Restrict users from uploading volume to image based on glance protected properties

Registered by Tushar Patil on 2014-04-23

The concept of images with protected properties was introduced in Glance in the Havana release. One of the main use cases for introducing this concept was billing.
That is, the owner of an image creates one or more custom protected properties for a licensed image and shares it publicly with users. When users use this licensed image to create new instances, the owner knows who is using the licensed image and for how many hours, and the users are charged accordingly. The metadata properties are also copied when a volume is created from the licensed image, so that when this volume is used for booting VMs, the owner of the licensed image knows who is using it for billing purposes.
At present, however, when you create an image from a volume (a volume created from a licensed image), the user is allowed to create the image, because only the core properties are copied and the custom protected properties are left behind. This allows the user to use the licensed image free of cost. He/she can also share this image with other tenants. This would be a big blow to the owner of the licensed image. To avoid this, it is necessary to copy the custom properties when you create an image from a volume. If the Glance deployer has allowed only the administrator/owner to create custom protected properties, then a normal user will not be able to create an image from the volume and use the licensed image maliciously.

For example, /etc/glance/protected-properties.conf:
[^x_billing_code_ntt_xyz.*]
create = admin,owner
read = admin,Member,_member_
update = admin,owner
delete = admin,owner
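
The following sketch is an added example, not code from Glance, Cinder or the review linked from this blueprint. It models the upload of a volume to an image against the rule above, with and without the custom properties being copied. The function names, the list of core properties, the sample volume metadata and the treatment of properties that match no rule are assumptions made for illustration.

```python
import configparser
import re

# The page's protected-properties.conf example, embedded as sample input.
PROTECTED_PROPERTIES_CONF = """\
[^x_billing_code_ntt_xyz.*]
create = admin,owner
read = admin,Member,_member_
update = admin,owner
delete = admin,owner
"""

# Constructed stand-in for the "core properties" that are always copied.
CORE_PROPERTIES = {"container_format", "disk_format", "min_disk", "min_ram", "size"}

def load_rules(text):
    """Return [(compiled_regex, {operation: set_of_roles})] in file order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return [(re.compile(section),
             {op: {r.strip() for r in roles.split(",")}
              for op, roles in parser[section].items()})
            for section in parser.sections()]

def denied_properties(rules, properties, roles, operation="create"):
    """List properties the caller's roles may not perform `operation` on.
    Assumption of this sketch: a property matching no rule is not protected."""
    denied = []
    for name in properties:
        for pattern, perms in rules:
            if pattern.search(name):
                if not perms.get(operation, set()) & set(roles):
                    denied.append(name)
                break  # first matching rule decides
    return sorted(denied)

def upload_volume_to_image(rules, volume_image_metadata, roles, copy_custom):
    """copy_custom=False models the old behaviour (core properties only)."""
    image_props = {k: v for k, v in volume_image_metadata.items()
                   if copy_custom or k in CORE_PROPERTIES}
    denied = denied_properties(rules, image_props, roles)
    return {"allowed": not denied, "denied": denied,
            "image_properties": image_props}

# Constructed metadata of a volume created from a licensed image.
VOLUME_METADATA = {"disk_format": "qcow2", "container_format": "bare",
                   "x_billing_code_ntt_xyz_1": "LIC-0001"}
RULES = load_rules(PROTECTED_PROPERTIES_CONF)
```

With copy_custom=False the billing property is silently absent from the new image and the upload is allowed. With copy_custom=True the same request from a _member_ user is refused, while an admin keeps the property on the image.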

Blueprint information

Status: Complete
Approver: John Griffith
Priority: Medium
Drafter: Tushar Patil
Direction: Approved
Assignee: Pranali Deore
Definition: Approved
Series goal: Accepted for juno
Implementation: Implemented
Milestone target: 2014.2
Started by: John Griffith on 2014-06-10
Completed by: John Griffith on 2014-07-23

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/restrict-uploading-volume-to-image,n,z

Addressed by: https://review.openstack.org/95954
    Copy custom properties to image from volume
