[glance] How to limit access to particular store

bkslash bkslash at poczta.onet.pl
Thu Jun 10 07:23:41 UTC 2021


Hi Erno,
thank you for your answer. In the meantime I've figured out 2 other "workarounds":
1. I'll make a local file store (based on LVM) with an LVM volume of the size that I need for all my "public" (and protected) images, so there will be no more space to put any customer images. If I need additional space, I'll extend the volume/filesystem to fit my new images. Customer images will go to the other, default store.
2. Of course, modifying filesystem permissions to RO on the store folder would also do the trick, but it would have to be changed back to RW each time I have to modify my images.

I think it would be useful to have the ability to block (via oslo.policy) reading some information (i.e. list stores etc.) and make stores read-only...

Best regards
Adam Tomaś

> On 9 Jun 2021, at 18:28, Erno Kuvaja <ekuvaja at redhat.com> wrote:
> 
> 
>> On Fri, Jun 4, 2021 at 1:56 PM at <bkslash at poczta.onet.pl> wrote:
>> Hi,
>> I have Glance with multi-store config and I want one store (not default) to be read-only for everyone except cloud Admin. How can I do it? Is there any way to limit store names visibility (which are visible i.e. in properties section of "openstack image show IMAGE_NAME" output)?
>> Best regards
>> Adam Tomas
>> 
> Hi Adam,
> 
> Such limitations are not possible at the moment. The only way to really do this if needed is to expose that "admin only" storage as a local web server and use the http store with locations api exposed to said users only.
> 
> - jokke