Make the task's API admin only by default
One of the goals of this spec is to improve the image import process and allow for other background operations to be executed when the image data is added. This supersedes the need of the task endpoint that we'll slowly deprecate. As part of this spec, we should make it admin only and warn deployers that this API is going to be deprecated. MitakaPriority DocImpact: Tasks API is now admin only. Deployments depending on this API need to make sure they make it accessible for non-admins. Closes-bug: #1527716 Partially-blueprint: image-import-refactor Change-Id: I28cb69ea730ae58b9aed1dd43b68305dbbf132c1
parent
bdee4bbbed
commit
8f0d6ea9c5
@ -25,10 +25,10 @@
|
|||||||
|
|
||||||
"manage_image_cache": "role:admin",
|
"manage_image_cache": "role:admin",
|
||||||
|
|
||||||
"get_task": "",
|
"get_task": "role:admin",
|
||||||
"get_tasks": "",
|
"get_tasks": "role:admin",
|
||||||
"add_task": "",
|
"add_task": "role:admin",
|
||||||
"modify_task": "",
|
"modify_task": "role:admin",
|
||||||
|
|
||||||
"deactivate": "",
|
"deactivate": "",
|
||||||
"reactivate": "",
|
"reactivate": "",
|
||||||
|
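Review bot: The four task rules (`get_task`, `get_tasks`, `add_task`, `modify_task`) become `role:admin` only in this policy file, and no hunk on this page adds an in-code default, so a deployment that carries its existing policy file across the upgrade would presumably keep evaluating them as `""` and leave the task API open to every authenticated user. The upgrade note added by this commit only explains how to re-open the API, not how to obtain the restriction. I would add a sentence to it along the lines of `Deployments that keep an existing policy.json must set get_task, get_tasks, add_task and modify_task to "role:admin" themselves.` The same applies to the second policy file changed further down the page, which receives the identical four edits.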
@ -16,6 +16,7 @@
|
|||||||
|
|
||||||
import copy
|
import copy
|
||||||
|
|
||||||
|
import debtcollector
|
||||||
import glance_store
|
import glance_store
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
@ -42,6 +43,14 @@ LOG = logging.getLogger(__name__)
|
|||||||
CONF = cfg.CONF
|
CONF = cfg.CONF
|
||||||
CONF.import_opt('task_time_to_live', 'glance.common.config', group='task')
|
CONF.import_opt('task_time_to_live', 'glance.common.config', group='task')
|
||||||
|
|
||||||
|
_DEPRECATION_MESSAGE = ("The task API is being deprecated and "
|
||||||
|
"it will be superseded by the new image import "
|
||||||
|
"API. Please refer to this link for more "
|
||||||
|
"information about the aforementioned process: "
|
||||||
|
"https://specs.openstack.org/openstack/glance-specs/"
|
||||||
|
"specs/mitaka/approved/image-import/"
|
||||||
|
"image-import-refactor.html")
|
||||||
|
|
||||||
|
|
||||||
class TasksController(object):
|
class TasksController(object):
|
||||||
"""Manages operations on tasks."""
|
"""Manages operations on tasks."""
|
||||||
@ -55,6 +64,7 @@ class TasksController(object):
|
|||||||
self.gateway = glance.gateway.Gateway(self.db_api, self.store_api,
|
self.gateway = glance.gateway.Gateway(self.db_api, self.store_api,
|
||||||
self.notifier, self.policy)
|
self.notifier, self.policy)
|
||||||
|
|
||||||
|
@debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)
|
||||||
def create(self, req, task):
|
def create(self, req, task):
|
||||||
task_factory = self.gateway.get_task_factory(req.context)
|
task_factory = self.gateway.get_task_factory(req.context)
|
||||||
executor_factory = self.gateway.get_task_executor_factory(req.context)
|
executor_factory = self.gateway.get_task_executor_factory(req.context)
|
||||||
@ -74,6 +84,7 @@ class TasksController(object):
|
|||||||
raise webob.exc.HTTPForbidden(explanation=e.msg)
|
raise webob.exc.HTTPForbidden(explanation=e.msg)
|
||||||
return new_task
|
return new_task
|
||||||
|
|
||||||
|
@debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)
|
||||||
def index(self, req, marker=None, limit=None, sort_key='created_at',
|
def index(self, req, marker=None, limit=None, sort_key='created_at',
|
||||||
sort_dir='desc', filters=None):
|
sort_dir='desc', filters=None):
|
||||||
result = {}
|
result = {}
|
||||||
@ -101,6 +112,7 @@ class TasksController(object):
|
|||||||
result['tasks'] = tasks
|
result['tasks'] = tasks
|
||||||
return result
|
return result
|
||||||
|
|
||||||
|
@debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)
|
||||||
def get(self, req, task_id):
|
def get(self, req, task_id):
|
||||||
try:
|
try:
|
||||||
task_repo = self.gateway.get_task_repo(req.context)
|
task_repo = self.gateway.get_task_repo(req.context)
|
||||||
@ -120,6 +132,7 @@ class TasksController(object):
|
|||||||
raise webob.exc.HTTPForbidden(explanation=e.msg)
|
raise webob.exc.HTTPForbidden(explanation=e.msg)
|
||||||
return task
|
return task
|
||||||
|
|
||||||
|
@debtcollector.removals.remove(message=_DEPRECATION_MESSAGE)
|
||||||
def delete(self, req, task_id):
|
def delete(self, req, task_id):
|
||||||
msg = (_("This operation is currently not permitted on Glance Tasks. "
|
msg = (_("This operation is currently not permitted on Glance Tasks. "
|
||||||
"They are auto deleted after reaching the time based on "
|
"They are auto deleted after reaching the time based on "
|
||||||
|
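Review bot: `import debtcollector` in the import hunk does not by itself guarantee that the `debtcollector.removals` submodule is loaded, so the four `@debtcollector.removals.remove(...)` decorators on `create`, `index`, `get` and `delete` may depend on some other module having imported it first; I cannot confirm from this page whether the package's `__init__` does so. Importing the submodule explicitly with `from debtcollector import removals` and decorating with `@removals.remove(message=_DEPRECATION_MESSAGE)` removes that dependency on import order. The decorator only emits a deprecation warning and does not restrict callers, so a one-line comment above `_DEPRECATION_MESSAGE` such as `# Warning only; access to the task API is enforced by the policy rules.` would stop readers from assuming otherwise. The bodies of all four methods continue outside the hunks shown.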
@ -26,10 +26,10 @@
|
|||||||
|
|
||||||
"manage_image_cache": "",
|
"manage_image_cache": "",
|
||||||
|
|
||||||
"get_task": "",
|
"get_task": "role:admin",
|
||||||
"get_tasks": "",
|
"get_tasks": "role:admin",
|
||||||
"add_task": "",
|
"add_task": "role:admin",
|
||||||
"modify_task": "",
|
"modify_task": "role:admin",
|
||||||
|
|
||||||
"get_metadef_namespace": "",
|
"get_metadef_namespace": "",
|
||||||
"get_metadef_namespaces":"",
|
"get_metadef_namespaces":"",
|
||||||
|
@ -44,11 +44,19 @@ class TestTasks(functional.FunctionalTest):
|
|||||||
'X-Auth-Token': '932c5c84-02ac-4fe5-a9ba-620af0e2bb96',
|
'X-Auth-Token': '932c5c84-02ac-4fe5-a9ba-620af0e2bb96',
|
||||||
'X-User-Id': 'f9a41d13-0c13-47e9-bee2-ce4e8bfe958e',
|
'X-User-Id': 'f9a41d13-0c13-47e9-bee2-ce4e8bfe958e',
|
||||||
'X-Tenant-Id': TENANT1,
|
'X-Tenant-Id': TENANT1,
|
||||||
'X-Roles': 'member',
|
'X-Roles': 'admin',
|
||||||
}
|
}
|
||||||
base_headers.update(custom_headers or {})
|
base_headers.update(custom_headers or {})
|
||||||
return base_headers
|
return base_headers
|
||||||
|
|
||||||
|
def test_task_not_allowed_non_admin(self):
|
||||||
|
self.start_servers(**self.__dict__.copy())
|
||||||
|
roles = {'X-Roles': 'member'}
|
||||||
|
# Task list should be empty
|
||||||
|
path = self._url('/v2/tasks')
|
||||||
|
response = requests.get(path, headers=self._headers(roles))
|
||||||
|
self.assertEqual(403, response.status_code)
|
||||||
|
|
||||||
def test_task_lifecycle(self):
|
def test_task_lifecycle(self):
|
||||||
self.start_servers(**self.__dict__.copy())
|
self.start_servers(**self.__dict__.copy())
|
||||||
# Task list should be empty
|
# Task list should be empty
|
||||||
|
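Review bot: `test_task_not_allowed_non_admin` sends a single `GET /v2/tasks` with the `member` role, which presumably covers only the `get_tasks` rule, so a regression that re-opens `add_task`, `get_task` or `modify_task` to non-admins would pass this test. I would extend it with at least a `requests.post` to the same path using a valid task body and the `member` role, again asserting 403; an empty body may be rejected before the policy check and so would not prove the rule. The copied comment `# Task list should be empty` contradicts the assertion; `# Non-admin callers must be rejected` matches what is checked. Because `_headers` now defaults `X-Roles` to `admin`, every other test in the class runs as admin, which makes this negative test the only coverage of the non-admin path. `_headers` starts before this hunk and the body of `test_task_lifecycle` continues past it.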
@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
deprecations:
|
||||||
|
- The task API was added to allow users for uploading images asynchronously
|
||||||
|
and for deployers to have more control in the upload process. Unfortunately,
|
||||||
|
this API has not worked the way it was expected to. Therefore, the task API
|
||||||
|
has entered a deprecation period and it is meant to be replaced by the new
|
||||||
|
import API. This change makes the task API admin only by default so that it
|
||||||
|
is not accidentally deployed as a public API.
|
||||||
|
upgrade:
|
||||||
|
- The task API is being deprecated and it has been made admin only. If deployers
|
||||||
|
of Glance would like to have this API as a public one, it is necessary to
|
||||||
|
change the `policy.json` file and remove `role:admin` from every `task`
|
||||||
|
related field.
|