2efc5b8fff
Change-Id: I3815305e3b9d86eadfbaf6b9cf4d0867fc664fb5
90 lines
3.9 KiB
YAML
---
features:
  - |
    A new policy, ``tasks_api_access``, has been introduced so that ordinary
    user credentials may be used by Glance to manage the tasks that accomplish
    the interoperable image import process without requiring that operators
    expose the Tasks API to end users.
upgrade:
  - |
    If you wish to enable the EXPERIMENTAL version 2.6 API that contains the
    new interoperable image import functionality, set the configuration option
    ``enable_image_import`` to True in the glance-api.conf file. The default
    value for this option is False.

    The interoperable image import functionality uses the Glance tasks
    engine. This is transparent to end users, as they do *not* use the
    Tasks API for the interoperable image import workflow. The operator,
    however, must make sure that the following configuration options
    are set correctly.

    - ``enable_image_import``
    - ``node_staging_uri``
    - the options in the ``[task]`` group
    - the options in the ``[taskflow_executor]`` group

    See the documentation in the sample glance-api.conf file for more
    information.

    Additionally, you will need to verify that the task-related policies
    in the Glance policy.json file are set correctly. These settings are
    described below.
  - |
    A new policy, ``tasks_api_access``, has been introduced so that ordinary
    user credentials may be used by Glance to manage the tasks that accomplish
    the interoperable image import process without requiring that operators
    expose the Tasks API to end users.

    The `Tasks API`_ was made admin-only by default in Mitaka by restricting
    the following policy targets to **role:admin**: **get_task**,
    **get_tasks**, **add_task**, and **modify_task**.

    The new ``tasks_api_access`` policy target directly controls access to the
    Tasks API, whereas the targets just mentioned indirectly affect what can be
    manipulated via the API by controlling what operations can be performed
    on Glance's internal task objects. The key point is that if you want to
    expose the new interoperable image import process to end users while
    keeping the Tasks API admin-only, you can accomplish this by using the
    following settings:

    .. code-block:: none

        "get_task": "",
        "get_tasks": "",
        "add_task": "",
        "modify_task": "",
        "tasks_api_access": "role:admin",

    To summarize: end users do **not** need access to the Tasks API in
    order to use the new interoperable image import process. They do,
    however, need permission to access internal Glance task objects.

    We recommend that all operators adopt the policy settings just
    described independently of the decision whether to expose the
    EXPERIMENTAL version 2.6 API.

    .. _`Tasks API`: https://developer.openstack.org/api-ref/image/v2/index.html#tasks

security:
  - |
    A new policy, ``tasks_api_access``, has been introduced so that ordinary
    user credentials may be used by Glance to manage the tasks that accomplish
    the interoperable image import process without requiring that operators
    expose the Tasks API to end users.

    This is a good time to review your Glance ``policy.json`` file to make
    sure that if it contains a ``default`` target, the rule is fairly
    restrictive ("role:admin" or "!" are good choices). The ``default``
    target is used when the policy engine cannot find the target it's
    looking for. This can happen when a new policy is introduced but the
    policy file in use is from a prior release.
other:
  - |
    The Image Service API Reference has been updated with a section on the
    `Interoperable image import`_ process (also known as "image import
    refactored") and the API calls that are exposed to implement it in
    the EXPERIMENTAL v2.6 of the API.

    .. _`Interoperable image import`: https://developer.openstack.org/api-ref/image/v2/index.html#interoperable-image-import
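
An added example, not part of the release note or of Glance's own code: a Python check that applies the ``default`` fallback described in the security note to a parsed ``policy.json`` and reports task-related targets that are unset or resolve to a rule other than "role:admin" or "!". The two sample policies are constructed, and how a target is reported when no ``default`` exists is an assumption of this sketch.

```python
import json

# Targets and "good choices" are taken from the release note above.
TASK_TARGETS = ("get_task", "get_tasks", "add_task", "modify_task")
API_TARGET = "tasks_api_access"
RESTRICTIVE = {"role:admin", "!"}

# Constructed samples: a policy file from a prior release (no
# tasks_api_access, permissive default) and the settings the note recommends.
OLD_POLICY = json.loads("""{
  "default": "",
  "get_task": "role:admin", "get_tasks": "role:admin",
  "add_task": "role:admin", "modify_task": "role:admin"
}""")
RECOMMENDED = json.loads("""{
  "default": "role:admin",
  "get_task": "", "get_tasks": "", "add_task": "", "modify_task": "",
  "tasks_api_access": "role:admin"
}""")


def effective_rule(policy, target):
    """Return (rule, source), falling back to ``default`` for unset targets."""
    if target in policy:
        return policy[target], "explicit"
    if "default" in policy:
        return policy["default"], "default"
    return None, "missing"  # assumption: reported, not resolved further


def audit(policy):
    """Return findings for the default target and the task-related targets."""
    findings = []
    default = policy.get("default")
    if default is not None and default not in RESTRICTIVE:
        findings.append(f"default is {default!r}: review, it is not role:admin or !")
    for target in TASK_TARGETS + (API_TARGET,):
        rule, source = effective_rule(policy, target)
        if source != "explicit":
            findings.append(f"{target} unset: rule {rule!r} comes from {source}")
    rule, _ = effective_rule(policy, API_TARGET)
    if rule is not None and rule not in RESTRICTIVE:
        findings.append(f"{API_TARGET} resolves to {rule!r}: Tasks API may be exposed")
    return findings


if __name__ == "__main__":
    for name, policy in (("old", OLD_POLICY), ("recommended", RECOMMENDED)):
        print(name, audit(policy) or "no findings")
```

To check a deployed file, pass ``json.load(open(path))`` for your own ``policy.json`` to ``audit``.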