[nova][glance] Granting image member access for snapshots (bug 1675791)

Eric Fried openstack at fried.cc
Tue Jan 15 13:40:01 UTC 2019

On 1/14/2019 6:04 PM, Matt Riedemann wrote:
> I have a fix proposed

The proposed fix is here: https://review.openstack.org/#/c/630769/

> for a pretty old bug (1675791 [1]). This
> originally came up because of a scenario where an admin shelves a server
> and then the owner of the shelved server cannot unshelve it since they
> do not have access to the shelve snapshot image.
> The same is true for normal snapshot and backup operations though, see
> this proposed spec for Stein [2].
> It also came up during the cross-cell resize spec review [3] since that
> solution depends on snapshot to get the root disk from one cell to another.
> In a nutshell, when creating a snapshot now, the compute API will check
> if the project creating the snapshot is the same as the project owner of
> the server. If not, the image is created with visibility=shared and the
> project owner of the instance is granted member access to the image,
> which allows them to GET the image directly via the ID, but not list it
> by default (the tenant user has to accept the pending membership for
> that). I have tested this out in devstack today and everything seems to
> work well.
> I am posting this to (a) raise awareness of the bug and proposed fix
> since it is sort of a behavior change in the
> createImage/createBackup/shelve APIs and (b) to make sure the glance
> team is aware and acknowledges this is an OK thing to do, i.e. are there
> any kind of unforeseen side effects of automatically granting image
> membership like this (I would think not since the owner of the instance
> has access to the root disk of the server anyway - it is their data).
> Also note that some really crusty legacy code in most of the in-tree
> virt drivers had to be removed (some virt drivers would change the image
> visibility back to private during the actual data upload to glance)
> which could mean out of tree drivers have the same issue.
> [1] https://bugs.launchpad.net/nova/+bug/1675791
> [2] https://review.openstack.org/#/c/616843/
> [3] https://review.openstack.org/#/c/616037/3/specs/stein/approved/cross-cell-resize.rst@233
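To make the behaviour change concrete, here is an added example that is not code from the thread, nova or glance: a small stand-alone Python model of the Glance v2 image-sharing semantics the proposal depends on (visibility private vs shared, pending vs accepted membership, and the difference between GET by ID and listing), with the compute API check from the message layered on top. The names GlanceModel, Image, create_snapshot, owner_can_unshelve and demo are hypothetical; the real API calls each method stands in for are noted in comments. The demo also reproduces the failure mode mentioned at the end of the message, a driver flipping visibility back to private during upload.

```python
# Added example (not nova or glance code): a minimal model of Glance v2 image
# sharing. GlanceModel, Image, create_snapshot and demo are hypothetical names;
# the real API calls each method stands in for are noted in comments.
from dataclasses import dataclass, field

PRIVATE, SHARED = "private", "shared"
PENDING, ACCEPTED = "pending", "accepted"


@dataclass
class Image:
    image_id: str
    owner: str                                    # project that created it
    visibility: str = PRIVATE
    members: dict = field(default_factory=dict)   # member project -> status


class GlanceModel:
    """Just enough of the Glance v2 image API to show who can reach what."""

    def __init__(self):
        self.images = {}

    def create(self, image_id, owner, visibility=PRIVATE):
        # POST /v2/images; 'owner' is the calling project
        self.images[image_id] = Image(image_id, owner, visibility)
        return self.images[image_id]

    def set_visibility(self, image_id, visibility):
        # PATCH /v2/images/{id} replacing /visibility
        self.images[image_id].visibility = visibility

    def add_member(self, image_id, member):
        # POST /v2/images/{id}/members {"member": project}: only allowed on a
        # shared image, and the new membership starts out pending
        img = self.images[image_id]
        if img.visibility != SHARED:
            raise ValueError("%s is %s, not shared" % (image_id, img.visibility))
        img.members[member] = PENDING

    def update_member(self, image_id, member, status):
        # PUT /v2/images/{id}/members/{member} {"status": "accepted"}, issued by
        # the member project (openstack image set --accept <image>)
        self.images[image_id].members[member] = status

    def _member_of(self, img, project):
        return img.visibility == SHARED and project in img.members

    def get(self, image_id, project):
        # GET /v2/images/{id}: owner or any member, pending membership included
        img = self.images[image_id]
        if img.owner != project and not self._member_of(img, project):
            raise PermissionError("%s cannot read %s" % (project, image_id))
        return img

    def list(self, project, member_status=ACCEPTED):
        # GET /v2/images?member_status=...: shared images appear in a member's
        # listing only once accepted, unless member_status=all (or pending)
        return [img.image_id for img in self.images.values()
                if img.owner == project or (self._member_of(img, project) and
                   (member_status == "all" or img.members[project] == member_status))]


def create_snapshot(glance, image_id, requester_project, instance_owner_project):
    """The compute API check described in the thread: the snapshot is owned by
    the requester's project; if that is not the instance owner's project, the
    image is created shared and the owner is added as a member."""
    if requester_project == instance_owner_project:
        return glance.create(image_id, requester_project, PRIVATE)
    img = glance.create(image_id, requester_project, SHARED)
    glance.add_member(image_id, instance_owner_project)
    return img


def owner_can_unshelve(glance, image_id, instance_owner_project):
    """Unshelve needs the instance owner to GET the snapshot image by ID."""
    try:
        glance.get(image_id, instance_owner_project)
        return True
    except PermissionError:
        return False


def demo():
    """Bug scenario: a user in admin-proj shelves a server owned by tenant-proj."""
    g = GlanceModel()
    create_snapshot(g, "shelve-snap", "admin-proj", "tenant-proj")
    result = {"owner_can_get": owner_can_unshelve(g, "shelve-snap", "tenant-proj"),
              "listed_while_pending": "shelve-snap" in g.list("tenant-proj")}
    g.update_member("shelve-snap", "tenant-proj", ACCEPTED)
    result["listed_after_accept"] = "shelve-snap" in g.list("tenant-proj")
    # The legacy virt-driver behaviour the patch removes: resetting visibility
    # to private during the upload silently locks the owner out again.
    g.set_visibility("shelve-snap", PRIVATE)
    result["owner_can_get_after_reset"] = owner_can_unshelve(g, "shelve-snap", "tenant-proj")
    return result
```

Running demo() shows the two points raised in the message: the owner can GET the shared snapshot by ID as soon as the pending membership exists, but the image only shows up in their default listing after they accept it; and any driver that sets visibility back to private after the compute API has shared the image re-creates the original bug, which is why out-of-tree drivers with that legacy code need the same cleanup.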

