3 Commits

Author SHA1 Message Date
Matt Riedemann
dc9fb5842c Fix nits from trusted certs notification change
This is a follow up to address a few nits in change
Ib5b50a3889ab15d5aac992f92e9be372a915eeff.

Change-Id: I08ce4a9f5bb33761d8c5ff82ef9faf874ac97fcc
2018-06-15 08:34:12 -04:00
Brianna Poulos
e8ed9aacf8 Add notification support for trusted_certs
Add the 'trusted_image_certificates' field to InstanceCreatePayload
and InstanceActionRebuildPayload notifications.

Change-Id: Ib5b50a3889ab15d5aac992f92e9be372a915eeff
2018-06-14 16:16:00 +02:00
Brianna Poulos
8c7ca368b1 Add trusted_image_certificates to REST API
This change adds support for the trusted_image_certificates parameter,
which is used to define a list of trusted certificate IDs that can be
used during image signature verification and certificate validation. The
parameter may contain a list of strings, each string representing the ID
of a trusted certificate. The list is restricted to a maximum of 50 IDs.
The list of certificate IDs will be stored in the trusted_certs field of
the instance InstanceExtra and will be used to verify the validity of
the signing certificate of a signed instance image.

The trusted_image_certificates request parameter can be passed to
the server create and rebuild APIs (if allowed by policy):

* POST /servers
* POST /servers/{server_id}/action (rebuild)

The following policy rules were added to restrict the usage of the
``trusted_image_certificates`` request parameter in the server create
and rebuild APIs:

* os_compute_api:servers:create:trusted_certs
* os_compute_api:servers:rebuild:trusted_certs

The trusted_image_certificates parameter will be in the response
body of the following APIs (not restricted by policy):

* GET /servers/detail
* GET /servers/{server_id}
* PUT /servers/{server_id}
* POST /servers/{server_id}/action (rebuild)

APIImpact

Implements blueprint: nova-validate-certificates
Change-Id: Iedd3fea0e86648fae364f075915555dcb2c4f199
2018-06-13 15:52:59 -04:00