[release-announce] [glance] glance 15.0.0 (pike)
no-reply at openstack.org
no-reply at openstack.org
Wed Aug 30 11:14:57 UTC 2017
We are happy to announce the release of:
glance 15.0.0: OpenStack Image Service
This release is part of the pike release series.
Download the package from:
https://tarballs.openstack.org/glance/
For more details, please see below.
15.0.0
^^^^^^
New Features
************
* A new policy, "tasks_api_access" has been introduced so that
ordinary user credentials may be used by Glance to manage the tasks
that accomplish the interoperable image import process without
requiring that operators expose the Tasks API to end users.
Upgrade Notes
*************
* If you wish to enable the EXPERIMENTAL version 2.6 API that
contains the new interoperable image import functionality, set the
configuration option "enable_image_import" to True in the glance-
api.conf file. The default value for this option is False.
The interoperable image import functionality uses the Glance tasks
engine. This is transparent to end users, as they do *not* use the
Tasks API for the interoperable image import workflow. The
operator, however, must make sure that the following configuration
options are set correctly.
* "enable_image_import"
* "node_staging_uri"
* the options in the "[task]" group
* the options in the "[taskflow_executor]" group
See the documentation in the sample glance-api.conf file for more
information.
Additionally, you will need to verify that the task-related policies
in the Glance policy.json file are set correctly. These settings
are described below.
* A new policy, "tasks_api_access" has been introduced so that
ordinary user credentials may be used by Glance to manage the tasks
that accomplish the interoperable image import process without
requiring that operators expose the Tasks API to end users.
The Tasks API was made admin-only by default in Mitaka by
restricting the following policy targets to **role:admin**:
**get_task**, **get_tasks**, **add_task**, and **modify_task**.
The new "tasks_api_access" policy target directly controls access to
the Tasks API, whereas targets just mentioned indirectly affect what
can be manipulated via the API by controlling what operations can be
performed on Glance's internal task objects. The key point is that
if you want to expose the new interoperable image import process to
end users while keeping the Tasks API admin-only, you can accomplish
this by using the following settings:
To summarize: end users do **not** need access to the Tasks API in
order to use the new interoperable image import process. They do,
however, need permission to access internal Glance task objects.
We recommend that all operators adopt the policy settings just
described independently of the decision whether to expose the
EXPERIMENTAL version 2.6 API.
(https://developer.openstack.org/api-ref/image/v2/index.html#tasks)
Security Issues
***************
* A new policy, "tasks_api_access" has been introduced so that
ordinary user credentials may be used by Glance to manage the tasks
that accomplish the interoperable image import process without
requiring that operators expose the Tasks API to end users.
This is a good time to review your Glance "policy.json" file to make
sure that if it contains a "default" target, the rule is fairly
restrictive ("role:admin" or "!" are good choices). The "default"
target is used when the policy engine cannot find the target it's
looking for. This can happen when a new policy is introduced but
the policy file in use is from a prior release.
Other Notes
***********
* The Image Service API Reference has been updated with a section on
the Interoperable image import process (also known as "image import
refactored") and the API calls that are exposed to implement it in
the EXPERIMENTAL v2.6 of the API.
(https://developer.openstack.org/api-ref/image/v2/index.html
#interoperable-image-import)
Changes in glance 15.0.0.0rc1..15.0.0
-------------------------------------
9820166 Fix api_image_import tasks stuck in 'pending'
4920799 Add doc note on using chunked encoding with uwsgi
8b13f43 Regenerate sample config files
92e2048 Correct group name in config
4e1d51e Add release note for Glance Pike RC-2
1a0ac2b api-ref: add interoperable image import docs
fc65a9e Fix Image API 'versions' response
c8873cc Return 404 for import-info call
c99a9c9 Fix 500 error from image-import call
84c7ad4 api-ref: update container_format, disk_format
f6d384f Add 'tasks_api_access' policy
7a14edd Add 'api_image_import' type to task(s) schemas
beb3e98 Fix 500 error from image-stage call
3a28118 Update invalid path and link for Image Properties
e612a90 Update UPPER_CONSTRAINTS_FILE for stable/pike
8bba8b5 Update .gitreview for stable/pike
Diffstat (except docs and test files)
-------------------------------------
.gitreview | 1 +
api-ref/source/v2/images-images-v2.inc | 2 +
api-ref/source/v2/images-import.inc | 244 +++++++++++
.../source/v2/images-parameters-descriptions.inc | 24 +-
api-ref/source/v2/images-parameters.yaml | 34 +-
api-ref/source/v2/index.rst | 1 +
.../source/v2/samples/image-import-request.json | 5 +
.../v2/samples/image-info-import-response.json | 9 +
.../v2/samples/schemas-image-show-response.json | 4 +-
.../v2/samples/schemas-images-list-response.json | 4 +-
api-ref/source/versions/versions.inc | 2 +
etc/glance-api.conf | 4 +-
etc/glance-cache.conf | 4 +-
etc/glance-registry.conf | 4 +-
etc/glance-scrubber.conf | 4 +-
etc/policy.json | 9 +-
etc/schema-image.json | 4 +-
glance/api/middleware/version_negotiation.py | 3 +-
glance/api/v2/discovery.py | 14 +-
glance/api/v2/image_data.py | 20 +-
glance/api/v2/images.py | 34 +-
glance/api/v2/tasks.py | 21 +-
glance/api/versions.py | 4 +-
glance/async/flows/api_image_import.py | 33 +-
glance/async/taskflow_executor.py | 2 +
glance/common/config.py | 4 +-
glance/common/scripts/utils.py | 7 +-
glance/db/sqlalchemy/api.py | 2 +-
glance/domain/__init__.py | 3 +-
httpd/glance-api-uwsgi.ini | 5 +
httpd/uwsgi-glance-api.conf | 1 +
releasenotes/notes/pike-rc-2-acc173005045e16a.yaml | 89 ++++
setup.cfg | 1 +
tox.ini | 2 +-
41 files changed, 1087 insertions(+), 403 deletions(-)
More information about the Release-announce
mailing list