Wallaby Series Release Notes

22.0.0

New Features

  • Glance now supports the glance-direct import method without needing shared storage common to all API workers. By telling each API worker the URL by which it can be reached directly (from the other workers), a shared staging directory can be avoided while still allowing users to upload their data for import. See the worker_self_reference_url config option for more details, as well as the Interoperable Image Import docs.

  • While fixing a race condition issue during the Victoria cycle, we started updating the ‘message’ property of the task. This helps calculate time based on the last updated time of the task in order to burst the lock, and also shows how much of that image's data has been copied. As the Glance task APIs are restricted from use by normal users, we are adding a new API, /v2/images/{image_id}/tasks, which will return all tasks associated with that image. In addition to task information, this API will also return the request-id and user-id to help users in debugging.

  • Glance’s default policies now use the member role on projects to protect writeable and readable image actions. Support was also added for read-only access to image resources when the reader role is granted to users on a project. Administrative operations, like creating public images, are still protected using the admin role on a project. Administrative actions will be updated in the future to consume system-scope.

    We encourage you to compare any existing overrides in your deployment with the new defaults. You can use oslopolicy-sample-generator --namespace glance to generate the default policies and use them for comparison.

    The secure RBAC personas implemented in Wallaby are marked as experimental. They will become stable in a future release. You can read more about the various personas in keystone’s Administrator Guide.

    To enable this functionality, you must specify glance-api.conf [DEFAULT] enable_secure_rbac=True and glance-api.conf [oslo_policy] enforce_new_defaults=True. Glance will refuse to start if misconfigured.

Upgrade Notes

  • The default value of the [oslo_policy] policy_file config option has been changed from policy.json to policy.yaml. Operators who are utilizing customized or previously generated static policy JSON files (which are not needed by default) should generate new policy files or convert them to YAML format. Use the oslopolicy-convert-json-to-yaml tool to convert a JSON policy file to a YAML-formatted policy file in a backward-compatible way.

  • The inject_image_metadata task will no longer allow setting properties in the reserved os_glance_* namespace, in line with the blanket prohibition on such via the API. It has always been dangerous to do this, so no operator should have any such configuration in production. If any keys in this namespace are set, they will be dropped (and logged) during the injection process.

  • Glance now prevents setting or modifying image properties that are within the os_glance reserved namespace. Previously, individual properties (such as os_glance_importing_to_stores) were inconsistently disallowed, but now the entire namespace is enforced.

  • The Glance API configuration option admin_role, having been deprecated in the Ussuri release, is now removed. If present in a configuration file, it will be silently ignored.

  • The owner_is_tenant configuration option, which was deprecated in Rocky, has been removed in this release. As announced in the spec Deprecate owner_is_tenant, given that an operator survey indicated that this option was only used in its default value of True, no database migration is included in this release.

  • Glance now provides more granular RBAC access to the images API via default personas. This work is marked as experimental in Wallaby, and will be supported in a future release.

    Existing authorization and policies will continue to work, but we encourage operators to review the new policies and consolidate any redundant overrides with the new defaults if possible. Please review the feature section above for more details.
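
A pre-upgrade check for the settings named in the feature and upgrade notes above, as an added example that is not part of the Glance release notes or code base. It flags the two secure RBAC switches disagreeing (assumed here to be what "misconfigured" means), a policy_file that still points at JSON, and the removed admin_role and owner_is_tenant options; the function name, finding codes and sample configuration are constructed for illustration.

```python
import configparser

# Option names below are taken from the release notes above.
REMOVED_OPTS = ("admin_role", "owner_is_tenant")   # removed from [DEFAULT]

def audit_glance_api_conf(text):
    """Return a list of (code, detail) findings for a glance-api.conf body."""
    # default_section is renamed so [DEFAULT] is parsed as an ordinary section
    # and its values do not leak into [oslo_policy].
    cfg = configparser.ConfigParser(default_section="__unused__",
                                    interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []

    # Assumption: "misconfigured" means the two switches disagree.
    # An unset switch is treated as False.
    secure = cfg.getboolean("DEFAULT", "enable_secure_rbac", fallback=False)
    new_defaults = cfg.getboolean("oslo_policy", "enforce_new_defaults",
                                  fallback=False)
    if secure != new_defaults:
        findings.append(("RBAC_MISMATCH",
                         f"enable_secure_rbac={secure} but "
                         f"enforce_new_defaults={new_defaults}"))

    # An explicit JSON policy file needs converting before the upgrade.
    policy_file = cfg.get("oslo_policy", "policy_file", fallback=None)
    if policy_file and policy_file.strip().lower().endswith(".json"):
        findings.append(("JSON_POLICY_FILE", policy_file.strip()))

    # Removed options are ignored by Wallaby, so they no longer have any effect.
    for opt in REMOVED_OPTS:
        if cfg.has_option("DEFAULT", opt):
            findings.append(("REMOVED_OPTION", opt))
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
[DEFAULT]
enable_secure_rbac = True
admin_role = admin

[oslo_policy]
policy_file = policy.json
"""

if __name__ == "__main__":
    for code, detail in audit_glance_api_conf(SAMPLE_CONF):
        print(f"{code}: {detail}")
```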

Deprecation Notes

  • Use of JSON policy files was deprecated by the oslo.policy library during the Victoria development cycle. As a result, this deprecation is being noted in the Wallaby cycle with an anticipated future removal of support by oslo.policy. As such, operators will need to convert to YAML policy files. Please see the upgrade notes for details on migration of any custom policy files.

  • The policy check that we ran when an image is not found is removed. This previously allowed an operator to override the behavior of a 404 to be a 403, in contrast to the API documentation and design goals of defaulting to 404 for information-hiding reasons. This check is no longer run in the case of a NotFound result from the database, so any policy attempting to control that behavior will be ignored from now on.

  • The policies protecting the image API have been deprecated in favor of more consistent defaults that use the member and reader default roles from keystone. If your deployment relies on overriding the default policies, please review the new defaults and how they may impact your deployment.

    The unused modify_task policy has been deprecated for removal. It was never honored or checked as part of an API operation, so overriding it has no direct impact on the tasks API, which remains a deprecated, admin-only API.

Security Issues

  • The default policy for the metadef API has changed from “open to everyone” to “only admins can create and modify resources”. We believe that this is by far the most common use-case and the only sane default. See Bug 1916926 for more details.

  • Glance now ships experimental policies that support read-only image permissions. Users with the reader role on a project will be able to view generic image data, without the ability to make writeable changes using the images API. Please review the features section above for more information on enabling this functionality.

Bug Fixes

  • Bug 1913625: Glance will leak staging data

  • Bug 1914826: web-download with invalid url does not report error

  • Bug 1916011: test_migrate_image_after_upgrade failing because of glance cinder store change