Merge "Add ignore_project_check_for_admin_tasks config option"

Zuul
2025-03-13 21:50:41 +00:00
committed by Gerrit Code Review
3 changed files with 15 additions and 1 deletions


@@ -22,7 +22,7 @@ from oslo_utils import timeutils
from oslo_utils import uuidutils
from ironic.common import exception
from ironic.conf import CONF
_IMAGE_ATTRIBUTES = ['size', 'disk_format', 'owner',
'container_format', 'checksum', 'id',
@@ -127,6 +127,7 @@ def is_image_available(context, image):
image_visibility = getattr(image, 'visibility', None)
image_owner = getattr(image, 'owner', None)
image_id = getattr(image, 'id', 'unknown')
is_admin = 'admin' in getattr(context, 'roles', [])
project_id = getattr(context, 'project_id', None)
project = getattr(context, 'project', 'unknown')
# The presence of an auth token implies this is an authenticated
@@ -142,6 +143,9 @@ def is_image_available(context, image):
if project_id and image_owner == project_id:
return True
if is_admin and CONF.ignore_project_check_for_admin_tasks:
return True
LOG.info(
'Access to %s owned by %s denied to requester %s',
image_id, image_owner, project
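Review bot: The new `if is_admin and CONF.ignore_project_check_for_admin_tasks:` branch returns True without writing any log record, so an admin-role request that reads another project's image cannot be told apart from an owner match when auditing. I would log the bypass before the `return True`, for example `LOG.debug('Project check skipped for admin requester %s on image %s owned by %s', project, image_id, image_owner)`. Also, `is_admin = 'admin' in getattr(context, 'roles', [])` matches on the role name alone, so a project-scoped admin appears to pass as well; it is worth confirming that this is intended. If `roles` can ever be present but None, `getattr(context, 'roles', None) or []` avoids a TypeError. The body of is_image_available starts and ends outside the hunks shown.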


@@ -69,6 +69,12 @@ api_opts = [
default='/etc/ironic/htpasswd',
help=_('Path to Apache format user authentication file used '
'when auth_strategy=http_basic')),
cfg.BoolOpt(
'ignore_project_check_for_admin_tasks',
default=True,
help=_('If True, allows admin tasks to access image without'
'matching project_id')
),
cfg.BoolOpt('debug_tracebacks_in_api',
default=False,
help=_('Return server tracebacks in the API response for any '
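Review bot: The help string for `ignore_project_check_for_admin_tasks` is missing a space where the two fragments join, so it renders as "withoutmatching project_id"; the first fragment should read `'If True, allows admin tasks to access image without '`. The option relaxes an image ownership check and ships with `default=True`, so the bypass is active unless an operator turns it off. If that default is deliberate (for example to preserve earlier behaviour), the help text should say so and state what setting it to False enforces. The `api_opts` list starts and ends outside the hunk.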


@@ -0,0 +1,4 @@
---
features:
- If `ignore_project_check_for_admin_tasks` is set to `True`, the system will check if the requester
is an admin for verifying image availability, bypassing the project check for administrative tasks.