glance/doc/source/user/metadefs-concepts.rst
Abhishek Kekane f8551de8c9 Make some metadef operations admin-only
This restricts all metadef resource manipulation to admin-only, but
still allow users to see everything. There are multiple low-grade
security issues with the metadef API, detailed in the related bug.
Restricting resource manipulation to admin-only solves most of these
concerns.

SecurityImpact
Depends-On: https://review.opendev.org/c/openstack/tempest/+/780108
Change-Id: I333c58e73c202c1f523030e54e03f2868459b595
Related-Bug: #1916926
2021-03-15 07:59:05 -07:00

197 lines
8.7 KiB
ReStructuredText

..
Copyright (c) 2014 Hewlett-Packard Development Company, L.P.
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
Metadata Definition Concepts
============================
The metadata definition service was added to Glance in the Juno release of
OpenStack.
It provides a common API for vendors, admins, services, and users to
meaningfully **define** available key / value pair metadata that
can be used on different types of resources (images, artifacts, volumes,
flavors, aggregates, and other resources). A definition includes a property's
key, its description, its constraints, and the resource types to which it
can be associated.
This catalog does not store the values for specific instance properties.
For example, a definition of a virtual CPU topology property for the number of
cores will include the base key to use (for example, cpu_cores), a description,
and value constraints like requiring it to be an integer. So, a user,
potentially through Horizon, would be able to search this catalog to list the
available properties they can add to a flavor or image. They will see the
virtual CPU topology property in the list and know that it must be an integer.
When the user adds the property its key and value will be stored in the
service that owns that resource (for example, Nova for flavors and in Glance
for images). The catalog also includes any additional prefix required when
the property is applied to different types of resources, such as "hw\_" for
images and "hw:" for flavors. So, on an image, the user would know to set the
property as "hw_cpu_cores=1".
.. note:: Resource manipulation via this API is restricted to admins
by default since the Wallaby release. This API does not
provide limits suitable for exposure to all users, and can
also leak information between users unintentionally. Even as
an admin, be careful with the names you use for resources
you create that are intended to be private, in order to
avoid unintentional exposure. See Bug 1916926_ for more
information.
.. _1916926: https://bugs.launchpad.net/glance/+bug/1916926/
Terminology
-----------
Background
~~~~~~~~~~
The term *metadata* can become very overloaded and confusing. This
catalog is about the additional metadata that is passed as arbitrary
key / value pairs or tags across various artifacts and OpenStack services.
Below are a few examples of the various terms used for metadata across
OpenStack services today:
+-------------------------+---------------------------+----------------------+
| Nova | Cinder | Glance |
+=========================+===========================+======================+
| Flavor | Volume & Snapshot | Image & Snapshot |
| + *extra specs* | + *image metadata* | + *properties* |
| Host Aggregate | + *metadata* | + *tags* |
| + *metadata* | VolumeType | |
| Servers | + *extra specs* | |
| + *metadata* | + *qos specs* | |
| + *scheduler_hints* | | |
| + *tags* | | |
+-------------------------+---------------------------+----------------------+
Catalog Concepts
~~~~~~~~~~~~~~~~
The below figure illustrates the concept terminology used in the metadata
definitions catalog::
A namespace is associated with 0 to many resource types, making it visible to
the API / UI for applying to that type of resource. RBAC Permissions are
managed at a namespace level.
+----------------------------------------------+
| Namespace |
| |
| +-----------------------------------------+ |
| | Object Definition | |
| | | | +--------------------+
| | +-------------------------------------+ | | +--> | Resource Type: |
| | | Property Definition A (key=integer) | | | | | e.g. Nova Flavor |
| | +-------------------------------------+ | | | +--------------------+
| | | | |
| | +-------------------------------------+ | | |
| | | Property Definition B (key=string) | | | | +--------------------+
| | +-------------------------------------+ | +--+--> | Resource Type: |
| | | | | | e.g. Glance Image |
| +-----------------------------------------+ | | +--------------------+
| | |
| +-------------------------------------+ | |
| | Property Definition C (key=boolean) | | | +--------------------+
| +-------------------------------------+ | +--> | Resource Type: |
| | | e.g. Cinder Volume |
+----------------------------------------------+ +--------------------+
Properties may be defined standalone or within the context of an object.
Catalog Terminology
~~~~~~~~~~~~~~~~~~~
The following terminology is used within the metadata definition catalog.
**Namespaces**
Metadata definitions are contained in namespaces.
- Specify the access controls (CRUD) for everything defined in it. Allows for
admin only, different projects, or the entire cloud to define and use the
definitions in the namespace
- Associates the contained definitions to different types of resources
**Properties**
A property describes a single property and its primitive constraints. Each
property can ONLY be a primitive type:
* string, integer, number, boolean, array
Each primitive type is described using simple JSON schema notation. This
means NO nested objects and no definition referencing.
**Objects**
An object describes a group of one to many properties and their primitive
constraints. Each property in the group can ONLY be a primitive type:
* string, integer, number, boolean, array
Each primitive type is described using simple JSON schema notation. This
means NO nested objects.
The object may optionally define required properties under the semantic
understanding that a user who uses the object should provide all required
properties.
**Resource Type Association**
Resource type association specifies the relationship between resource
types and the namespaces that are applicable to them. This information can be
used to drive UI and CLI views. For example, the same namespace of
objects, properties, and tags may be used for images, snapshots, volumes, and
flavors. Or a namespace may only apply to images.
Resource types should be aligned with Heat resource types whenever possible.
https://docs.openstack.org/heat/latest/template_guide/openstack.html
It is important to note that the same base property key can require different
prefixes depending on the target resource type. The API provides a way to
retrieve the correct property based on the target resource type.
Below are a few examples:
The desired virtual CPU topology can be set on both images and flavors
via metadata. The keys have different prefixes on images than on flavors.
On flavors keys are prefixed with ``hw:``, but on images the keys are prefixed
with ``hw_``.
For more: https://github.com/openstack/nova-specs/blob/master/specs/juno/implemented/virt-driver-vcpu-topology.rst
Another example is the AggregateInstanceExtraSpecsFilter and scoped properties
(e.g. properties with something:something=value). For scoped / namespaced
properties, the AggregateInstanceExtraSpecsFilter requires a prefix of
"aggregate_instance_extra_specs:" to be used on flavors but not on the
aggregate itself. Otherwise, the filter will not evaluate the property during
scheduling.
So, on a host aggregate, you may see:
companyx:fastio=true
But then when used on the flavor, the AggregateInstanceExtraSpecsFilter needs:
aggregate_instance_extra_specs:companyx:fastio=true
In some cases, there may be multiple different filters that may use
the same property with different prefixes. In this case, the correct prefix
needs to be set based on which filter is enabled.