[glance] glance 15.0.0 (pike)
We are happy to announce the release of:

glance 15.0.0: OpenStack Image Service

This release is part of the pike release series.

Download the package from:

    https://tarballs.openstack.org/glance/

For more details, please see below.

15.0.0
^^^^^^

New Features
************

* A new policy, "tasks_api_access" has been introduced so that
  ordinary user credentials may be used by Glance to manage the tasks
  that accomplish the interoperable image import process without
  requiring that operators expose the Tasks API to end users.

Upgrade Notes
*************

* If you wish to enable the EXPERIMENTAL version 2.6 API that contains
  the new interoperable image import functionality, set the
  configuration option "enable_image_import" to True in the
  glance-api.conf file. The default value for this option is False.

  The interoperable image import functionality uses the Glance tasks
  engine. This is transparent to end users, as they do *not* use the
  Tasks API for the interoperable image import workflow. The operator,
  however, must make sure that the following configuration options are
  set correctly.

  * "enable_image_import"

  * "node_staging_uri"

  * the options in the "[task]" group

  * the options in the "[taskflow_executor]" group

  See the documentation in the sample glance-api.conf file for more
  information.

  Additionally, you will need to verify that the task-related policies
  in the Glance policy.json file are set correctly. These settings are
  described below.

* A new policy, "tasks_api_access" has been introduced so that
  ordinary user credentials may be used by Glance to manage the tasks
  that accomplish the interoperable image import process without
  requiring that operators expose the Tasks API to end users.

  The Tasks API was made admin-only by default in Mitaka by
  restricting the following policy targets to **role:admin**:
  **get_task**, **get_tasks**, **add_task**, and **modify_task**.

  The new "tasks_api_access" policy target directly controls access to
  the Tasks API, whereas targets just mentioned indirectly affect what
  can be manipulated via the API by controlling what operations can be
  performed on Glance's internal task objects. The key point is that
  if you want to expose the new interoperable image import process to
  end users while keeping the Tasks API admin-only, you can accomplish
  this by using the following settings:

  To summarize: end users do **not** need access to the Tasks API in
  order to use the new interoperable image import process. They do,
  however, need permission to access internal Glance task objects.

  We recommend that all operators adopt the policy settings just
  described independently of the decision whether to expose the
  EXPERIMENTAL version 2.6 API.

  (https://developer.openstack.org/api-ref/image/v2/index.html#tasks)

Security Issues
***************

* A new policy, "tasks_api_access" has been introduced so that
  ordinary user credentials may be used by Glance to manage the tasks
  that accomplish the interoperable image import process without
  requiring that operators expose the Tasks API to end users.

  This is a good time to review your Glance "policy.json" file to make
  sure that if it contains a "default" target, the rule is fairly
  restrictive ("role:admin" or "!" are good choices). The "default"
  target is used when the policy engine cannot find the target it's
  looking for. This can happen when a new policy is introduced but the
  policy file in use is from a prior release.

Other Notes
***********

* The Image Service API Reference has been updated with a section on
  the Interoperable image import process (also known as "image import
  refactored") and the API calls that are exposed to implement it in
  the EXPERIMENTAL v2.6 of the API.
  (https://developer.openstack.org/api-ref/image/v2/index.html#interoperable-image-import)

Changes in glance 15.0.0.0rc1..15.0.0
-------------------------------------

9820166 Fix api_image_import tasks stuck in 'pending'
4920799 Add doc note on using chunked encoding with uwsgi
8b13f43 Regenerate sample config files
92e2048 Correct group name in config
4e1d51e Add release note for Glance Pike RC-2
1a0ac2b api-ref: add interoperable image import docs
fc65a9e Fix Image API 'versions' response
c8873cc Return 404 for import-info call
c99a9c9 Fix 500 error from image-import call
84c7ad4 api-ref: update container_format, disk_format
f6d384f Add 'tasks_api_access' policy
7a14edd Add 'api_image_import' type to task(s) schemas
beb3e98 Fix 500 error from image-stage call
3a28118 Update invalid path and link for Image Properties
e612a90 Update UPPER_CONSTRAINTS_FILE for stable/pike
8bba8b5 Update .gitreview for stable/pike

Diffstat (except docs and test files)
-------------------------------------

 .gitreview                                         |   1 +
 api-ref/source/v2/images-images-v2.inc             |   2 +
 api-ref/source/v2/images-import.inc                | 244 +++++++++++
 .../source/v2/images-parameters-descriptions.inc   |  24 +-
 api-ref/source/v2/images-parameters.yaml           |  34 +-
 api-ref/source/v2/index.rst                        |   1 +
 .../source/v2/samples/image-import-request.json    |   5 +
 .../v2/samples/image-info-import-response.json     |   9 +
 .../v2/samples/schemas-image-show-response.json    |   4 +-
 .../v2/samples/schemas-images-list-response.json   |   4 +-
 api-ref/source/versions/versions.inc               |   2 +
 etc/glance-api.conf                                |   4 +-
 etc/glance-cache.conf                              |   4 +-
 etc/glance-registry.conf                           |   4 +-
 etc/glance-scrubber.conf                           |   4 +-
 etc/policy.json                                    |   9 +-
 etc/schema-image.json                              |   4 +-
 glance/api/middleware/version_negotiation.py       |   3 +-
 glance/api/v2/discovery.py                         |  14 +-
 glance/api/v2/image_data.py                        |  20 +-
 glance/api/v2/images.py                            |  34 +-
 glance/api/v2/tasks.py                             |  21 +-
 glance/api/versions.py                             |   4 +-
 glance/async/flows/api_image_import.py             |  33 +-
 glance/async/taskflow_executor.py                  |   2 +
 glance/common/config.py                            |   4 +-
 glance/common/scripts/utils.py                     |   7 +-
 glance/db/sqlalchemy/api.py                        |   2 +-
 glance/domain/__init__.py                          |   3 +-
 httpd/glance-api-uwsgi.ini                         |   5 +
 httpd/uwsgi-glance-api.conf                        |   1 +
 releasenotes/notes/pike-rc-2-acc173005045e16a.yaml |  89 ++++
 setup.cfg                                          |   1 +
 tox.ini                                            |   2 +-
 41 files changed, 1087 insertions(+), 403 deletions(-)
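
The policy.json review described in the Upgrade Notes and Security Issues sections above, as an added example (not part of the Glance release or of this announcement): a check of a parsed policy file against those notes. The sample policies are constructed, the "" (allow anyone) value for the task-object targets is an assumption, and rules are compared as literal strings, so references such as "rule:..." are not resolved.

```python
"""Audit a parsed Glance policy.json against the Pike task-policy notes."""

# Task-object targets named in the notes; end users need these for image import.
TASK_OBJECT_TARGETS = ("get_task", "get_tasks", "add_task", "modify_task")
# The two "default" values the notes call good choices.
RESTRICTIVE = ("role:admin", "!")


def effective_rule(policy, target):
    """Rule string used for a target: its own entry, else "default", else None."""
    return policy.get(target, policy.get("default"))


def audit_policy(policy, import_for_end_users=True):
    """Return a list of findings (empty when the file matches the notes)."""
    findings = []
    default = policy.get("default")
    if default is not None and default not in RESTRICTIVE:
        findings.append("default: %r is permissive; any target missing from "
                        "this file inherits it" % default)
    if "tasks_api_access" not in policy:
        findings.append("tasks_api_access: absent, so the Tasks API is "
                        "governed by default (%r)" % default)
    elif policy["tasks_api_access"] != "role:admin":
        findings.append("tasks_api_access: %r does not keep the Tasks API "
                        "admin-only" % policy["tasks_api_access"])
    if import_for_end_users:
        for target in TASK_OBJECT_TARGETS:
            rule = effective_rule(policy, target)
            if rule is None or rule in RESTRICTIVE:
                findings.append("%s: %r blocks end users from the task "
                                "objects image import needs" % (target, rule))
    return findings


# Constructed sample: a policy file carried over from a prior release.
OLD_FILE = {"default": "", "get_task": "role:admin", "get_tasks": "role:admin",
            "add_task": "role:admin", "modify_task": "role:admin"}
# Constructed sample: settings consistent with the notes ("" is assumed here).
PIKE_FILE = {"default": "role:admin", "get_task": "", "get_tasks": "",
             "add_task": "", "modify_task": "", "tasks_api_access": "role:admin"}

if __name__ == "__main__":
    for name, policy in (("old", OLD_FILE), ("pike", PIKE_FILE)):
        for finding in audit_policy(policy):
            print("%s: %s" % (name, finding))
```

Pass `import_for_end_users=False` when the version 2.6 API is not exposed and only the "default" and "tasks_api_access" checks are wanted.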