glance/api-ref/source/v2/metadefs-index.rst
Abhishek Kekane f8551de8c9 Make some metadef operations admin-only
This restricts all metadef resource manipulation to admin-only, but
still allows users to see everything. There are multiple low-grade
security issues with the metadef API, detailed in the related bug.
Restricting resource manipulation to admin-only solves most of these
concerns.

SecurityImpact
Depends-On: https://review.opendev.org/c/openstack/tempest/+/780108
Change-Id: I333c58e73c202c1f523030e54e03f2868459b595
Related-Bug: #1916926
2021-03-15 07:59:05 -07:00


Metadata Definitions Service API v2 (CURRENT)

Metadefs

General information

The Metadata Definitions Service ("metadefs", for short) provides a common API for vendors, operators, administrators, services, and users to meaningfully define available key:value pairs that can be used on different types of cloud resources (for example, images, artifacts, volumes, flavors, aggregates, and other resources).

To get you started, Glance contains a default catalog of metadefs that may be installed at your site; see the README in the code repository for details.

Once a common catalog of metadata definitions has been created, the catalog is available for querying through the API. Note that this service stores only the catalog, because metadefs are meta-metadata. Metadefs provide information about resource metadata, but do not themselves serve as actual metadata.

Actual key:value pairs are stored on the resources to which they apply using the metadata facilities provided by the appropriate API. (For example, the Images API would be used to put specific key:value pairs on a virtual machine image.)

A metadefs definition includes a property's key, its description, its constraints, and the resource types with which it can be associated. See Metadata Definition Concepts in the Glance Developer documentation for more information.

Note

By default, only admins can manipulate the data exposed by this API, but all users may list and show public resources. This changed from a default of "open to all" in the Wallaby release.
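A site that carried policy overrides across the Wallaby upgrade can still be running the old "open to all" behavior. The following added example (not part of this reference and not Glance's own code) audits the text of a policy file for metadef write rules that remain open. It assumes flat, double-quoted `"name": "check string"` lines, Glance's `metadef_admin` and `metadef_default` helper rules, and write rules named with an `add`/`modify`/`delete`/`remove` prefix, none of which are stated on this page.

```python
import re

# Assumed Glance defaults for the two helper rules (not stated on the page).
DEFAULTS = {"metadef_admin": "role:admin", "metadef_default": ""}
# Assumption: rules that change metadef data are named <verb>_metadef_<thing>.
WRITE_RULE = re.compile(r"^(add|modify|delete|remove)_metadef_")
# One flat, double-quoted override per line: "name": "check string"
LINE = re.compile(r'^\s*"?(\w+)"?\s*:\s*"(.*)"\s*$')

def parse_policy(text):
    """Return {rule name: check string}; comments and other lines are skipped."""
    return {m.group(1): m.group(2)
            for m in map(LINE.match, text.splitlines()) if m}

def resolve(check, rules, seen=()):
    """Follow bare 'rule:x' aliases to the check string they end at."""
    check = check.strip()
    m = re.fullmatch(r"rule:(\w+)", check)
    if not m or m.group(1) in seen:
        return check
    target = rules.get(m.group(1), DEFAULTS.get(m.group(1)))
    return check if target is None else resolve(target, rules, seen + (m.group(1),))

def audit(text):
    """Classify every overridden metadef write rule in a policy file."""
    rules = parse_policy(text)
    report = {}
    for name in filter(WRITE_RULE.match, rules):
        final = resolve(rules[name], rules)
        if final in ("", "@"):          # empty string and "@" always allow
            report[name] = "open"
        elif final == "role:admin":
            report[name] = "admin-only"
        else:
            report[name] = "review"     # custom expression: read it by hand
    return report

# Constructed sample overrides, not taken from any real deployment.
SAMPLE = '''
"add_metadef_namespace": ""
"modify_metadef_namespace": "rule:metadef_default"
"delete_metadef_namespace": "rule:metadef_admin"
"add_metadef_tag": "role:admin or role:member"
"get_metadef_namespace": ""
'''

if __name__ == "__main__":
    for rule, verdict in sorted(audit(SAMPLE).items()):
        print(f"{verdict:10} {rule}")
```

Rules absent from the file fall back to the service defaults, so only overrides are reported. Anything marked `open` lets any authenticated user modify the catalog.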