From 6fe3626bb539b1496136843324e1d1be84b9c42f Mon Sep 17 00:00:00 2001 From: Mike Fedosin Date: Fri, 21 Aug 2015 19:36:42 +0300 Subject: [PATCH] Disable v3 API by default Since v3 is still unstable and has experimental status it's better to disable it by default for security reasons. This commit does it by setting 'enable_v3_api=False'. Also all required documentation was added to related sections. DocImpact Change-Id: I412d0645d667400333532123008a24966aa23880 --- doc/source/configuring.rst | 23 ++++++++++--------- etc/glance-api.conf | 3 +++ glance/api/__init__.py | 6 ++--- glance/common/config.py | 2 +- .../integration/legacy_functional/base.py | 4 ++++ glance/tests/integration/v2/base.py | 4 ++++ glance/tests/unit/test_versions.py | 20 ++++------------ 7 files changed, 31 insertions(+), 31 deletions(-) diff --git a/doc/source/configuring.rst b/doc/source/configuring.rst index 481272a082..c8fe6e8ad7 100644 --- a/doc/source/configuring.rst +++ b/doc/source/configuring.rst @@ -1325,9 +1325,9 @@ Optional. Default: ``True`` Defines which version(s) of the Registry API will be enabled. If the Glance API server parameter ``enable_v1_api`` has been set to ``True`` the ``enable_v1_registry`` has to be ``True`` as well. -If the Glance API server parameter ``enable_v2_api`` has been set to ``True`` and -the parameter ``data_api`` has been set to ``glance.db.registry.api`` the -``enable_v2_registry`` has to be set to ``True`` +If the Glance API server parameter ``enable_v2_api`` or ``enable_v3_api`` has been +set to ``True`` and the parameter ``data_api`` has been set to +``glance.db.registry.api`` the ``enable_v2_registry`` has to be set to ``True`` Configuring Notifications @@ -1382,9 +1382,9 @@ Optional. Default: ``roles``. Configuring Glance APIs ----------------------- -The glance-api service implements versions 1 and 2 of the OpenStack -Images API. Disable either version of the Images API using the -following options: +The glance-api service implements versions 1, 2 and 3 of +the OpenStack Images API. Disable any version of +the Images API using the following options: * ``enable_v1_api=`` @@ -1394,11 +1394,12 @@ Optional. Default: ``True`` Optional. Default: ``True`` -**IMPORTANT NOTE**: The v1 API is implemented on top of the -glance-registry service while the v2 API is not. This means that -in order to use the v2 API, you must copy the necessary sql -configuration from your glance-registry service to your -glance-api configuration file. +* ``enable_v3_api=`` + +Optional. Default: ``False`` + +**IMPORTANT NOTE**: To use v2 registry in v2 or v3 API, you must set +``data_api`` to glance.db.registry.api in glance-api.conf. Configuring Glance Tasks ------------------------ diff --git a/etc/glance-api.conf b/etc/glance-api.conf index 12af98d903..6a4e1e5fe8 100644 --- a/etc/glance-api.conf +++ b/etc/glance-api.conf @@ -64,6 +64,9 @@ backlog = 4096 # Allow access to version 2 of glance api #enable_v2_api = True +# Allow access to version 3 of glance api +#enable_v3_api = False + # Return the URL that references where the data is stored on # the backend storage system. For example, if using the # file system store a URL of 'file:///path/to/image' will diff --git a/glance/api/__init__.py b/glance/api/__init__.py index af69df76b5..c85040a57a 100644 --- a/glance/api/__init__.py +++ b/glance/api/__init__.py @@ -20,10 +20,10 @@ def root_app_factory(loader, global_conf, **local_conf): - if not CONF.enable_v1_api: + if not CONF.enable_v1_api and '/v1' in local_conf: del local_conf['/v1'] - if not CONF.enable_v2_api: + if not CONF.enable_v2_api and '/v2' in local_conf: del local_conf['/v2'] - if not CONF.enable_v3_api: + if not CONF.enable_v3_api and '/v3' in local_conf: del local_conf['/v3'] return paste.urlmap.urlmap_factory(loader, global_conf, **local_conf) diff --git a/glance/common/config.py b/glance/common/config.py index ecd40a6e2a..7e53843429 100644 --- a/glance/common/config.py +++ b/glance/common/config.py @@ -150,7 +150,7 @@ help=_("Deploy the v1 OpenStack Images API.")), cfg.BoolOpt('enable_v2_api', default=True, help=_("Deploy the v2 OpenStack Images API.")), - cfg.BoolOpt('enable_v3_api', default=True, + cfg.BoolOpt('enable_v3_api', default=False, help=_("Deploy the v3 OpenStack Objects API.")), cfg.BoolOpt('enable_v1_registry', default=True, help=_("Deploy the v1 OpenStack Registry API.")), diff --git a/glance/tests/integration/legacy_functional/base.py b/glance/tests/integration/legacy_functional/base.py index b094d91ead..499a007b65 100644 --- a/glance/tests/integration/legacy_functional/base.py +++ b/glance/tests/integration/legacy_functional/base.py @@ -55,6 +55,7 @@ /: apiversions /v1: apiv1app /v2: apiv2app +/v3: apiv3app [app:apiversions] paste.app_factory = glance.api.versions:create_resource @@ -65,6 +66,9 @@ [app:apiv2app] paste.app_factory = glance.api.v2.router:API.factory +[app:apiv3app] +paste.app_factory = glance.api.v3.router:API.factory + [filter:versionnegotiation] paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory diff --git a/glance/tests/integration/v2/base.py b/glance/tests/integration/v2/base.py index 98d478a073..5cd9c296c7 100644 --- a/glance/tests/integration/v2/base.py +++ b/glance/tests/integration/v2/base.py @@ -58,6 +58,7 @@ /: apiversions /v1: apiv1app /v2: apiv2app +/v3: apiv3app [app:apiversions] paste.app_factory = glance.api.versions:create_resource @@ -68,6 +69,9 @@ [app:apiv2app] paste.app_factory = glance.api.v2.router:API.factory +[app:apiv3app] +paste.app_factory = glance.api.v3.router:API.factory + [filter:versionnegotiation] paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory diff --git a/glance/tests/unit/test_versions.py b/glance/tests/unit/test_versions.py index 8be83a396b..eb029e0901 100644 --- a/glance/tests/unit/test_versions.py +++ b/glance/tests/unit/test_versions.py @@ -34,12 +34,6 @@ def test_get_version_list(self): self.assertEqual('application/json', res.content_type) results = jsonutils.loads(res.body)['versions'] expected = [ - { - 'status': 'EXPERIMENTAL', - 'id': 'v3.0', - 'links': [{'href': 'http://127.0.0.1:9292/v3/', - 'rel': 'self'}], - }, { 'id': 'v2.3', 'status': 'CURRENT', @@ -89,12 +83,6 @@ def test_get_version_list_public_endpoint(self): self.assertEqual('application/json', res.content_type) results = jsonutils.loads(res.body)['versions'] expected = [ - { - 'status': 'EXPERIMENTAL', - 'id': 'v3.0', - 'links': [{'href': 'https://example.com:9292/v3/', - 'rel': 'self'}], - }, { 'id': 'v2.3', 'status': 'CURRENT', @@ -184,13 +172,13 @@ def test_request_url_v2_2(self): def test_request_url_v3(self): request = webob.Request.blank('/v3/artifacts') - self.middleware.process_request(request) - self.assertEqual('/v3/artifacts', request.path_info) + resp = self.middleware.process_request(request) + self.assertIsInstance(resp, versions.Controller) def test_request_url_v3_0(self): request = webob.Request.blank('/v3.0/artifacts') - self.middleware.process_request(request) - self.assertEqual('/v3/artifacts', request.path_info) + resp = self.middleware.process_request(request) + self.assertIsInstance(resp, versions.Controller) def test_request_url_v2_3_unsupported(self): request = webob.Request.blank('/v2.3/images')