Disable expose_image_locations whenever S3 is enabled

This is a follow-up change on Id2e9d4351513341b5ee41fa8a8d677aca6580fca
Instead of relying on users to set expose-image-locations=false, which is
error prone, disable expose_image_locations from the charm side whenever
the S3 backend is enabled, so that the S3 credentials are not exposed.

Closes-Bug: 1935743
Change-Id: Iac0f27418eec6c818df8cc3fa1c133db38d26069
Nobuto Murata 2021-07-10 22:45:35 +09:00
parent 434ab4b5ee
commit cacc3d5a5b
5 changed files with 37 additions and 19 deletions


@ -104,18 +104,17 @@ Proceed with the common group of commands from the Ceph scenario.
The step below assumes an external and pre-existing S3 compatible server
available.
S3 server information can be passed via charm config options, and you
must set `expose-image-locations` as false not to expose S3 credentials
through Glance API.
S3 server information can be passed via charm config options:
juju config glance \
expose-image-locations=false \
s3-store-host='http://my-object-storage.example.com:8080' \
s3-store-access-key='ACCESS_KEY' \
s3-store-secret-key='SECRET_KEY' \
s3-store-bucket='BUCKET_NAME'
> **Note**: The S3 backend is supported starting with OpenStack Ussuri.
Enabling S3 backend overrides `expose-image-locations` as false not to
expose S3 credentials through Glance API.
### Local storage


@ -226,9 +226,14 @@ options:
type: boolean
default: True
description: |
Expose underlying image locations via the API when using Ceph for image
storage. Only disable this option if you do not wish to use
copy-on-write clones of RAW format images with Ceph in Cinder and Nova.
Expose underlying image locations via the API. Enabling this is
useful especially when using Ceph for image storage. Only disable
this option if you do not wish to use copy-on-write clones of RAW
format images with Ceph in Cinder and Nova.
.
NOTE: When S3 backend is enabled, this value will be ignored. The
charm will not expose the image location for all backends not to
expose S3 credentials.
restrict-image-location-operations:
type: boolean
default: False
@ -541,8 +546,9 @@ options:
http://my-object-storage.example.com:8080
.
NOTE: The S3 backend can be enabled only for Ussuri or later
releases with this charm. You must set expose-image-locations as
false not to expose S3 credentials through Glance API.
releases with this charm. Enabling S3 backend will override
expose-image-locations as false not to expose S3 credentials
through Glance API.
s3-store-access-key:
type: string
default:


@ -24,7 +24,8 @@ from charmhelpers.core.hookenv import (
service_name,
config,
log as juju_log,
ERROR
ERROR,
WARNING
)
from charmhelpers.contrib.openstack.context import (
@ -162,11 +163,6 @@ class ExternalS3Context(OSContextGenerator):
"s3-store-bucket",
)
def __init__(self):
self.required_values = [
config(key) for key in self.required_config_keys
]
def __call__(self):
try:
self.validate()
@ -183,12 +179,19 @@ class ExternalS3Context(OSContextGenerator):
"s3_store_secret_key": config("s3-store-secret-key"),
"s3_store_bucket": config("s3-store-bucket"),
}
if config("expose-image-locations"):
juju_log("Forcibly overriding expose_image_locations "
"not to expose S3 credentials", level=WARNING)
ctxt["expose_image_locations"] = False
return ctxt
return {}
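Review bot: The forced `ctxt["expose_image_locations"] = False` only has an effect if this context is merged after whichever context supplies `expose_image_locations` from charm config, and nothing in `__call__` records that ordering requirement; add `# Must win over the config-derived value: S3 locations carry the store credentials` above the assignment. The rendering has lost the indentation, so confirm the assignment sits outside the `if config("expose-image-locations"):` block — the intent is clearly that the key is always forced to False, and only the warning should depend on the operator's setting. The warning names the internal template key `expose_image_locations`; naming the charm option `expose-image-locations` instead would tell operators which setting is being overridden. `__call__` begins before this hunk.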
def validate(self):
if all(self.required_values):
required_values = [
config(key) for key in self.required_config_keys
]
if all(required_values):
# The S3 backend was once removed in Newton development cycle and
# added back in Ussuri cycle in Glance upstream. As we rely on
# python3-boto3 in the charm, don't enable the backend before
@ -202,7 +205,7 @@ class ExternalS3Context(OSContextGenerator):
level=ERROR,
)
raise ValueError("{} is not supported".format(_release))
elif any(self.required_values):
elif any(required_values):
juju_log(
"Unable to use S3 backend without all required S3 options "
"defined. Missing keys: {}".format(
@ -264,7 +267,13 @@ class MultiBackendContext(OSContextGenerator):
s3_ctx = ExternalS3Context()()
if not s3_ctx:
return
return s3_ctx
ctx = {
"s3_store_host": s3_ctx["s3_store_host"],
"s3_store_access_key": s3_ctx["s3_store_access_key"],
"s3_store_secret_key": s3_ctx["s3_store_secret_key"],
"s3_store_bucket": s3_ctx["s3_store_bucket"],
}
return ctx
def __call__(self):
ctxt = {


@ -202,7 +202,8 @@ CONFIG_FILES = OrderedDict([
service=['glance-api'],
config_file=GLANCE_API_CONF),
context.MemcacheContext(),
glance_contexts.GlanceImageImportContext()],
glance_contexts.GlanceImageImportContext(),
glance_contexts.ExternalS3Context()],
'services': ['glance-api']
}),
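Review bot: `glance_contexts.ExternalS3Context()` is appended as the last entry of the glance-api.conf context list, and that position is what lets its `expose_image_locations: False` override a value an earlier context derives from charm config, assuming the renderer merges contexts in list order; nothing marks the entry as order-sensitive. Add `# Keep last: forces expose_image_locations=False whenever the S3 backend is configured` on the new line so a later reordering does not silently re-expose the S3 credentials through the image locations API. The `CONFIG_FILES` OrderedDict starts before this hunk.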
(GLANCE_SWIFT_CONF, {


@ -211,12 +211,14 @@ class TestGlanceContexts(CharmTestCase):
secret_key = 'my-secret-key'
bucket = 'my-bucket'
config = {
'expose-image-locations': True,
's3-store-host': host_name,
's3-store-access-key': access_key,
's3-store-secret-key': secret_key,
's3-store-bucket': bucket}
self.config.side_effect = lambda x: config[x]
expected_ctx = {
'expose_image_locations': False,
's3_store_host': host_name,
's3_store_access_key': access_key,
's3_store_secret_key': secret_key,
@ -400,6 +402,7 @@ class TestGlanceContexts(CharmTestCase):
s3_secret_key = 'my-secret-key'
s3_bucket = 'my-bucket'
conf_dict = {
'expose-image-locations': True,
'filesystem-store-datadir': data_dir,
's3-store-host': s3_host,
's3-store-access-key': s3_access_key,