[Openstack] Listing non-public images in Glance

stuart.mclaren at hp.com stuart.mclaren at hp.com
Fri Jan 20 14:43:15 UTC 2012


>>  b) If authentication is not in effect, should we change to listing
>>    everything, public and not? I can file a bug and see it implemented.

In case it's useful, I think that currently (without authentication)
a command such as:

curl http://localhost:9292/v1/images?is_public=None

will list both public and private images.

-Stuart


On Thu, 19 Jan 2012, Jay Pipes wrote:

> Hi Pete! Answers inline :)
>
> On Thu, Jan 19, 2012 at 2:26 PM, Pete Zaitcev <zaitcev at redhat.com> wrote:
>> Hello:
>>
>> This clearly seems like I am missing something obvious, but is it
>> possible to list non-public images in Glance?
>
> No. But if you know the ID, you can issue a call to HEAD|GET
> /images/<ID> and it will show you the image information. This was done
> this way for legacy reasons IIRC. Nowadays, with authentication
> enabled, you have much better, finer-grained, and logical access
> permissions to images (see below)
>
>> It came up because I have a Glance setup without Keystone or other
>> authentication for now, like this:
>>
>>  [pipeline:glance-api]
>>  pipeline = versionnegotiation context apiv1app
>>
>> Images that have "X-Image-Meta-Is_public: False" do not get listed
>> with "glance index". I am not saying that it is wrong per se, all the
>> documentation implies that a GET to /v1/images only produces a listing
>> of public images, and it looks like all functional and unit tests
>> in ./glance/tests set the public flag as necessary.
>
> Correct.
>
>> But I'm wondering:
>>
>>  a) If authentication is in effect, can users list their own images?
>
> Yes. If authentication is enabled and a user calls GET /images, they
> see a list of non-deleted, non-killed-status *public* images
> (is_public=True) AND any images where the owner_id is the user's
> Tenant or User ID AND any images that have manually been shared with
> the Tenant or User ID via the image-memberships functionality.
>
> Note that I say "Tenant or User" above. There is a configuration value
> (owner_is_tenant, default is True) that controls whether the
> authentication layer considers the X-Auth-Tenant or the X-Auth-User
> value as being the owner...
>
>>    It is easy to forget what you have. The Image Warehouse service
>>    in Aeolus permits listing images regardless, as long as bucket
>>    is accessible.
>>
>>  b) If authentication is not in effect, should we change to listing
>>    everything, public and not? I can file a bug and see it implemented.
>
> Interesting proposal, and one we debated over when Kevin Mitchell
> originally added support for authentication (and thus image
> ownership). We decided to keep it the way it is because we did not
> want to change existing behaviour of servers that did not have
> authentication enabled...
>
> Cheers!
> -jay
>
>> -- Pete
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack at lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp

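The listing rule Jay describes for GET /images, modelled as an added example that is not part of the original thread and is not Glance source code. The Image and Context classes, the visible_images function and the sample records are all constructed for illustration; only owner_is_tenant and the is_public flag come from the thread.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Image:
    id: int
    is_public: bool
    owner: Optional[str] = None
    status: str = "active"
    deleted: bool = False
    members: set = field(default_factory=set)  # tenants/users it is shared with


@dataclass
class Context:
    tenant: Optional[str] = None
    user: Optional[str] = None
    owner_is_tenant: bool = True  # config value named in the thread, default True

    @property
    def owner(self) -> Optional[str]:
        # Which identity counts as "the owner" depends on owner_is_tenant.
        return self.tenant if self.owner_is_tenant else self.user


def visible_images(images, ctx: Optional[Context] = None):
    """Ids a listing would return; ctx=None models a server without authentication."""
    listed = []
    for img in images:
        if img.deleted or img.status == "killed":
            continue  # never listed, public or not
        if img.is_public:
            listed.append(img.id)
        elif ctx is not None and ctx.owner is not None and (
            img.owner == ctx.owner or ctx.owner in img.members
        ):
            listed.append(img.id)  # owned by, or shared with, the caller
    return listed


# Constructed sample records
IMAGES = [
    Image(1, True),
    Image(2, False, owner="tenant-a"),
    Image(3, False, owner="tenant-b", members={"tenant-a"}),
    Image(4, False, owner="tenant-b"),
    Image(5, True, status="killed"),
    Image(6, False, owner="alice"),
]
```

The model covers only the default listing; it does not reproduce the is_public=None query or the direct GET /images/<ID> lookup mentioned in the thread, both of which bypass this filter when authentication is off.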
