Update glance default policy values

Currently, when users try to navigate through horizon panels or use the command-line interface that contains calls to /api/glance/metadefs it will pop up insufficient permission errors due to the fact we are disabling [1] the metadef APIs in glance addressing OSSN-0088 [2]. As a side effect on how we address the OSSN, all API calls to metadefs will be forbidden for any user, which is not recommended in production environments. However, we have the current recommendation of the OSSN which allows CRUD of metadef to admin only and provide read access to all users. [1] aab5ee7711 [2] https://wiki.openstack.org/wiki/OSSN/OSSN-0088 Story: 2008761 Task: 42128 Change-Id: Ib1415cadbbfab874a8d44ac6b5c6fba3c7502242
2021-03-25 19:32:08 -03:00 · 2021-03-25 19:32:08 -03:00 · 8f38a1c45f
commit 8f38a1c45f
parent bd476a6677
6 changed files with 60 additions and 37 deletions
--- a/glance/Chart.yaml
+++ b/glance/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Glance
 name: glance
-version: 0.1.7
+version: 0.1.8
 home: https://docs.openstack.org/glance/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
 sources:
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -194,6 +194,8 @@ conf:
    filter:http_proxy_to_wsgi:
      paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
  policy:
+    metadef_default: ''
+    metadef_admin: 'role:admin'
    context_is_admin: role:admin
    default: role:admin
    add_image: ''
@ -220,26 +222,32 @@ conf:
    modify_task: role:admin
    deactivate: ''
    reactivate: ''
-    get_metadef_namespace: '!'
-    get_metadef_namespaces: '!'
-    modify_metadef_namespace: '!'
-    add_metadef_namespace: '!'
-    get_metadef_object: '!'
-    get_metadef_objects: '!'
-    modify_metadef_object: '!'
-    add_metadef_object: '!'
-    list_metadef_resource_types: '!'
-    get_metadef_resource_type: '!'
-    add_metadef_resource_type_association: '!'
-    get_metadef_property: '!'
-    get_metadef_properties: '!'
-    modify_metadef_property: '!'
-    add_metadef_property: '!'
-    get_metadef_tag: '!'
-    get_metadef_tags: '!'
-    modify_metadef_tag: '!'
-    add_metadef_tag: '!'
-    add_metadef_tags: '!'
+    get_metadef_namespace: rule:metadef_default
+    get_metadef_namespaces: rule:metadef_default
+    modify_metadef_namespace: rule:metadef_admin
+    add_metadef_namespace: rule:metadef_admin
+    delete_metadef_namespace: rule:metadef_admin
+    get_metadef_object: rule:metadef_default
+    get_metadef_objects: rule:metadef_default
+    modify_metadef_object: rule:metadef_admin
+    add_metadef_object: rule:metadef_admin
+    delete_metadef_object: rule:metadef_admin
+    list_metadef_resource_types: rule:metadef_default
+    get_metadef_resource_type: rule:metadef_default
+    add_metadef_resource_type_association: rule:metadef_admin
+    remove_metadef_resource_type_association: rule:metadef_admin
+    get_metadef_property: rule:metadef_default
+    get_metadef_properties: rule:metadef_default
+    modify_metadef_property: rule:metadef_admin
+    add_metadef_property: rule:metadef_admin
+    remove_metadef_property: rule:metadef_admin
+    get_metadef_tag: rule:metadef_default
+    get_metadef_tags: rule:metadef_default
+    modify_metadef_tag: rule:metadef_admin
+    add_metadef_tag: rule:metadef_admin
+    add_metadef_tags: rule:metadef_admin
+    delete_metadef_tag: rule:metadef_admin
+    delete_metadef_tags: rule:metadef_admin
  glance:
    DEFAULT:
      log_config_append: /etc/glance/logging.conf
--- a/horizon/Chart.yaml
+++ b/horizon/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Horizon
 name: horizon
-version: 0.1.6
+version: 0.1.7
 home: https://docs.openstack.org/horizon/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Horizon/OpenStack_Project_Horizon_vertical.png
 sources:
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -1036,12 +1036,36 @@ conf:
        'volume_extension:volume_type_encryption': 'rule:admin_api'
        'volume_extension:volume_unmanage': 'rule:admin_api'
      glance:
+        metadef_default: ''
+        metadef_admin: 'role:admin'
+        get_metadef_namespace: 'rule:metadef_default'
+        get_metadef_namespaces: 'rule:metadef_default'
+        modify_metadef_namespace: 'rule:metadef_admin'
+        add_metadef_namespace: 'rule:metadef_admin'
+        delete_metadef_namespace: 'rule:metadef_admin'
+        get_metadef_object: 'rule:metadef_default'
+        get_metadef_objects: 'rule:metadef_default'
+        modify_metadef_object: 'rule:metadef_admin'
+        add_metadef_object: 'rule:metadef_admin'
+        delete_metadef_object: 'rule:metadef_admin'
+        list_metadef_resource_types: 'rule:metadef_default'
+        get_metadef_resource_type: 'rule:metadef_default'
+        add_metadef_resource_type_association: 'rule:metadef_admin'
+        remove_metadef_resource_type_association: 'rule:metadef_admin'
+        get_metadef_property: 'rule:metadef_default'
+        get_metadef_properties: 'rule:metadef_default'
+        modify_metadef_property: 'rule:metadef_admin'
+        add_metadef_property: 'rule:metadef_admin'
+        remove_metadef_property: 'rule:metadef_admin'
+        get_metadef_tag: 'rule:metadef_default'
+        get_metadef_tags: 'rule:metadef_default'
+        modify_metadef_tag: 'rule:metadef_admin'
+        add_metadef_tag: 'rule:metadef_admin'
+        add_metadef_tags: 'rule:metadef_admin'
+        delete_metadef_tag: 'rule:metadef_admin'
+        delete_metadef_tags: 'rule:metadef_admin'
        add_image: ''
        add_member: ''
-        add_metadef_namespace: ''
-        add_metadef_object: ''
-        add_metadef_property: ''
-        add_metadef_resource_type_association: ''
        add_task: ''
        admin_or_owner: 'is_admin:True or project_id:%(project_id)s'
        context_is_admin: 'role:admin'
@ -1050,28 +1074,17 @@ conf:
        delete_image: 'rule:admin_or_owner'
        delete_image_location: ''
        delete_member: ''
-        delete_metadef_namespace: ''
        download_image: ''
        get_image: ''
        get_image_location: ''
        get_images: ''
        get_member: ''
        get_members: ''
-        get_metadef_namespace: ''
-        get_metadef_namespaces: ''
-        get_metadef_object: ''
-        get_metadef_objects: ''
-        get_metadef_properties: ''
-        get_metadef_property: ''
        get_task: ''
        get_tasks: ''
-        list_metadef_resource_types: ''
        manage_image_cache: 'role:admin'
        modify_image: 'rule:admin_or_owner'
        modify_member: ''
-        modify_metadef_namespace: ''
-        modify_metadef_object: ''
-        modify_metadef_property: ''
        modify_task: ''
        publicize_image: ''
        set_image_location: ''
--- a/releasenotes/notes/glance.yaml
+++ b/releasenotes/notes/glance.yaml
@ -8,3 +8,4 @@ glance:
  - 0.1.5 Change Issuer to ClusterIssuer
  - 0.1.6 Update glance default policy values
  - 0.1.7 Update storage init script with cacert
+  - 0.1.8 Update glance default policy values
--- a/releasenotes/notes/horizon.yaml
+++ b/releasenotes/notes/horizon.yaml
@ -7,4 +7,5 @@ horizon:
  - 0.1.4 Change Issuer to ClusterIssuer
  - 0.1.5 Revert - Change Issuer to ClusterIssuer
  - 0.1.6 Change Issuer to ClusterIssuer
+  - 0.1.7 Update glance default policy values
 ...