glance/etc/glance-image-import.conf.sample
Erno Kuvaja 1591f573ae URI filtering for web-download
Implement URI filtering to prevent port scanning with the web-download
Image import method.

Closes-Bug: #1748512

Change-Id: Ide5ace8979bb12239c99a312747b3151c1e64ce8
2018-02-15 15:36:28 +00:00


# Sample glance-image-import.conf. Every option shown here is commented
# out; uncomment a line and edit its value to set the option.
[DEFAULT]
[image_import_opts]
#
# From glance
#
#
# Image import plugins to be enabled for task processing.
#
# Provide a list of strings naming the task objects that should
# be included in the Image Import flow. The task objects need to
# be defined in 'glance/async/flows/plugins/*' and may be
# implemented by the OpenStack Glance project team, a deployer
# or a 3rd party.
#
# By default no plugins are enabled; to take advantage of the
# plugin model the list of plugins must be set explicitly in
# the glance-image-import.conf file.
#
# The allowed value for this option is a comma separated list
# of object names in between ``[`` and ``]``.
#
# NOTE(review): a listed plugin becomes part of the import flow
# for images, so list only task objects from a source you trust.
#
# Possible values:
# * no_op (only logs a debug level message that the
# plugin has been executed)
# * Any provided Task object name to be included
# in the flow.
# (list value)
#image_import_plugins = [no_op]
[import_filtering_opts]
# Filters applied to the URI given to the web-download import method.
# Scheme, host and port each have an allow list and a disallow list; per
# the option texts below, an allow list takes priority over the matching
# disallow list, and all three kinds of filter are applied together.
#
# From glance
#
#
# Specify the allowed url schemes for web-download.
#
# This option provides whitelisting for the uri schemes that the
# web-download import method will be using. Whitelisting always takes
# priority and ignores any blacklisting of the schemes, but still obeys
# host and port filtering.
#
# For example: If scheme blacklisting contains 'http' and the whitelist
# contains ['http', 'https'], the whitelist is obeyed on http://example.com
# but any other scheme like ftp://example.com is blocked even if it is not
# blacklisted.
#
# Possible values:
# * List containing normalized url schemes as they are returned from
# urllib.parse. For example ['ftp','https']
#
# Related options:
# * disallowed_schemes
# * allowed_hosts
# * disallowed_hosts
# * allowed_ports
# * disallowed_ports
#
# (list value)
#allowed_schemes = http,https
#
# Specify the blacklisted url schemes for web-download.
#
# This option provides blacklisting for the uri schemes that the
# web-download import method will be using. Whitelisting always takes
# priority and ignores any blacklisting of the schemes, but still obeys
# host and port filtering. Blacklisting can be used to prevent a specific
# scheme from being used when whitelisting is not in use.
#
# For example: If scheme blacklisting contains 'http' and the whitelist
# contains ['http', 'https'], the whitelist is obeyed on http://example.com
# but any other scheme like ftp://example.com is blocked even if it is not
# blacklisted.
#
# Possible values:
# * List containing normalized url schemes as they are returned from
# urllib.parse. For example ['ftp','https']
# * By default the list is empty
#
# Related options:
# * allowed_schemes
# * allowed_hosts
# * disallowed_hosts
# * allowed_ports
# * disallowed_ports
#
# (list value)
#disallowed_schemes =
#
# Specify the allowed target hosts for web-download.
#
# This option provides whitelisting for the hosts that the web-download
# import method will be using. Whitelisting always takes priority and
# ignores any blacklisting of the hosts, but still obeys scheme and port
# filtering.
#
# For example: If scheme blacklisting contains 'http' and the whitelist
# contains ['http', 'https'], the whitelist is obeyed on http://example.com
# but any other scheme like ftp://example.com is blocked even if it is not
# blacklisted. In the same way, the whitelisted example.com is only obeyed
# on the allowed schemes and/or ports. Whitelisting a host does not allow
# all schemes and ports to be accessed on it.
#
# NOTE(review): both host lists are documented as empty by default, so
# this file appears to configure no host restriction until one is set.
# A deployment that offers web-download to untrusted users presumably
# wants allowed_hosts populated - confirm the effective default.
#
# Possible values:
# * List containing normalized hostname or ip like it would be returned
# in the urllib.parse netloc without the port
# * By default the list is empty
#
# Related options:
# * allowed_schemes
# * disallowed_schemes
# * disallowed_hosts
# * allowed_ports
# * disallowed_ports
#
# (list value)
#allowed_hosts =
#
# Specify the blacklisted hosts for web-download.
#
# This option provides blacklisting for the hosts that the web-download
# import method will be using. Whitelisting always takes priority and
# ignores any blacklisting, but still obeys scheme and port filtering.
#
# For example: If scheme blacklisting contains 'http' and the whitelist
# contains ['http', 'https'], the whitelist is obeyed on http://example.com
# but any other scheme like ftp://example.com is blocked even if it is not
# blacklisted. The blacklisted example.com is obeyed on any url pointing to
# that host regardless of what its scheme or port is.
#
# NOTE(review): the values are described as the hostname or ip as it
# appears in the url. Whether a name that resolves to an internal address,
# or a redirect to another host, is also filtered is not stated here -
# confirm before relying on this list alone to protect internal services.
#
# Possible values:
# * List containing normalized hostname or ip like it would be returned
# in the urllib.parse netloc without the port
# * By default the list is empty
#
# Related options:
# * allowed_schemes
# * disallowed_schemes
# * allowed_hosts
# * allowed_ports
# * disallowed_ports
#
# (list value)
#disallowed_hosts =
#
# Specify the allowed ports for web-download.
#
# This option provides whitelisting for the uri ports that the
# web-download import method will be using. Whitelisting always takes
# priority and ignores any blacklisting of the ports, but still obeys host
# and scheme filtering.
#
# For example: If port blacklisting contains '80' and the whitelist
# contains ['80', '443'], the whitelist is obeyed on http://example.com:80
# but any other port like ftp://example.com:21 is blocked even if it is not
# blacklisted.
#
# Possible values:
# * List containing ports as they are returned from urllib.parse netloc
# field. For example ['80','443']
#
# Related options:
# * allowed_schemes
# * disallowed_schemes
# * allowed_hosts
# * disallowed_hosts
# * disallowed_ports
#
# (list value)
#allowed_ports = 80,443
#
# Specify the disallowed ports for web-download.
#
# This option provides blacklisting for the uri ports that the
# web-download import method will be using. Whitelisting always takes
# priority and ignores any blacklisting of the ports, but still obeys host
# and scheme filtering.
#
# For example: If port blacklisting contains '80' and the whitelist
# contains ['80', '443'], the whitelist is obeyed on http://example.com:80
# but any other port like ftp://example.com:21 is blocked even if it is not
# blacklisted. If no whitelisting is defined, any scheme and host
# combination is disallowed for the blacklisted port.
#
# Possible values:
# * List containing ports as they are returned from urllib.parse netloc
# field. For example ['80','443']
# * By default this list is empty.
#
# Related options:
# * allowed_schemes
# * disallowed_schemes
# * allowed_hosts
# * disallowed_hosts
# * allowed_ports
#
# (list value)
#disallowed_ports =
[inject_metadata_properties]
#
# From glance
#
#
# Specify the names of the user roles to be ignored when injecting
# metadata properties in the image.
#
# Possible values:
# * List containing user roles. For example: [admin,member]
#
# (list value)
#ignore_user_roles = admin
#
# Dictionary containing the metadata properties to be injected in the
# image.
#
# Possible values:
# * Dictionary containing key/value pairs. Key length should be
# <= 255 characters. For example: k1:v1,k2:v2
#
#
# (dict value)
#inject =