Is there a way to restrict image upload to only admins while allowing users to create instances' and volume snapshots?

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux Openstack Platform v4.0

Issue

We have a new secruity policy to be in place, which asks us to:

  • Disable normal users from upload/create openstack images.

  • Allow only root to upload/create openstack images.

  • All users still keep their rights to create instance snapshots, and vloume snapshots.

It's easy to restrict image upload to only admin using /etc/glance/policy.json, but this also removes the capability of normal users to create instance snapshots and volume snapshots. So how can we restrict image upload to only admin users without removing the instance and volume snapshot facility for normal users?

Resolution

Segment glance's deployment in nodes that allow images to be created and nodes that forbid this. So, nova nodes would talk to the glance-api node that allows users to create images whereas the user will access the glance-api nodes that forbid this.

This can be achieved either by having multiple glance-api nodes (Eg: node-x will allow image upload, but accessible only by nova nodes and node-y will not allow image upload by normal users and will be the end point for normal users) or, if this is not possible, by starting multiple glance-api process on a single node bound to two different network interface cards, one for nova nodes and other for users. We recommend the former setup, if possible.

Moreover upstream has started to discuss a way to do this in a saner way but it's likely to part of the Juno release.

Below steps can be followed to separate glance to two different physical nodes, one to be used by nova which allows image upload and the other one for use with users which disables image upload.

1 - On original glance node (let us call it glance1), disable image upload by normal users by adding below to /etc/glance/policy.json

    "add_image": "role:admin"

Keystone end-points for images will be pointing to this node.

2 - Set up an additional glance node (let us call it glance2) which allows image upload for all users. ie keep default /etc/glance/policy.json

  • Copy /etc/glance/glance-api.conf and /etc/glance/glance-registry.conf to new glance node.
  • Make sure that auth_host, auth_uri, qpid_hostname and sql_connection is properly configured in /etc/glance/glance-api.conf of new node. (The original file may be using localhost for this configuration if the same service is running on the same node)

3 - Both glance nodes should use the same image store. This can be achieved by using swift back end for images or using NFS or a volume mounted from SAN and etc.

4 - On both nova-api server and nova-compute nodes, modify /etc/nova/nova.conf to point to the glance2 for image service.

glance_host=glance2
glance_api_servers=http://glance2:9292/v1

5 - Restart openstack-nova-api and openstack-nova-compute service on required nodes.

Now normal users will not be able to upload images to glance, but they will be able to create snapshot for instances and volumes they create.

Note that, for security purpose, glance2 node that we set up should not be reachable for public users. It need to be reachable only from compute nodes. Please do not add it to public network by setting up a public IP on this node. Connect it only to the openstack management network.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.