Make the task's API admin only by default

One of the goals of this spec is to improve the image import process and
allow other background operations to be executed when the image data
is added. This supersedes the need for the task endpoint, which we'll
slowly deprecate. As part of this spec, we should make the task API admin
only and warn deployers that it is going to be deprecated.

MitakaPriority
DocImpact: Tasks API is now admin only. Deployments depending on this
    API need to make sure they make it accessible for non-admins.
Closes-bug: #1527716
Partially-blueprint: image-import-refactor
Change-Id: I28cb69ea730ae58b9aed1dd43b68305dbbf132c1
Flavio Percoco 2016-01-08 16:38:49 -04:30 committed by Flavio Percoco
parent bdee4bbbed
commit 8f0d6ea9c5
5 changed files with 43 additions and 9 deletions


@ -25,10 +25,10 @@
"manage_image_cache": "role:admin", "manage_image_cache": "role:admin",
"get_task": "", "get_task": "role:admin",
"get_tasks": "", "get_tasks": "role:admin",
"add_task": "", "add_task": "role:admin",
"modify_task": "", "modify_task": "role:admin",
"deactivate": "", "deactivate": "",
"reactivate": "", "reactivate": "",
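Review bot: The four task rules become `role:admin` only in this shipped policy file, so the restriction takes effect only where this file is the one the service loads; nothing visible in the commit enforces it in code. A deployment that carries its own policy file across the upgrade would presumably keep `"get_task": ""` and the other three empty rules, and an empty rule allows every caller, while the release note states the API "has been made admin only". The upgrade note should tell operators to check `get_task`, `get_tasks`, `add_task` and `modify_task` in their deployed file and set them to `role:admin` unless they deliberately want the API public. The same four-rule change is repeated in the second policy file later in this commit.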


@ -16,6 +16,7 @@
import copy import copy
import debtcollector
import glance_store import glance_store
from oslo_config import cfg from oslo_config import cfg
from oslo_log import log as logging from oslo_log import log as logging
@ -42,6 +43,14 @@ LOG = logging.getLogger(__name__)
CONF = cfg.CONF CONF = cfg.CONF
CONF.import_opt('task_time_to_live', 'glance.common.config', group='task') CONF.import_opt('task_time_to_live', 'glance.common.config', group='task')
_DEPRECATION_MESSAGE = ("The task API is being deprecated and "
"it will be superseded by the new image import "
"API. Please refer to this link for more "
"information about the aforementioned process: "
"https://specs.openstack.org/openstack/glance-specs/"
"specs/mitaka/approved/image-import/"
"image-import-refactor.html")
class TasksController(object): class TasksController(object):
"""Manages operations on tasks.""" """Manages operations on tasks."""
@ -55,6 +64,7 @@ class TasksController(object):
self.gateway = glance.gateway.Gateway(self.db_api, self.store_api, self.gateway = glance.gateway.Gateway(self.db_api, self.store_api,
self.notifier, self.policy) self.notifier, self.policy)
@debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)
def create(self, req, task): def create(self, req, task):
task_factory = self.gateway.get_task_factory(req.context) task_factory = self.gateway.get_task_factory(req.context)
executor_factory = self.gateway.get_task_executor_factory(req.context) executor_factory = self.gateway.get_task_executor_factory(req.context)
@ -74,6 +84,7 @@ class TasksController(object):
raise webob.exc.HTTPForbidden(explanation=e.msg) raise webob.exc.HTTPForbidden(explanation=e.msg)
return new_task return new_task
@debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)
def index(self, req, marker=None, limit=None, sort_key='created_at', def index(self, req, marker=None, limit=None, sort_key='created_at',
sort_dir='desc', filters=None): sort_dir='desc', filters=None):
result = {} result = {}
@ -101,6 +112,7 @@ class TasksController(object):
result['tasks'] = tasks result['tasks'] = tasks
return result return result
@debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)
def get(self, req, task_id): def get(self, req, task_id):
try: try:
task_repo = self.gateway.get_task_repo(req.context) task_repo = self.gateway.get_task_repo(req.context)
@ -120,6 +132,7 @@ class TasksController(object):
raise webob.exc.HTTPForbidden(explanation=e.msg) raise webob.exc.HTTPForbidden(explanation=e.msg)
return task return task
@debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)
def delete(self, req, task_id): def delete(self, req, task_id):
msg = (_("This operation is currently not permitted on Glance Tasks. " msg = (_("This operation is currently not permitted on Glance Tasks. "
"They are auto deleted after reaching the time based on " "They are auto deleted after reaching the time based on "
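Review bot: `import debtcollector` on its own does not guarantee that the `removals` submodule is loaded, so `@debtcollector.removals.remove(...)` appears to work at class-definition time only because some other module imported it first. `from debtcollector import removals` with `@removals.remove(message=_DEPRECATION_MESSAGE)` would make the dependency explicit and remove the import-order sensitivity. The decorator is applied to `create`, `index`, `get` and `delete`, whose bodies continue outside the hunks. It is also worth confirming that the emitted deprecation warning reaches the service log under the default warning filters, since warning deployers is the stated goal.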


@ -26,10 +26,10 @@
"manage_image_cache": "", "manage_image_cache": "",
"get_task": "", "get_task": "role:admin",
"get_tasks": "", "get_tasks": "role:admin",
"add_task": "", "add_task": "role:admin",
"modify_task": "", "modify_task": "role:admin",
"get_metadef_namespace": "", "get_metadef_namespace": "",
"get_metadef_namespaces":"", "get_metadef_namespaces":"",


@ -44,11 +44,19 @@ class TestTasks(functional.FunctionalTest):
'X-Auth-Token': '932c5c84-02ac-4fe5-a9ba-620af0e2bb96', 'X-Auth-Token': '932c5c84-02ac-4fe5-a9ba-620af0e2bb96',
'X-User-Id': 'f9a41d13-0c13-47e9-bee2-ce4e8bfe958e', 'X-User-Id': 'f9a41d13-0c13-47e9-bee2-ce4e8bfe958e',
'X-Tenant-Id': TENANT1, 'X-Tenant-Id': TENANT1,
'X-Roles': 'member', 'X-Roles': 'admin',
} }
base_headers.update(custom_headers or {}) base_headers.update(custom_headers or {})
return base_headers return base_headers
def test_task_not_allowed_non_admin(self):
self.start_servers(**self.__dict__.copy())
roles = {'X-Roles': 'member'}
# Task list should be empty
path = self._url('/v2/tasks')
response = requests.get(path, headers=self._headers(roles))
self.assertEqual(403, response.status_code)
def test_task_lifecycle(self): def test_task_lifecycle(self):
self.start_servers(**self.__dict__.copy()) self.start_servers(**self.__dict__.copy())
# Task list should be empty # Task list should be empty
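Review bot: `test_task_not_allowed_non_admin` asserts a 403 only for `GET /v2/tasks`, which exercises the `get_tasks` rule; the `add_task` and `get_task` rules tightened in the same commit have no non-admin assertion. Because `_headers` now defaults to `'X-Roles': 'admin'`, every other test in the class runs as admin, so this one test is the only coverage of the denial path. A POST to the same path with `headers=self._headers(roles)` and a task body, followed by `self.assertEqual(403, response.status_code)`, would cover task creation as well. The copied comment `# Task list should be empty` does not describe this test; `# Non-admin callers must be rejected` would. `test_task_lifecycle` continues outside the hunk.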


@ -0,0 +1,13 @@
---
deprecations:
- The task API was added to allow users for uploading images asynchronously
and for deployers to have more control in the upload process. Unfortunately,
this API has not worked the way it was expected to. Therefore, the task API
has entered a deprecation period and it is meant to be replaced by the new
import API. This change makes the task API admin only by default so that it
is not accidentally deployed as a public API.
upgrade:
- The task API is being deprecated and it has been made admin only. If deployers
of Glance would like to have this API as a public one, it is necessary to
change the `policy.json` file and remove `role:admin` from every `task`
related field.