Revise import property injection plugin releasenote
Revise the releasenote from I98be97c42f23b60a72d520aad5f6078a96372c59 by reducing the release note to a summary and moving the details to the documentation (Glance Admin Guide).

Co-authored-by: Bhagyashri Shewale <bhagyashri.shewale@nttdata.com>
Co-authored-by: Brian Rosmaita <rosmaita.fossdev@gmail.com>
Closes-bug: #1745124
Change-Id: Iaa3139fade75f1e3708dce8525f3571aba997589
parent 7a718cf573
commit 49a1a0a02b
@ -127,3 +127,104 @@ specified in this list.
.. _`Stevedore`: https://docs.openstack.org/stevedore
.. _`Taskflow`: https://docs.openstack.org/taskflow
.. _`Taskflow "Task" object`: https://docs.openstack.org/taskflow/latest/user/atoms.html#task

The Image Property Injection Plugin
-----------------------------------
.. list-table::

* - release introduced
- Queens (Glance 16.0.0)
* - configuration file
- ``glance-image-import.conf``
* - configuration file section
- ``[inject_metadata_properties]``

This plugin implements the Glance spec `Inject metadata properties
automatically to non-admin images`_. One use case for this plugin is a
situation where an operator wants to put specific metadata on images imported
by end users so that virtual machines booted from these images will be located
on specific compute nodes. Since it's unlikely that an end user (the image
owner) will know the appropriate properties or values, an operator may use
this plugin to inject the properties automatically upon image import.

.. note::

This plugin may only be used as part of the interoperable image import
workflow (``POST v2/images/{image_id}/import``). *It has no effect on the
image data upload call* (``PUT v2/images/{image_id}/file``).

You can guarantee that your end users must use interoperable image import by
restricting the ``upload_image`` policy appropriately in the Glance
``policy.json`` file. By default, this policy is unrestricted (that is,
any authorized user may make the image upload call).

For example, to allow only admin or service users to make the image upload
call, the policy could be restricted as follows:

.. code-block:: text

"upload_image": "role:admin or (service_user_id:<uuid of nova user>) or
(service_roles:<service user role>)"

where "service_role" is the role which is created for the service user
and assigned to trusted services.

To use the Image Property Injection Plugin, the following configuration is
required.

1. You will need to configure 'glance-image-import.conf' file as shown
below:

.. code-block:: ini

[image_import_opts]
image_import_plugins = [inject_image_metadata]

[inject_metadata_properties]
ignore_user_roles = admin,...
inject = "property1":"value1","property2":"value2",...

The first section, ``image_import_opts``, is used to enable the plugin by
specifying the plugin name as one of the elements of the list that is the
value of the `image_import_plugins` parameter. The plugin name is simply
the module name under glance/async/flows/plugins/

The second section, ``inject_metadata_properties``, is where you set the
parameters for the injection plugin. (Note that the values you specify here
only have an effect if the plugin has been enabled in the
``image_import_plugins`` list as described above.)

* ``ignore_user_roles`` is a comma-separated list of Keystone roles that the
plugin will ignore. In other words, if the user making the image import
call has any of these roles, the plugin will not inject any properties
into the image.

* ``inject`` is a comma-separated list of properties and values that will be
injected into the image record for the imported image. Each property and
value should be quoted and separated by a colon (':') as shown in the
example above.

2. If your use case is such that you don't want to allow end-users to create,
modify, or delete metadata properties that you are injecting during the
interoperable image import process, you will need to protect these
properties using the Glance property protection feature (available since
the Havana release).

For example, suppose there is a property named 'property1' that you want
injected during import, but you only want an administrator or service user
to be able to create this property, and you want only an administrator to be
able to modify or delete it. You could accomplish this by adding the
following to the property protection configuration file:

.. code-block:: ini

[property1]
create = admin,service_role
read = admin,service_role,member,_member_
update = admin
delete = admin

See the :ref:`property-protections` section of this Guide for more
information.

.. _`Inject metadata properties automatically to non-admin images`: https://specs.openstack.org/openstack/glance-specs/specs/queens/approved/glance/inject-automatic-metadata.html
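Review bot: the lines `ignore_user_roles = admin,...` and `inject = "property1":"value1","property2":"value2",...` sit inside a `.. code-block:: ini` block but are not valid option values because of the literal `...`; since the bullets below already explain the comma-separated format, give two concrete entries and drop the ellipsis so an operator can copy the block as written. Two smaller points in the same hunk: the sentence ending `the module name under glance/async/flows/plugins/` has no terminating period, and the property-protection example `create = admin,service_role` should say that `service_role` stands for the actual role name used in `service_roles:<service user role>` in the `upload_image` policy above, because a mismatch there would let the service user upload but not create the injected property.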
@ -1,72 +1,30 @@
---
features:
- |
Made provision to inject image metadata properties to non-admin
images during creation of image using 'image-import' API.
Added a plugin to inject image metadata properties to non-admin
images created via the interoperable image import process.

upgrade:
- |
- There are two methods to create images:
Added a plugin to inject image metadata properties to non-admin
images created via the interoperable image import process. This
plugin implements the spec `Inject metadata properties automatically
to non-admin images`_. See the spec for a discussion of the use case
addressed by this plugin.

- Method A:
Use of the plugin requires configuration as described in the
`The Image Property Injection Plugin`_ section of the Glance Admin Guide.

.. code-block:: none
Note that the plugin applies *only* to images imported via the
`interoperable image import process`_. Thus images whose data is
set using the `image data upload`_ call will *not* be processed by
the plugin and hence will not have properties injected. You can
force end users to use the interoperable image import process by
restricting the data upload call, which is governed by the
``upload_image`` policy in the Glance ``policy.json`` file. See
the documentation for more information.

POST /v2/images
PUT /v2/images/{image_id}/file

- Method B:

.. code-block:: none

POST /v2/images
PUT /v2/images/{image_id}/stage
POST /v2/images/{image_id}/import

The long term goal is to make end-users use Method B to create images
and cross-services like Nova to use Method A until changes are made to
use Method B. To restrict end-users from using Method A to create
images, you will need to allow only admin or service users to call
"upload_image" API as shown below.

.. code-block:: none

upload_image": "role:admin or (service_user_id:<uuid of nova user>) or
(service_roles:<service user role>)"

"service_role" is the role which is created for the service user
and assigned to the trusted services.

- To use this feature below configurations are required:

You will need to configure 'glance-image-import.conf' file as shown
below:

.. code-block:: none

[image_import_opts]
image_import_plugins = [inject_image_metadata]

[inject_metadata_properties]
ignore_user_roles = admin,...
inject = "property1":"value",...

The first section "image_import_opts" is used to enable/plug the task
using `image_import_plugins` parameter by giving plugin name.
Plugin name is nothing but the module name under
glance/async/flows/plugins/

You don't want to allow end-users to create metadata properties
you want to be injected automatically during creation of images.
So, you will need to protect such metadata properties using
property protection configuration file as shown below.
Only admin or service user will be able to create metadata
property 'property1'.

.. code-block:: none

[property1]
create = admin,service_role
read = admin,service_role,member,_member_
update = admin
delete = admin
.. _`Inject metadata properties automatically to non-admin images`: https://specs.openstack.org/openstack/glance-specs/specs/queens/approved/glance/inject-automatic-metadata.html
.. _`interoperable image import process`: https://developer.openstack.org/api-ref/image/v2/#interoperable-image-import
.. _`The Image Property Injection Plugin`: https://docs.openstack.org/glance/latest/admin/interoperable-image-import.html#the-image-property-injection-plugin
.. _`image data upload`: https://developer.openstack.org/api-ref/image/v2/#upload-binary-image-data
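Review bot: the new `upgrade` entry opens with the same sentence as the `features` entry (`Added a plugin to inject image metadata properties to non-admin images created via the interoperable image import process.`), so the rendered release notes will carry that text twice; keep the description under `features` and start `upgrade` at `Use of the plugin requires configuration as described in the ...` line. Also, `See the documentation for more information.` after the `upload_image` / `policy.json` sentence is vague when the `The Image Property Injection Plugin`_ target is defined a few lines further down; refer to that section by name so the reader lands on the policy restriction guidance directly.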