Merge "Revise import property injection plugin releasenote"

Zuul 2018-02-08 07:01:10 +00:00 committed by Gerrit Code Review
commit 55fa35963a
2 changed files with 122 additions and 63 deletions


@ -127,3 +127,104 @@ specified in this list.
.. _`Stevedore`: https://docs.openstack.org/stevedore .. _`Stevedore`: https://docs.openstack.org/stevedore
.. _`Taskflow`: https://docs.openstack.org/taskflow .. _`Taskflow`: https://docs.openstack.org/taskflow
.. _`Taskflow "Task" object`: https://docs.openstack.org/taskflow/latest/user/atoms.html#task .. _`Taskflow "Task" object`: https://docs.openstack.org/taskflow/latest/user/atoms.html#task
The Image Property Injection Plugin
-----------------------------------
.. list-table::
* - release introduced
- Queens (Glance 16.0.0)
* - configuration file
- ``glance-image-import.conf``
* - configuration file section
- ``[inject_metadata_properties]``
This plugin implements the Glance spec `Inject metadata properties
automatically to non-admin images`_. One use case for this plugin is a
situation where an operator wants to put specific metadata on images imported
by end users so that virtual machines booted from these images will be located
on specific compute nodes. Since it's unlikely that an end user (the image
owner) will know the appropriate properties or values, an operator may use
this plugin to inject the properties automatically upon image import.
.. note::
This plugin may only be used as part of the interoperable image import
workflow (``POST v2/images/{image_id}/import``). *It has no effect on the
image data upload call* (``PUT v2/images/{image_id}/file``).
You can guarantee that your end users must use interoperable image import by
restricting the ``upload_image`` policy appropriately in the Glance
``policy.json`` file. By default, this policy is unrestricted (that is,
any authorized user may make the image upload call).
For example, to allow only admin or service users to make the image upload
call, the policy could be restricted as follows:
.. code-block:: text
"upload_image": "role:admin or (service_user_id:<uuid of nova user>) or
(service_roles:<service user role>)"
where "service_role" is the role which is created for the service user
and assigned to trusted services.
To use the Image Property Injection Plugin, the following configuration is
required.
1. You will need to configure 'glance-image-import.conf' file as shown
below:
.. code-block:: ini
[image_import_opts]
image_import_plugins = [inject_image_metadata]
[inject_metadata_properties]
ignore_user_roles = admin,...
inject = "property1":"value1","property2":"value2",...
The first section, ``image_import_opts``, is used to enable the plugin by
specifying the plugin name as one of the elements of the list that is the
value of the `image_import_plugins` parameter. The plugin name is simply
the module name under glance/async/flows/plugins/
The second section, ``inject_metadata_properties``, is where you set the
parameters for the injection plugin. (Note that the values you specify here
only have an effect if the plugin has been enabled in the
``image_import_plugins`` list as described above.)
* ``ignore_user_roles`` is a comma-separated list of Keystone roles that the
plugin will ignore. In other words, if the user making the image import
call has any of these roles, the plugin will not inject any properties
into the image.
* ``inject`` is a comma-separated list of properties and values that will be
injected into the image record for the imported image. Each property and
value should be quoted and separated by a colon (':') as shown in the
example above.
2. If your use case is such that you don't want to allow end-users to create,
modify, or delete metadata properties that you are injecting during the
interoperable image import process, you will need to protect these
properties using the Glance property protection feature (available since
the Havana release).
For example, suppose there is a property named 'property1' that you want
injected during import, but you only want an administrator or service user
to be able to create this property, and you want only an administrator to be
able to modify or delete it. You could accomplish this by adding the
following to the property protection configuration file:
.. code-block:: ini
[property1]
create = admin,service_role
read = admin,service_role,member,_member_
update = admin
delete = admin
See the :ref:`property-protections` section of this Guide for more
information.
.. _`Inject metadata properties automatically to non-admin images`: https://specs.openstack.org/openstack/glance-specs/specs/queens/approved/glance/inject-automatic-metadata.html
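Review bot: the policy example and the sentence explaining it disagree on the credential name: the rule ``"upload_image": "role:admin or (service_user_id:<uuid of nova user>) or (service_roles:<service user role>)"`` checks ``service_roles``, while the text below explains ``"service_role"`` as if that were the key; make the prose refer to ``service_roles`` and describe ``<service user role>`` as the placeholder for the role assigned to trusted service users, so an operator copying the rule sees one consistent name. Since this restriction is what makes the plugin enforceable for end users (the note above correctly states it never runs on ``PUT v2/images/{image_id}/file``), it is worth saying outright that with ``upload_image`` left unrestricted an image owner can still supply data without the properties being injected, and that step 2 (property protections) is what stops them from removing or changing the injected values afterwards. Two smaller points: in the paragraph after the ini block, ``image_import_plugins`` is written with single backticks while ``image_import_opts`` and the later ``image_import_plugins`` use double backticks (single backticks are interpreted text in reST, not a literal), and the sentence ending in ``glance/async/flows/plugins/`` is missing its period.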


@ -1,72 +1,30 @@
--- ---
features: features:
- | - |
Made provision to inject image metadata properties to non-admin Added a plugin to inject image metadata properties to non-admin
images during creation of image using 'image-import' API. images created via the interoperable image import process.
upgrade: upgrade:
- | - |
- There are two methods to create images: Added a plugin to inject image metadata properties to non-admin
images created via the interoperable image import process. This
plugin implements the spec `Inject metadata properties automatically
to non-admin images`_. See the spec for a discussion of the use case
addressed by this plugin.
- Method A: Use of the plugin requires configuration as described in the
`The Image Property Injection Plugin`_ section of the Glance Admin Guide.
.. code-block:: none Note that the plugin applies *only* to images imported via the
`interoperable image import process`_. Thus images whose data is
set using the `image data upload`_ call will *not* be processed by
the plugin and hence will not have properties injected. You can
force end users to use the interoperable image import process by
restricting the data upload call, which is governed by the
``upload_image`` policy in the Glance ``policy.json`` file. See
the documentation for more information.
POST /v2/images .. _`Inject metadata properties automatically to non-admin images`: https://specs.openstack.org/openstack/glance-specs/specs/queens/approved/glance/inject-automatic-metadata.html
PUT /v2/images/{image_id}/file .. _`interoperable image import process`: https://developer.openstack.org/api-ref/image/v2/#interoperable-image-import
.. _`The Image Property Injection Plugin`: https://docs.openstack.org/glance/latest/admin/interoperable-image-import.html#the-image-property-injection-plugin
- Method B: .. _`image data upload`: https://developer.openstack.org/api-ref/image/v2/#upload-binary-image-data
.. code-block:: none
POST /v2/images
PUT /v2/images/{image_id}/stage
POST /v2/images/{image_id}/import
The long term goal is to make end-users use Method B to create images
and cross-services like Nova to use Method A until changes are made to
use Method B. To restrict end-users from using Method A to create
images, you will need to allow only admin or service users to call
"upload_image" API as shown below.
.. code-block:: none
upload_image": "role:admin or (service_user_id:<uuid of nova user>) or
(service_roles:<service user role>)"
"service_role" is the role which is created for the service user
and assigned to the trusted services.
- To use this feature below configurations are required:
You will need to configure 'glance-image-import.conf' file as shown
below:
.. code-block:: none
[image_import_opts]
image_import_plugins = [inject_image_metadata]
[inject_metadata_properties]
ignore_user_roles = admin,...
inject = "property1":"value",...
The first section "image_import_opts" is used to enable/plug the task
using `image_import_plugins` parameter by giving plugin name.
Plugin name is nothing but the module name under
glance/async/flows/plugins/
You don't want to allow end-users to create metadata properties
you want to be injected automatically during creation of images.
So, you will need to protect such metadata properties using
property protection configuration file as shown below.
Only admin or service user will be able to create metadata
property 'property1'.
.. code-block:: none
[property1]
create = admin,service_role
read = admin,service_role,member,_member_
update = admin
delete = admin
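Review bot: the ``upgrade`` entry opens by repeating the ``features`` entry word for word ("Added a plugin to inject image metadata properties to non-admin images created via the interoperable image import process."); an upgrade note should carry the operator action, so lead with what has to be done (enable ``inject_image_metadata`` in ``glance-image-import.conf``, set ``ignore_user_roles`` and ``inject``, protect the injected properties with property protections) and leave the feature description to ``features``. The paragraph on the ``upload_image`` policy ends with "See the documentation for more information" even though the note already defines the `The Image Property Injection Plugin`_ target; point that sentence at the same section, since that is where the policy example lives. The "Note that the plugin applies *only* to images imported via the `interoperable image import process`_" paragraph is the caveat an operator most needs before enabling the plugin; consider placing it ahead of the configuration pointer rather than after it.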