Ask Your Question

How do you configure glance to allow snapshots but not image creation?

asked 2013-07-31 05:28:16 -0500

OpenStackIsFun gravatar image

updated 2013-07-31 12:18:24 -0500

smaffulli gravatar image

Is there a way of configuring the glance policy to prevent users from creating/uploading new images, yet still allow creating snapshots?

I've changed /etc/glance/policy.json as per the example in the (glance documentation) :

"add_image": "role:admin",
"modify_image": "role:admin",
"delete_image": "role:admin"

but this also prevents taking snapshots. I'm using Grizzly to provide self-service VM creation in a private internal setup, so we need to restrict what images users can launch.

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2013-08-02 11:01:08 -0500

armando-migliaccio gravatar image

Glance has no concept of differential images as far as I can tell (or at least not yet), so creating/uploading snapshots is equivalent to creating/uploading images; hence you cannot grant access to one and deny the other. That said, if you are talking about snapshotting of running VM's, your low-privs users can still snapshot instances by using the Compute API directly. Denying access to the Glance API altogether will allow you to prevent your users from creating images from scratch.

edit flag offensive delete link more


"Hi! Thanks for the answer. "by using the Compute API directly" - you mean nova REST API? I tried to create a snapshot through horizon (OS Havana) and it shows unauthorized. I see that it goes through Nova API as expected, but Nova API seems to be using user's creds, instead of it's own, and therefore unauthorized.

max-lobur gravatar imagemax-lobur ( 2014-08-07 18:49:05 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2013-07-31 05:28:16 -0500

Seen: 835 times

Last updated: Aug 02 '13