'], the whitelist is obeyed for http://example.com,
# but any other scheme like ftp://example.com is blocked even though it is not
# blacklisted. In the same way, the whitelisted example.com is only obeyed on
# the allowed schemes and/or ports. Whitelisting a host does not allow it to
# be accessed on all schemes and ports.
|
|
#
|
|
# Possible values:
|
|
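# * List containing normalized hostname or ip like it would be returned
#   in the urllib.parse netloc without the port
# * By default the list is empty. With disallowed_hosts empty as well,
#   no host filtering is applied and any host, internal ones included,
#   can be reached on the allowed schemes and ports.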
|
|
#
|
|
# Related options:
|
|
# * allowed_schemes
|
|
# * disallowed_schemes
|
|
# * disallowed_hosts
|
|
# * allowed_ports
|
|
# * disallowed_ports
|
|
#
|
|
# (list value)
|
|
#allowed_hosts =
|
|
|
|
#
|
|
# Specify the blacklisted hosts for web-download.
|
|
#
|
|
# This option provides blacklisting for the hosts that the web-download import
# method will refuse. The whitelist always takes priority: when it is set, any
# blacklisting is ignored, but scheme and port filtering are still obeyed.
|
|
#
|
|
# For example: If the scheme blacklist contains 'http' and the whitelist
# contains ['http', 'https'], the whitelist is obeyed for http://example.com,
# but any other scheme like ftp://example.com is blocked even though it is not
# blacklisted. The blacklisting of example.com is obeyed for any url pointing
# to that host, regardless of its scheme or port.
|
|
#
|
|
# Possible values:
|
|
# * List containing normalized hostname or ip like it would be returned
#   in the urllib.parse netloc without the port. An entry covers only that
#   exact name or address, not other names or addresses of the same host.
|
|
# * By default the list is empty
|
|
#
|
|
# Related options:
|
|
# * allowed_schemes
|
|
# * disallowed_schemes
|
|
# * allowed_hosts
|
|
# * allowed_ports
|
|
# * disallowed_ports
|
|
#
|
|
# (list value)
|
|
#disallowed_hosts =
|
|
|
|
#
|
|
# Specify the allowed ports for web-download.
|
|
#
|
|
# This option provides whitelisting for the uri ports that the web-download
# import method will accept. The whitelist always takes priority: when it is
# set, any blacklisting of the ports is ignored, but host and scheme filtering
# are still obeyed.
|
|
#
|
|
# For example: If the port blacklist contains '80' and the whitelist contains
# ['80', '443'], the whitelist is obeyed for http://example.com:80, but any
# other port like ftp://example.com:21 is blocked even though it is not
# blacklisted.
|
|
#
|
|
# Possible values:
|
|
# * List containing ports as they are returned from urllib.parse netloc
|
|
# field. For example ['80','443']
|
|
#
|
|
# Related options:
|
|
# * allowed_schemes
|
|
# * disallowed_schemes
|
|
# * allowed_hosts
|
|
# * disallowed_hosts
|
|
# * disallowed_ports
|
|
# (list value)
|
|
#allowed_ports = 80,443
|
|
|
|
#
|
|
# Specify the disallowed ports for web-download.
|
|
#
|
|
# This option provides blacklisting for the uri ports that the web-download
# import method will refuse. The whitelist always takes priority: when it is
# set, any blacklisting of the ports is ignored, but host and scheme filtering
# are still obeyed.
|
|
#
|
|
# For example: If the port blacklist contains '80' and the whitelist contains
# ['80', '443'], the whitelist is obeyed for http://example.com:80, but any
# other port like ftp://example.com:21 is blocked even though it is not
# blacklisted. If no whitelist is defined, the blacklisted port is disallowed
# for every scheme and host combination.
|
|
#
|
|
# Possible values:
|
|
# * List containing ports as they are returned from urllib.parse netloc
|
|
# field. For example ['80','443']
|
|
# * By default this list is empty.
|
|
#
|
|
# Related options:
|
|
# * allowed_schemes
|
|
# * disallowed_schemes
|
|
# * allowed_hosts
|
|
# * disallowed_hosts
|
|
# * allowed_ports
|
|
#
|
|
# (list value)
|
|
#disallowed_ports =
|
|
|
|
|
|
[inject_metadata_properties]
|
|
|
|
#
|
|
# From glance
|
|
#
|
|
|
|
#
|
|
# Specify the names of the user roles to be ignored when injecting metadata
# properties into the image.
|
|
#
|
|
# Possible values:
|
|
# * List containing user roles. For example: [admin,member]
|
|
#
|
|
# (list value)
|
|
#ignore_user_roles = admin
|
|
|
|
#
|
|
# Dictionary containing the metadata properties to be injected into the image.
|
|
#
|
|
# Possible values:
|
|
# * Dictionary containing key/value pairs. The length of a key
#   should be <= 255 characters. For example: k1:v1,k2:v2
|
|
#
|
|
#
|
|
# (dict value)
|
|
#inject =
|