| Commit message (Collapse) | Author | Age | Files | Lines |
This does two things:
1. It makes us check that the QCOW backing_file is unset on those
types of images. Nova and Cinder do this already to prevent an
arbitrary (and trivial to accomplish) host file exposure exploit.
2. It makes us restrict VMDK files to only allowed subtypes. These
files can name arbitrary files on disk as extents, providing the
same sort of attack. Default that list to just the types we believe
are actually useful for openstack, and which are monolithic.
The configuration option to specify allowed subtypes is added in
glance's config and not in the import options so that we can extend
this check later to image ingest. The format_inspector can tell us
what the type and subtype is, and we could reject those images early
and even in the case where image_conversion is not enabled.
Closes-Bug: #1996188
Change-Id: Idf561f6306cebf756c787d8eefdc452ce44bd5e0
(cherry picked from commit 0d6282a01691cecc2798f7858b181c4bb30f850c)
(cherry picked from commit 4967ab6935cfd0274ae801ac943d01909a236a0a)
(cherry picked from commit dc8e5a5cc7f5e9d1b697e520a7533cc90516db1b)
(cherry picked from commit f45b5f024e765f0000884dfec5ac222124cfbc6d)
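The two checks described in the commit message above, sketched as an added example: this is not Glance's code and not necessarily how Glance performs the checks, since it reads the image headers directly. The names `check_image`, `sample_qcow`, `sample_vmdk` and the contents of `ALLOWED_VMDK_TYPES` are assumptions made for the illustration, and the sample images are constructed.

```python
import re
import struct

QCOW_MAGIC = b"QFI\xfb"
VMDK_MAGIC = b"KDMV"
SECTOR = 512
# Assumed sample allow-list of monolithic subtypes (not taken from the page).
ALLOWED_VMDK_TYPES = {"monolithicSparse", "streamOptimized"}


def check_image(data):
    """Return (accepted, reason) for the raw bytes of an uploaded image."""
    if data[:4] == QCOW_MAGIC:
        if len(data) < 20:
            return False, "qcow: truncated header"
        # Big-endian: version (u32), backing_file_offset (u64),
        # backing_file_size (u32) follow the 4-byte magic.
        _ver, backing_off, backing_len = struct.unpack(">IQI", data[4:20])
        if backing_off or backing_len:
            return False, "qcow: backing_file is set"
        return True, "qcow: no backing file"
    if data[:4] == VMDK_MAGIC:
        if len(data) < 44:
            return False, "vmdk: truncated header"
        # Little-endian sparse header: magic, version, flags, capacity,
        # grainSize, descriptorOffset, descriptorSize (both in sectors).
        *_, desc_off, desc_len = struct.unpack("<IIIQQQQ", data[:44])
        descriptor = data[desc_off * SECTOR:(desc_off + desc_len) * SECTOR]
    elif data.lstrip().startswith(b"# Disk DescriptorFile"):
        descriptor = data  # text-only descriptor that points at other files
    else:
        return True, "other format: not covered by these two checks"
    m = re.search(rb'^\s*createType\s*=\s*"([^"]*)"', descriptor, re.M)
    subtype = m.group(1).decode("ascii", "replace") if m else None
    if subtype not in ALLOWED_VMDK_TYPES:  # a missing subtype fails closed
        return False, f"vmdk: subtype {subtype!r} not allowed"
    return True, f"vmdk: {subtype}"


def sample_qcow(backing_off, backing_len):
    """Constructed QCOW header; only the fields checked above matter."""
    return QCOW_MAGIC + struct.pack(">IQI", 3, backing_off, backing_len)


def sample_vmdk(create_type):
    """Constructed sparse VMDK: header sector plus one descriptor sector."""
    desc = f'# Disk DescriptorFile\ncreateType="{create_type}"\n'.encode()
    hdr = struct.pack("<IIIQQQQ", 0x564D444B, 1, 3, 2048, 128, 1, 1)
    return hdr.ljust(SECTOR, b"\0") + desc.ljust(SECTOR, b"\0")
```

A sparse extent with no embedded descriptor, or a descriptor without a `createType` line, is rejected rather than passed through.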
|
In cases when a package is installed in tox's develop-inst phase upper
constraints are not used if it were not defined in 'deps' of the tox
target. This caused for example 'tox -e docs' to fail in case a package
introduced some branch incompatible change.
There are two options to fix this:
* add the upper constraints to 'deps' of the target (and pre-install
requirements for some cases) OR
* use it in the install_command
In the past the latter needed some extra attention (due to e.g. lower
constraints tests) and projects were encouraged to remove the
install_command, but nowadays this seems better fitting for some
projects and easier to use. So this patch fixes the upper constraints
usage via the custom install_command and by removing it from 'deps'.
Conflicts:
tox.ini
NOTE(elod.illes): conflict is due to branch specific upper constraints
link. Also, lower-constraints is not yet removed from this branch so to
avoid silently using wrong upper constraints instead of lower ones, the
install_command needs to be redefined in lower-constraints target.
Change-Id: Iae07e1c5abde09874928951ac55c2d0355bcd244
(cherry picked from commit 36aedba20e998953333225a9788c084d2e6be6ae)
(cherry picked from commit 49d25474a2cfa1c91649241471c4b7b1b799fd75)
(cherry picked from commit e1a66af4a894b83f27f90eef0826398445b4df97)
|
This job is only useful in the development branch; there's no
point in running it in the stable branches.
Change-Id: If36e64b61767dc5c1df0daec2dd176fecd409926
(cherry picked from commit 06a9228809d574c4e5b1b722e8238b3c45e58885)
(cherry picked from commit 5fbf47378e70537c73394408e69e94449aba1bec)
(cherry picked from commit 3cfbb69c017ed0e2c61f267829a3b79b073832f0)
|
In set_property_atomic() we pass an integer query filter for the
deleted field, since most projects use an integer for this column.
However, in glance the column is a boolean, which trips up postgres
since the types are different (mysql and sqlite work fine). This
minor change to use False instead of 0 should fix that for postgres
users.
Change-Id: I5149df76943c1c19f3204b904c0e2d3ef846bdf7
Closes-Bug: #1953063
(cherry picked from commit 753c74c343ab4ef32879a3dd95c3a956af77f869)
(cherry picked from commit 316ce9659acdec0bc45f8a33825ae3b076199b24)
|
The new networkx requirement apparently causes us to fail the
test_init_copy_flow_as_non_owner test because a None value can not be
added to the flow graph. This just mocks out the glance_store call
that is failing to get the staging store to avoid us choking there
so we can proceed. We are just testing get_flow so we never use it
anyway.
Closes-Bug: #1959361
Change-Id: I6fcb14ad240105ed0b1b9086c6c6c95034b4dd42
(cherry picked from commit ded8ecf3828fa9afd7382f8ba850505ae0541e2c)
|
Taking the advice given here:
http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026905.html
to fix the openstacksdk-functional-devstack job.
This job is not specified in glance's .zuul.yaml, but is brought in
by the integrated-gate-storage template:
https://opendev.org/openstack/tempest/src/commit/86db21ea6afb6c26a21fc143a7d061e947c31a93/zuul.d/integrated-gate.yaml#L382-L398
So we add the job here so that we can override its definition.
Change-Id: I8f1f38df4746cced085fb1cb4e96540763cdda13
(cherry picked from commit b76dd7880cf40f8f2cc9425c54941c5d637401a2)
|
Change-Id: I597a9ec0c2c04e48ce06fc9521cf9fb76aa5250b
|
A slight error in the tasks_get_by_image() DB API method resulted in
our excluding in-progress tasks from the returned list. This is
because those tasks have expires_at=NULL, and we were comparing
the expires_at>=$NOW to find unexpired tasks. This makes us check for
"NULL or not expired" instead.
We did have a test asserting the wrong behavior, but it was done to
increase coverage and thus was asserting the behavior of the code and
not the *desired* behavior. This fixes that as well.
Closes-Bug: #1922928
Change-Id: I1b6971888673b64ef60bed8fbcc97bbcbcf5c2ac
(cherry picked from commit 2a0d2303c3346b3e771a40c0fe4d4dceaf16f992)
|
Since supporting only PY3 (Ussuri) Glance has not been supporting
termination of encrypted connection to the service [0]. The
section was left behind on the configuring doc.
[0] https://docs.openstack.org/releasenotes/glance/ussuri.html#security-issues
Change-Id: I9356bceb914327f526da7b727fa58522ae18856e
Closes-Bug: #1930597
(cherry picked from commit 652780d0299d5734cbc6d21eea74c4fd11797cd1)
|
This reverts commit 810417df865c7b4eb71cee4dfee843d65972852b.
The Swift driver not being able to use Trusts had nothing to do
with the store driver itself nor that keystoneauth1 would have
broken the feature, but rather it not having the functionality
in the first place and us not catching that on reviews.
We should figure out how to test this before we try to replace
this code again.
Change-Id: If12a013404296486dc387b099477d1608b24ba63
Closes-Bug: #1916052
(cherry picked from commit 9b683678b2a19bb1069aace58e054150a78b5f6f)
|
Removed the defaulting to roles part of the deprecation message.
Change-Id: I37d67457efdd8572d41cd839fb00c84f1f197892
Closes-Bug: #1934673
(cherry picked from commit 2d2817375296c7eff5594a092a8463dd31dbf4e4)
|
Update the URL to the upper-constraints file to point to the redirect
rule on releases.openstack.org so that anyone working on this branch
will switch to the correct upper-constraints list automatically when
the requirements repository branches.
Until the requirements repository has a stable/wallaby branch, tests will
continue to use the upper-constraints list on master.
Change-Id: I3343a1d50081bb00846b48782d47b066692c0e81
|
Change-Id: Ib35f365e6cc1548b48facc079b180ba06dca908e
|
This allows us to run unit tests and functional tests using Python3.9.
We also remove all testenv:py3* environments, since tox is able to infer
what version of Python to use from the environment name.
Change-Id: If9ce1475ddfc66c9b37cd3500af982bf3814bf60
|
This restricts all metadef resource manipulation to admin-only, but
still allows users to see everything. There are multiple low-grade
security issues with the metadef API, detailed in the related bug.
Restricting resource manipulation to admin-only solves most of these
concerns.
SecurityImpact
Depends-On: https://review.opendev.org/c/openstack/tempest/+/780108
Change-Id: I333c58e73c202c1f523030e54e03f2868459b595
Related-Bug: #1916926
|
This just makes a trivial typo fix in the minor-code-changes doc.
Change-Id: If0093316c393b09ed4d936d2625b2d27024bfdbc
Co-Authored-By: Abhishek Kekane <akekane@redhat.com>
|
Change-Id: Ifc957de2bcf4d22c1b7cba31ce2b467df9d5aa85
|
Change-Id: I509f042648cc0e437b26cf9bf5008c43038ad047
|
We've broken basic policies into granular checks with simple names and
we use them to construct more complex checks. In that process we
accidentally added some additional nesting to two of the check strings,
which isn't necessary.
This commit updates the check strings to remove an extra set of
parentheses.
Change-Id: Iafa37d64a9779a3b646c34f328c62dfd6cd3e7f3
|
This enables the g-api-r service in devstack, which allows tempest
to run the remote import test, causing it to stage and import an
image across two different workers. Note we disable it for the
standalone mode, since devstack does not support starting another
standalone glance.
Depends-On: https://review.opendev.org/c/openstack/devstack/+/770487
Depends-On: https://review.opendev.org/c/openstack/tempest/+/770520
Change-Id: Ica715fc1922f4b36dd0bb008ef6706b86115ec05
|
Change-Id: Id3a08decd65b1222c0e9d7908ecd07587d2455c9
|
Provide some literature on what we introduced for operators in wallaby,
how they can configure it, and actions we recommend they take. Since
this marks the point at which we consider the feature implemented,
this also removes the legacy-rbac job and makes the secure-rbac job
voting.
Implements: blueprint secure-rbac
Change-Id: I8f980cf7731d26b92b5392fdada21e5be0f541c4
|
At one point, these policies were used to protect actual task API
endpoints. Since then, they have also been used internally within
glance when spawning a task on behalf of the user for long-running
operations (like import).
These policies should not apply to the internal usage, as doing so
prevents the operator from setting them to restrictive values in order
to provide granular access to some roles. In the future we will fix
that by moving those checks out of "the onion" and into the task API
operations themselves, thus decoupling the internal and external uses.
This adds documentation and scope definitions for these policies, as
well as deprecates the "modify_task" policy which is never used and
will be removed in the future. Control over the actual tasks API
remains coarse with the "tasks_api_access" policy until a future
release completes the above decoupling.
Implements: blueprint secure-rbac
Change-Id: I70a58acd78053b54187dba8e35273366f14c47a4
|
This commit updates the policies for image actions to use default roles
available from keystone. Specifically, we're updating the defaults to
use project-member and project-reader personas. The project-admin
persona is still reserved for administrative APIs access for system
administrators/operators. This will remain the case until we can
refactor portions of glance to make it easier to implement system-scope.
NOTE:
Glance is implementing Secure RBAC as EXPERIMENTAL in Wallaby, so to
enable it the operator needs to set ``glance-api.conf [oslo_policy]
enforce_new_defaults=True`` and ``glance-api.conf
enforce_secure_rbac=True``
Implements: blueprint secure-rbac
Change-Id: If0c456617a9e17c006a6ffe2a83f4a73b53da3d0
|
The wait_for_copying() helper will exit the loop if the *last*
store is found in the list, instead of *all* of them. This technically
works if the stores are processed in the same order we are checking,
but it's fragile and likely to fail in confusing ways.
This makes us only exit if all of them are present.
Change-Id: I8d9ba50f46e22b6740fdbdec6f8ef7c61dddbcf1
|
As noted in previous discussions, glance should clean its staging
directory on startup. This is important for scenarios where we
started an import operation, but failed in the middle. If, when we
recover, the image has already been deleted from the database, then
we will never remove the (potentially very large) residue from disk
in our staging directory.
This is currently a problem with web-download, but will also occur
with glance-direct once we have the non-shared distributed import
functionality merged.
Closes-Bug: #1913625
Change-Id: Ib80e9cfb58680f9e8ead5993dc206f4da882dd09
|
This fixes the ImageStub in the test_cache_middleware module, which
does not implement enough of a real image to be usable in the next
patch where we need to dict() it. This does that refactor ahead of
time so that patch is smaller.
Change-Id: Ie86e0ae16c81fb7aa353dd350f0a4f3cf852d893
|
This makes the copy_image plugin use the action wrapper for its
manipulation of the image, in line with all the others. This adds
image_size and image_locations properties to the wrapper, which
copy-image needs.
Change-Id: Id5251b77fe1671594912e0dcfef7296007dab9b5
|
This makes the inject_image_metadata task use the ImportActionWrapper.
Because of the inbuilt rejection of internal os_glance_* property
manipulation, this also brings an operator-visible change to the
injection behavior. Specifically, os_glance_* keys can no longer be
injected via config (nor should they ever have been).
Change-Id: Ib1138ee2cd0383f14c710716f3c103a146b0c4dd