
Image uploads to the SUSE Cloud

Björn Geuken edited this page Dec 15, 2017 · 1 revision

Option A:

As mentioned, an OpenStack admin would have to configure the policies on his OpenStack cloud to have a "cloud uploader" role with limited permissions. That would be done by changing a policy.json file.

Required permissions would be 'publicize_image' and 'add_image', and optionally 'delete_image'.
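As an added illustration (not from the original page or from OBS), the constructed policy.json fragment below grants exactly the three permissions named above to a `cloud_uploader` role, and a small evaluator (a simplified stand-in for oslo.policy that understands only `role:<name>` terms joined by `and`/`or`) shows which actions such a token ends up with. Note that the fragment tightens the `default` rule to admin-only for the sake of the illustration; a real Glance policy lists many more actions, including the rule governing the image data upload itself, and each of those needs reviewing for the uploader role.

```python
"""Minimal evaluator for Glance-style policy.json rules (constructed example,
not oslo.policy). A rule is a string such as "role:admin or role:cloud_uploader";
an empty rule "" means the action is open to any authenticated caller."""
import json
import re

# Constructed policy fragment: the three permissions the page names for a
# restricted "cloud_uploader" role; everything not listed falls to "default".
POLICY_JSON = """
{
  "context_is_admin": "role:admin",
  "default": "role:admin",
  "add_image": "role:admin or role:cloud_uploader",
  "publicize_image": "role:admin or role:cloud_uploader",
  "delete_image": "role:admin or role:cloud_uploader",
  "modify_image": "role:admin",
  "get_image": "",
  "get_images": ""
}
"""

def load_policy(text: str) -> dict:
    return json.loads(text)

def _term_matches(term: str, roles: set) -> bool:
    """Evaluate a single 'role:<name>' term (the only check type supported here)."""
    kind, _, value = term.strip().partition(":")
    if kind != "role":
        raise ValueError(f"unsupported check: {term!r}")
    return value in roles

def rule_allows(rule: str, roles: set) -> bool:
    """'or' binds looser than 'and'; '' allows everyone. No parentheses or negation."""
    if rule == "":
        return True
    return any(all(_term_matches(t, roles) for t in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", rule))

def allowed(policy: dict, action: str, roles: set) -> bool:
    """Fall back to the 'default' rule for actions the policy does not list."""
    return rule_allows(policy.get(action, policy.get("default", "")), roles)

def capabilities(policy: dict, roles: set) -> set:
    """Return the set of listed actions the given roles may perform."""
    return {a for a in policy
            if a not in ("default", "context_is_admin") and allowed(policy, a, roles)}

if __name__ == "__main__":
    pol = load_policy(POLICY_JSON)
    print(sorted(capabilities(pol, {"cloud_uploader"})))
```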

That user could then be used to upload images. OpenStack stores images per project, not per user. From my understanding that would mean that an OpenStack admin would have to set up an OpenStack user that only has the cloud upload role. That account would be registered in OBS. Once this is done, that admin could grant and revoke OBS users' permissions to upload via that OBS uploader account.

That would limit the impact in case someone obtains and abuses the permissions. But it would still mean we have to deal with storing credentials (user and password in this case, because tokens are temporary).

Thinking about this option a bit more... I don't think we will be able to distinguish between OpenStack users with only uploader roles and users with additional roles. So in theory a user could just register his credentials (with full permissions) in OBS and use that one.

So unless this process of registering OBS cloud upload users is controlled by an OBS admin, it's very easy to circumvent such a setup, which would make it pointless.

Unless there is another option, I don't think a cloud upload is doable for our online service. It might still be an option for an internal OBS / OpenStack setup.

Option B:

Have a polling service (e.g. a cron job or a more elaborate daemon) that fetches images from OBS. Which images to fetch would have to be configured.

Option C:

Don't touch anything and just document the OpenStack image upload Christian mentioned.

Option D:

Also an idea from the Cloud people: Have a cloud upload option in osc that fetches an image and uploads it to a cloud.

The advantage here (as in B) would be that the credentials would be stored locally and we don't have to deal with them.
