Disable expose_image_locations whenever S3 is enabled
This is a follow-up change on Id2e9d4351513341b5ee41fa8a8d677aca6580fca. Instead of relying on users to set expose-image-locations=false, which is error prone, disable expose_image_locations from the charm side whenever the S3 backend is enabled, so that S3 credentials are not exposed through the Glance API. Closes-Bug: 1935743 Change-Id: Iac0f27418eec6c818df8cc3fa1c133db38d26069
parent
434ab4b5ee
commit
cacc3d5a5b
|
@ -104,18 +104,17 @@ Proceed with the common group of commands from the Ceph scenario.
|
|||
The step below assumes an external and pre-existing S3 compatible server
|
||||
available.
|
||||
|
||||
S3 server information can be passed via charm config options, and you
|
||||
must set `expose-image-locations` as false not to expose S3 credentials
|
||||
through Glance API.
|
||||
S3 server information can be passed via charm config options:
|
||||
|
||||
juju config glance \
|
||||
expose-image-locations=false \
|
||||
s3-store-host='http://my-object-storage.example.com:8080' \
|
||||
s3-store-access-key='ACCESS_KEY' \
|
||||
s3-store-secret-key='SECRET_KEY' \
|
||||
s3-store-bucket='BUCKET_NAME'
|
||||
|
||||
> **Note**: The S3 backend is supported starting with OpenStack Ussuri.
|
||||
Enabling S3 backend overrides `expose-image-locations` as false not to
|
||||
expose S3 credentials through Glance API.
|
||||
|
||||
### Local storage
|
||||
|
||||
|
|
16
config.yaml
16
config.yaml
|
@ -226,9 +226,14 @@ options:
|
|||
type: boolean
|
||||
default: True
|
||||
description: |
|
||||
Expose underlying image locations via the API when using Ceph for image
|
||||
storage. Only disable this option if you do not wish to use
|
||||
copy-on-write clones of RAW format images with Ceph in Cinder and Nova.
|
||||
Expose underlying image locations via the API. Enabling this is
|
||||
useful especially when using Ceph for image storage. Only disable
|
||||
this option if you do not wish to use copy-on-write clones of RAW
|
||||
format images with Ceph in Cinder and Nova.
|
||||
.
|
||||
NOTE: When S3 backend is enabled, this value will be ignored. The
|
||||
charm will not expose the image location for all backends not to
|
||||
expose S3 credentials.
|
||||
restrict-image-location-operations:
|
||||
type: boolean
|
||||
default: False
|
||||
|
@ -541,8 +546,9 @@ options:
|
|||
http://my-object-storage.example.com:8080
|
||||
.
|
||||
NOTE: The S3 backend can be enabled only for Ussuri or later
|
||||
releases with this charm. You must set expose-image-locations as
|
||||
false not to expose S3 credentials through Glance API.
|
||||
releases with this charm. Enabling S3 backend will override
|
||||
expose-image-locations as false not to expose S3 credentials
|
||||
through Glance API.
|
||||
s3-store-access-key:
|
||||
type: string
|
||||
default:
|
||||
|
|
|
@ -24,7 +24,8 @@ from charmhelpers.core.hookenv import (
|
|||
service_name,
|
||||
config,
|
||||
log as juju_log,
|
||||
ERROR
|
||||
ERROR,
|
||||
WARNING
|
||||
)
|
||||
|
||||
from charmhelpers.contrib.openstack.context import (
|
||||
|
@ -162,11 +163,6 @@ class ExternalS3Context(OSContextGenerator):
|
|||
"s3-store-bucket",
|
||||
)
|
||||
|
||||
def __init__(self):
|
||||
self.required_values = [
|
||||
config(key) for key in self.required_config_keys
|
||||
]
|
||||
|
||||
def __call__(self):
|
||||
try:
|
||||
self.validate()
|
||||
|
@ -183,12 +179,19 @@ class ExternalS3Context(OSContextGenerator):
|
|||
"s3_store_secret_key": config("s3-store-secret-key"),
|
||||
"s3_store_bucket": config("s3-store-bucket"),
|
||||
}
|
||||
if config("expose-image-locations"):
|
||||
juju_log("Forcibly overriding expose_image_locations "
|
||||
"not to expose S3 credentials", level=WARNING)
|
||||
ctxt["expose_image_locations"] = False
|
||||
return ctxt
|
||||
|
||||
return {}
|
||||
|
||||
def validate(self):
|
||||
if all(self.required_values):
|
||||
required_values = [
|
||||
config(key) for key in self.required_config_keys
|
||||
]
|
||||
if all(required_values):
|
||||
# The S3 backend was once removed in Newton development cycle and
|
||||
# added back in Ussuri cycle in Glance upstream. As we rely on
|
||||
# python3-boto3 in the charm, don't enable the backend before
|
||||
|
@ -202,7 +205,7 @@ class ExternalS3Context(OSContextGenerator):
|
|||
level=ERROR,
|
||||
)
|
||||
raise ValueError("{} is not supported".format(_release))
|
||||
elif any(self.required_values):
|
||||
elif any(required_values):
|
||||
juju_log(
|
||||
"Unable to use S3 backend without all required S3 options "
|
||||
"defined. Missing keys: {}".format(
|
||||
|
@ -264,7 +267,13 @@ class MultiBackendContext(OSContextGenerator):
|
|||
s3_ctx = ExternalS3Context()()
|
||||
if not s3_ctx:
|
||||
return
|
||||
return s3_ctx
|
||||
ctx = {
|
||||
"s3_store_host": s3_ctx["s3_store_host"],
|
||||
"s3_store_access_key": s3_ctx["s3_store_access_key"],
|
||||
"s3_store_secret_key": s3_ctx["s3_store_secret_key"],
|
||||
"s3_store_bucket": s3_ctx["s3_store_bucket"],
|
||||
}
|
||||
return ctx
|
||||
|
||||
def __call__(self):
|
||||
ctxt = {
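Review bot: `MultiBackendContext.__call__` now returns `s3_ctx` unchanged (the `return s3_ctx` line), so the `expose_image_locations: False` that `ExternalS3Context.__call__` adds to that dict is also carried into whatever the multi-backend template renders; that appears to be the intent, but the removed code deliberately copied only the four `s3_*` keys, so a later reader could "tidy" it back and drop the override. A one-line comment above the return would pin it: `# Return the S3 context as-is: it intentionally carries expose_image_locations=False so the override reaches every template that consumes this context.` In the `__call__` hunk the override is applied unconditionally before `return ctxt` while the WARNING fires only when the operator had the option on, which is fine, but the log text could name the user-facing option (`expose-image-locations`) so operators can grep their config for it. `ExternalS3Context.__call__` starts before its hunk and `MultiBackendContext.__call__` continues past the last hunk shown.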
|
||||
|
|
|
@ -202,7 +202,8 @@ CONFIG_FILES = OrderedDict([
|
|||
service=['glance-api'],
|
||||
config_file=GLANCE_API_CONF),
|
||||
context.MemcacheContext(),
|
||||
glance_contexts.GlanceImageImportContext()],
|
||||
glance_contexts.GlanceImageImportContext(),
|
||||
glance_contexts.ExternalS3Context()],
|
||||
'services': ['glance-api']
|
||||
}),
|
||||
(GLANCE_SWIFT_CONF, {
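Review bot: The credential protection this commit adds only holds if `glance_contexts.ExternalS3Context()` remains the last entry in the glance-api.conf context list: if the renderer merges context dicts in list order (as I believe charmhelpers' OSConfigRenderer does), an `expose_image_locations` value supplied by an earlier context is overwritten by the S3 context's `False`, and moving this entry earlier would silently re-expose the S3 credentials through the image-locations API. Nothing in the hunk documents or enforces that ordering. Suggest `# Keep last: forces expose_image_locations=False whenever the S3 backend is enabled` on the `glance_contexts.ExternalS3Context()` line, plus a unit test that renders the merged glance-api.conf context with S3 options set and asserts `expose_image_locations` is False. The `CONFIG_FILES` OrderedDict begins before and continues past this hunk.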
|
||||
|
|
|
@ -211,12 +211,14 @@ class TestGlanceContexts(CharmTestCase):
|
|||
secret_key = 'my-secret-key'
|
||||
bucket = 'my-bucket'
|
||||
config = {
|
||||
'expose-image-locations': True,
|
||||
's3-store-host': host_name,
|
||||
's3-store-access-key': access_key,
|
||||
's3-store-secret-key': secret_key,
|
||||
's3-store-bucket': bucket}
|
||||
self.config.side_effect = lambda x: config[x]
|
||||
expected_ctx = {
|
||||
'expose_image_locations': False,
|
||||
's3_store_host': host_name,
|
||||
's3_store_access_key': access_key,
|
||||
's3_store_secret_key': secret_key,
|
||||
|
@ -400,6 +402,7 @@ class TestGlanceContexts(CharmTestCase):
|
|||
s3_secret_key = 'my-secret-key'
|
||||
s3_bucket = 'my-bucket'
|
||||
conf_dict = {
|
||||
'expose-image-locations': True,
|
||||
'filesystem-store-datadir': data_dir,
|
||||
's3-store-host': s3_host,
|
||||
's3-store-access-key': s3_access_key,
|
||||
|
|