Glance-deactivate-image

Revision as of 16:11, 14 February 2014

This is the full specification for the blueprint https://blueprints.launchpad.net/glance/+spec/deactivate-image

Proposal

Introduce a new image status, 'deactivated'. When an image is in this state, access to the image's data (i.e., what is served from /v2/images/{image_id}/file) would be prohibited to any non-admin user.

Deny other operations?

The proposal would still allow other operations on a deactivated image; e.g., it could be shared with more users (although those users would not be able to use the image). We don't think this is a problem ... but we are open to other opinions!

FAQ

What does deactivating an image mean and what does it do?

The aim of deactivating an image is to prevent any further instance builds from it. To achieve this, we propose to prohibit image downloads on a deactivated image. For example, when someone tries to boot an instance from a deactivated image, nova would be unable to fetch the image data and the boot would eventually fail. Prohibiting image downloads also prohibits operations such as image export and image cloning that require the image data.

Why prohibit image export and image cloning?

Both operations give access to the image data and could therefore lead to further instance boots. Hence, we propose to prohibit these as well.

When can an image be deactivated?

An image can be deactivated only when it is already active. An image in any other status cannot be deactivated.

Is the image data still available when the image is deactivated?

Yes. The image data at all of its locations remains intact; the only change is that nobody can download the image, and hence nobody can perform any operation that requires the image data, such as an instance boot, an image export, or image cloning.

Who can deactivate an image?

There may be a use case for allowing a user to deactivate an image, but we see this primarily as an admin operation. If it were exposed to users, they could reactivate an image that the glance admin has placed under investigation. Hence this operation should be restricted to admins.

Another possibility would be to protect the deactivate action by a policy where the default setting would be admin-only. Then it would be up to the deployer to decide who is allowed access to the call.
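The following is an added example (not Glance code) that models the rules stated in the Proposal and in this FAQ: the active to deactivated transition, download denied to non-admins while deactivated, sharing still permitted, and a deployer-editable policy table whose default is admin-only. The policy rule names "deactivate_image" and "reactivate_image" and the policy-table shape are assumptions for the example.

```python
class Forbidden(Exception):
    """Raised when the caller's roles do not satisfy the policy for an action."""

class Conflict(Exception):
    """Raised on an invalid status transition (HTTP 409 in the Images API)."""

# Constructed policy table shaped like a policy.json rule -> allowed roles map.
# The rule names are assumptions; the admin-only default follows the spec's FAQ.
DEFAULT_POLICY = {
    "deactivate_image": {"admin"},
    "reactivate_image": {"admin"},
}

class Image:
    def __init__(self, image_id, owner, status="active"):
        self.id = image_id
        self.owner = owner
        self.status = status
        self.members = set()                    # projects the image is shared with
        self.data = b"constructed image bytes"  # stands in for the stored image file

def enforce(policy, rule, roles):
    """Deny unless at least one of the caller's roles is allowed by the rule."""
    if not policy[rule] & set(roles):
        raise Forbidden(rule)

def deactivate(image, roles, policy=DEFAULT_POLICY):
    """Only an 'active' image may move to 'deactivated'."""
    enforce(policy, "deactivate_image", roles)
    if image.status != "active":
        raise Conflict(f"cannot deactivate an image in status {image.status!r}")
    image.status = "deactivated"
    return image.status

def reactivate(image, roles, policy=DEFAULT_POLICY):
    """Reverse transition; admin-only by default so users cannot undo an admin's action."""
    enforce(policy, "reactivate_image", roles)
    if image.status != "deactivated":
        raise Conflict(f"cannot reactivate an image in status {image.status!r}")
    image.status = "active"
    return image.status

def download(image, roles):
    """GET /v2/images/{image_id}/file: data is withheld from non-admins while deactivated."""
    if image.status == "deactivated" and "admin" not in roles:
        raise Forbidden("image is deactivated")
    return image.data

def add_member(image, project):
    """Sharing stays allowed on a deactivated image; the new member still cannot download."""
    image.members.add(project)
    return project in image.members

def outcome(fn, *args):
    """Return the call's result, or the name of the exception it raised."""
    try:
        return fn(*args)
    except (Forbidden, Conflict) as exc:
        return type(exc).__name__
```

A deployer who widens the "deactivate_image" rule to include "member" lets project users deactivate their own images, while leaving "reactivate_image" admin-only keeps the investigation case in the FAQ covered.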