Restrict users from downloading protected image

Bug #1363415 reported by OpenStack Infra
Affects | Status | Importance | Assigned to | Milestone
openstack-api-site | Fix Released | Medium | Diane Fleming |
openstack-manuals | Fix Released | Medium | Darren Chan |

Bug Description

https://review.openstack.org/98737
commit 0656386e99b0c9ed5b5ba4a1e17f0b8d7d50aad6
Author: Abhishek Kekane <email address hidden>
Date: Wed Jun 4 13:55:06 2014 +0000

    Restrict users from downloading protected image

    Added new rule in policy.json and applied that rule to
    'download_image' policy.

    For example,
    "restricted": "not ('test_key':%(test_key)s and role:_member_)"
    "download_image": "role:admin or rule:restricted"

    So if 'download_image' policy is enforced then in above case only admin or
    user who satisfies rule 'restricted' will able to download image. Other users
    will not be able to download the image and will get 403 Forbidden response.

    In addition, delete property access should be restricted for other users
    so that they will not be able to delete the property of the image.

    [test_key]
    create = admin,member
    read = admin,member,_member_
    update = admin,member
    delete = admin,member

    Added new method to create dictionary-like mashup of image core and custom
    properties.
    Modified v1 and v2 api to add download restriction.
    Modified logic of caching to restrict download for v1 and v2 api.

    DocImpact:
    Need to add new rule in policy.json
    "restricted": "not ('test_key':%(test_key)s and role:_member_)"

    blueprint: restrict-downloading-images-protected-properties

    Change-Id: I05bad0441952150bd15b831ac1b1a0bb9ae79c74

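To show how the two rules quoted in the commit message combine, here is an added Python example (not Glance or oslo.policy code): a minimal evaluator for the three check kinds the rules use, role:<name>, rule:<name>, and 'literal':%(attr)s, which oslo.policy treats as "the target image's property attr equals the literal". The policy fragment and the sample roles and image properties are constructed; a False result is what the API turns into 403 Forbidden.

```python
import re
POLICY = {  # constructed policy.json fragment: the two rules quoted in the commit message
    "restricted": "not ('test_key':%(test_key)s and role:_member_)",
    "download_image": "role:admin or rule:restricted",
}
# Tokens: parentheses, keywords, 'literal':%(attr)s checks and kind:match checks.
_TOKEN = re.compile(r"\(|\)|\bnot\b|\band\b|\bor\b|'[^']*':%\(\w+\)s|[\w.-]+:[^\s()]+")

def _check(atom, creds, target):
    if atom.startswith("'"):  # 'literal':%(attr)s: true when image property attr == literal
        literal, attr = re.match(r"'([^']*)':%\((\w+)\)s", atom).groups()
        return target.get(attr) == literal
    kind, match = atom.split(":", 1)
    if kind == "role":  # caller holds this Keystone role
        return match in creds.get("roles", [])
    if kind == "rule":  # reference to another named rule in POLICY
        return enforce(match, creds, target)
    raise ValueError("unsupported check: " + atom)

def enforce(rule_name, creds, target):
    """Parse and evaluate POLICY[rule_name]; precedence is not > and > or."""
    tokens = _TOKEN.findall(POLICY[rule_name])  # consumed left to right with pop(0)
    def peek():
        return tokens[0] if tokens else None
    def parse_or():
        value = parse_and()
        while peek() == "or":
            tokens.pop(0)
            value = parse_and() or value  # right side first, so its tokens are consumed
        return value
    def parse_and():
        value = parse_not()
        while peek() == "and":
            tokens.pop(0)
            value = parse_not() and value
        return value
    def parse_not():
        if peek() == "not":
            tokens.pop(0)
            return not parse_not()
        if peek() == "(":
            tokens.pop(0)
            value = parse_or()
            tokens.pop(0)  # the closing ")"
            return value
        return _check(tokens.pop(0), creds, target)
    return parse_or()

def download_status(creds, image_props):  # what the image download call returns
    return 200 if enforce("download_image", creds, image_props) else 403
```

A _member_ user is refused only for images whose test_key property is exactly "test_key"; admins and users holding other roles are never affected by the "restricted" rule.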
Tags: glance
Tom Fifield (fifieldt)
Changed in openstack-manuals:
milestone: none → juno
status: New → Confirmed
importance: Undecided → Medium
Anne Gentle (annegentle) wrote :

Needs to be added both to Cloud Admin Guide in openstack/openstack-manuals and also indicated why they'd get a 403 in the Image API v1 and v2 docs in openstack/api-site.

Changed in openstack-api-site:
status: New → Confirmed
importance: Undecided → Medium
Changed in openstack-manuals:
assignee: nobody → Anne Gentle (annegentle)
Anne Gentle (annegentle)
Changed in openstack-manuals:
assignee: Anne Gentle (annegentle) → nobody
Darren Chan (dazzachan)
Changed in openstack-manuals:
assignee: nobody → Darren Chan (dazzachan)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/136963

Changed in openstack-manuals:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/136963
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=7bc575de91f8249d1f83981b079cb0155d9fc4a6
Submitter: Jenkins
Branch: master

commit 7bc575de91f8249d1f83981b079cb0155d9fc4a6
Author: darrenchan <email address hidden>
Date: Tue Nov 25 15:14:10 2014 +1100

    Added details about editing policy.json in the Cloud Administrator Guide

    Added more detail on defining policies and rules in the policy.json file

    Change-Id: Ia301a176b1b299dfb2cc302bba6645cfdeaa966c
    backport: none
    Closes-Bug: #1363415

Changed in openstack-manuals:
status: In Progress → Fix Released
Atsushi SAKAI (sakaia) wrote :

Let me clarify this issue.

1) Currently no error response is described on
   http://developer.openstack.org/api-ref-image-v2.html#image-data-v2
   If it adds 403, then it needs to add the other responses too.

2) Does it need to describe the following? It seems to just point from the api-ref to the cloud admin manual.
   http://docs.openstack.org/admin-guide-cloud/content/glance-property-protection.html

Diane Fleming (diane-fleming) wrote :
Changed in openstack-api-site:
assignee: nobody → Diane Fleming (diane-fleming)
milestone: none → liberty
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to api-site (master)

Reviewed: https://review.openstack.org/220829
Committed: https://git.openstack.org/cgit/openstack/api-site/commit/?id=e802fe25a463cb906ae87438e9245e3413fd36d1
Submitter: Jenkins
Branch: master

commit e802fe25a463cb906ae87438e9245e3413fd36d1
Author: Diane Fleming <email address hidden>
Date: Sun Sep 6 10:52:31 2015 -0500

    Add 403 return code to image download for v2 and v1

    Change-Id: I7bb4fdc73e15cee437c05b14bcdeb4d2920c2314
    Closes-Bug: #1363415

Changed in openstack-api-site:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
