Image properties and property protection

An image property is a key and value pair that the cloud administrator or the image owner attaches to an OpenStack Image Service image, as follows:

- The cloud administrator defines core properties, such as the image name.
- The cloud administrator and the image owner can define additional properties, such as licensing and billing information.

The cloud administrator can configure any property as protected, which limits which policies or user roles can perform CRUD operations on that property. Protected properties are generally additional properties to which only cloud administrators have access.

For unprotected image properties, the cloud administrator can manage core properties and the image owner can manage additional properties.

To configure property protection

To configure property protection, the cloud administrator completes these steps:

1. Define roles or policies in the policy.json file:

   For each parameter, use "rule:restricted" to restrict access to all users or "role:admin" to limit access to administrator roles. For example:

       "download_image": "rule:restricted"
       "upload_image": "role:admin"

2. Define which roles or policies can manage which properties in a property protections configuration file. For example:

       [x_none_read]
       create = context_is_admin
       read = !
       update = !
       delete = !

       [x_none_update]
       create = context_is_admin
       read = context_is_admin
       update = !
       delete = context_is_admin

       [x_none_delete]
       create = context_is_admin
       read = context_is_admin
       update = context_is_admin
       delete = !

   A value of @ allows the corresponding operation for a property.
   A value of ! disallows the corresponding operation for a property.

3. In the glance-api.conf file, define the location of a property protections configuration file:

       property_protection_file = {file_name}

   This file contains the rules for property protections and the roles and policies associated with it. By default, property protections are not enforced. If you specify a file name value and the file is not found, the glance-api service does not start.

   To view a sample configuration file, see glance-api.conf.

4. Optionally, in the glance-api.conf file, specify whether roles or policies are used in the property protections configuration file:

       property_protection_rule_format = roles

   The default is roles.

   To view a sample configuration file, see glance-api.conf.
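To review a property protections file before deploying it, the following added example (not Glance's own code) parses the rules and answers whether an operation on a property would be permitted. The names `load_rules`, `is_allowed` and `granted` are hypothetical. It assumes that section names are regular expressions searched against the property name, that the first matching section wins, and that a property matching no section is denied.

```python
import configparser
import re

# Constructed sample: two of the sections shown above (policies format).
SAMPLE_RULES = """
[x_none_read]
create = context_is_admin
read = !
update = !
delete = !
[x_none_update]
create = context_is_admin
read = context_is_admin
update = !
delete = context_is_admin
"""
OPERATIONS = ("create", "read", "update", "delete")


def load_rules(text):
    """Return [(compiled_regex, {operation: [names]})] in file order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    rules = []
    for section in parser.sections():
        ops = {}
        for op in OPERATIONS:
            raw = parser.get(section, op, fallback="")  # missing op: nobody
            names = [n.strip() for n in raw.split(",") if n.strip()]
            if "@" in names and "!" in names:
                raise ValueError(f"[{section}] {op}: '@' and '!' conflict")
            ops[op] = names
        rules.append((re.compile(section), ops))
    return rules


def is_allowed(rules, prop, operation, granted):
    """granted: role names the caller holds, or policy names that pass."""
    for pattern, ops in rules:  # assumption: first matching section wins
        if pattern.search(prop):
            names = ops.get(operation, [])
            if "!" in names:
                return False
            if "@" in names:
                return True
            return bool(set(names) & set(granted))
    return False  # assumption: a property with no matching section is denied
```

Running `is_allowed` over every property and operation you care about, for both an administrator and an ordinary image owner, shows which properties are unintentionally writable or readable before the file reaches glance-api.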