Add ignore_project_check_for_admin_tasks config option

Add a new config variable to ignore project_id checks in administrative tasks Partial-Bug: #2099276 Change-Id: I3c6ba8f995a2781229c07c047f66e6737109cdc9
2025-02-28 15:59:07 +00:00 · 2025-02-28 15:59:07 +00:00 · 1dbb501cd1
commit 1dbb501cd1
parent cb38526302
3 changed files with 15 additions and 1 deletions
--- a/ironic/common/glance_service/service_utils.py
+++ b/ironic/common/glance_service/service_utils.py
@ -22,7 +22,7 @@ from oslo_utils import timeutils
 from oslo_utils import uuidutils

 from ironic.common import exception
-
+from ironic.conf import CONF

 _IMAGE_ATTRIBUTES = ['size', 'disk_format', 'owner',
                     'container_format', 'checksum', 'id',
@ -115,6 +115,7 @@ def is_image_available(context, image):
    image_visibility = getattr(image, 'visibility', None)
    image_owner = getattr(image, 'owner', None)
    image_id = getattr(image, 'id', 'unknown')
+    is_admin = 'admin' in getattr(context, 'roles', [])
    project_id = getattr(context, 'project_id', None)
    project = getattr(context, 'project', 'unknown')
    # The presence of an auth token implies this is an authenticated
@ -130,6 +131,9 @@ def is_image_available(context, image):
    if project_id and image_owner == project_id:
        return True

+    if is_admin and CONF.ignore_project_check_for_admin_tasks:
+        return True
+
    LOG.info(
        'Access to %s owned by %s denied to requester %s',
        image_id, image_owner, project
--- a/ironic/conf/default.py
+++ b/ironic/conf/default.py
@ -69,6 +69,12 @@ api_opts = [
               default='/etc/ironic/htpasswd',
               help=_('Path to Apache format user authentication file used '
                      'when auth_strategy=http_basic')),
+    cfg.BoolOpt(
+        'ignore_project_check_for_admin_tasks',
+        default=True,
+        help=_('If True, allows admin tasks to access image without'
+               'matching project_id')
+    ),
    cfg.BoolOpt('debug_tracebacks_in_api',
                default=False,
                help=_('Return server tracebacks in the API response for any '
--- a/releasenotes/notes/add_ignore_project_check_for_admin_tasks-54007fb30017296f.yaml
+++ b/releasenotes/notes/add_ignore_project_check_for_admin_tasks-54007fb30017296f.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - If `ignore_project_check_for_admin_tasks` is set to `True`, the system will check if the requester
+   is an admin for verifying image availability, bypassing the project check for administrative tasks.