openstack/openstack-manuals
Code Issues Proposed changes
ed3e1664e6
openstack-manuals/doc/admin-guide-cloud/image/section_glance-property-protection.xml
Tamara Johnston 844efef3cd Correcting Links in the Current Administrator Guide 
The administrator guide includes many links to the install guides, configuration
guide, and so forth.  As the administrator guide is the current version all links
should link to current (Juno) vs. Icehouse or trunk (Kilo) versions of the docs.

Closes-Bug: #1410565

Change-Id: I8fa3bc6d0af2ee90f436fe065b8897eefefa2be9
2015-01-14 19:02:26 -08:00

107 lines
4.5 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="glance-property-protection">
<title>Image properties and property protection</title>
<para>An image property is a key and value pair that the cloud
administrator or the image owner attaches to an OpenStack Image
Service image, as follows:</para>
<para>
<itemizedlist>
<listitem>
<para>The cloud administrator defines <emphasis role="italic"
>core</emphasis> properties, such as the image
name.</para>
</listitem>
<listitem>
<para>The cloud administrator and the image owner can define
<emphasis role="italic">additional</emphasis> properties,
such as licensing and billing information.</para>
</listitem>
</itemizedlist>
</para>
<para>The cloud administrator can configure any property as
<firstterm>protected</firstterm>, which limits which policies or
user roles can perform CRUD operations on that property. Protected
properties are generally additional properties to which only cloud
administrators have access.</para>
<para>For unprotected image properties, the cloud administrator can
manage core properties and the image owner can manage additional
properties.</para>
<procedure>
<title>To configure property protection</title>
<para>To configure property protection, the cloud administrator
completes these steps:</para>
<step>
<para>Define roles or policies in the
<filename>policy.json</filename> file:</para>
<programlisting language="json"><xi:include parse="text"
href="http://git.openstack.org/cgit/openstack/glance/plain/etc/policy.json?h=stable/juno"/></programlisting>
<para>For each parameter, use <literal>"rule:restricted"</literal> to
restrict access to all users or <literal>"role:admin"</literal>
to limit access to administrator roles. For example:</para>
<programlisting>"download_image": <replaceable>"rule:restricted"</replaceable>
"upload_image": <replaceable>"role:admin"</replaceable></programlisting>
</step>
<step>
<para>Define which roles or policies can manage which properties
in a property protections configuration file. For
example:</para>
<programlisting language="ini">[x_none_read]
create = context_is_admin
read = !
update = !
delete = !
[x_none_update]
create = context_is_admin
read = context_is_admin
update = !
delete = context_is_admin
[x_none_delete]
create = context_is_admin
read = context_is_admin
update = context_is_admin
delete = !</programlisting>
<itemizedlist>
<listitem>
<para>A value of <literal>@</literal> allows the
corresponding operation for a property.</para>
</listitem>
<listitem>
<para>A value of <literal>!</literal> disallows the
corresponding operation for a property.</para>
</listitem>
</itemizedlist>
</step>
<step>
<para>In the <filename>glance-api.conf</filename> file, define
the location of a property protections configuration
file:</para>
<programlisting language="ini">property_protection_file = {file_name}</programlisting>
<para>This file contains the rules for property protections and
the roles and policies associated with it.</para>
<para>By default, property protections are not enforced.</para>
<para>If you specify a file name value and the file is not
found, the <systemitem role="service">glance-api</systemitem>
service does not start.</para>
<para>To view a sample configuration file, see <link
xlink:href="http://docs.openstack.org/juno/config-reference/content/section_glance-api.conf.html"
>glance-api.conf</link>.</para>
</step>
<step>
<para>Optionally, in the <filename>glance-api.conf</filename>
file, specify whether roles or policies are used in the
property protections configuration file:</para>
<programlisting language="ini">property_protection_rule_format = roles</programlisting>
<para>The default is <literal>roles</literal>.</para>
<para>To view a sample configuration file, see <link
xlink:href="http://docs.openstack.org/juno/config-reference/content/section_glance-api.conf.html"
>glance-api.conf</link>.</para>
</step>
</procedure>
</section>
View Git Blame Copy Permalink